I need to authenticate users from multiple LDAP servers in a single cloud. How is that done? Has anyone successfully been able to do it?
I really don't want to have to make separate orgs for each user base.
Unless I am missing something, you do want to make sure to have at least one org, as users at the top level (system) are all administrators and can perform any action in the system. Org-level users at least let you set up some control via access rights.
If you are trying to get all your users in one org, that can be done as long as you are using a supported LDAP system in a supported configuration. (One point that catches lots of people out is that the LDAP server must have users in groups, and many do not if they have only been used for authentication.)
I'm guessing you created an organization and you want users from more than one LDAP to have access to it? If so, I think this could be done using Active Directory and sub-domains. You would point the LDAP settings within the vCD Organization to the parent domain, create a group within the AD parent domain and add users from the sub-domains.
You could probably come up with some stand-alone LDAP system (like OpenLDAP) and sync to other domains as well, but I'm not sure how complicated that would be.
My problem is that the AD has two top-level branches that are mutually exclusive; they are not sub-domains, not for users anyway. I think my only way is to create an LDAP server locally that pulls in the user data from both top-level branches. Has anyone done this? This is an org-level LDAP setup. I basically want vCloud to search through the two LDAP organizations to validate the users.
LDAP support in vCloud is very, very limited right now. You might need to look at something like an OpenLDAP server with some support to link it to AD and handle the groups in OpenLDAP. (I have not done it, but I have heard that some people have tried this before.)
I have been bugging VMware for a while to make the LDAP integration in vCloud a little more feature-rich.
I have done a one-way sync from AD to OpenLDAP on a scheduled basis for an intranet site before, and it wasn't too hard to get going. We were doing a fresh sync each time, so deleted and disabled user accounts would go away. I'm not sure if you can import from two ADs, though, and know when the users are no longer active. You might check into that first.
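The merge step the last reply describes, as an added example that is not any poster's code: two AD-style exports (one per top-level branch) are rebuilt into one flat OpenLDAP tree on every sync, accounts disabled at the source are dropped, logins that exist in both branches are refused rather than merged, and a single group lists the surviving users because vCD expects users to be in groups. The target DNs, the group name and the sample accounts are assumptions.

```python
# Added example, not any poster's code: merge exports from two AD branches into one
# OpenLDAP tree rebuilt on every sync, dropping users disabled at the source.
ACCOUNTDISABLE = 0x0002                  # AD userAccountControl "disabled" bit
BASE_DN = "ou=people,dc=example,dc=com"  # assumed target tree (placeholder)
GROUP_DN = "cn=vcd-users,ou=groups,dc=example,dc=com"  # assumed group for vCD

def is_active(entry):
    return not (int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)

def merge_branches(branches):
    """{branch_name: [AD-style user dicts]} -> (entries keyed by uid, sorted clashes).
    A login present in more than one branch is left out entirely, so one branch's
    account can never silently take over the other's identity in the target."""
    merged, seen_in, clashes = {}, {}, set()
    for branch, users in branches.items():
        for u in users:
            uid = u["sAMAccountName"].lower()
            if seen_in.setdefault(uid, branch) != branch:
                clashes.add(uid)
                merged.pop(uid, None)
            elif is_active(u):       # disabled at source: must not exist here
                merged[uid] = {"dn": f"uid={uid},{BASE_DN}", "objectClass": ["inetOrgPerson"],
                               "uid": uid, "cn": u["cn"], "sn": u["sn"],
                               "description": f"source={branch}"}
    return merged, sorted(clashes)

def to_ldif(entries):
    """Render users plus one group holding them all (vCD wants users in groups)."""
    lines = []
    for e in entries.values():
        lines.append(f"dn: {e['dn']}")
        for key, val in e.items():
            for v in (val if isinstance(val, list) else [val]):
                if key != "dn":
                    lines.append(f"{key}: {v}")
        lines.append("")
    lines += [f"dn: {GROUP_DN}", "objectClass: groupOfNames", "cn: vcd-users"]
    lines += [f"member: {e['dn']}" for e in entries.values()]
    return "\n".join(lines) + "\n"

# Constructed sample exports from two mutually exclusive branches (not real data)
BRANCH_A = [{"sAMAccountName": "alice", "cn": "Alice A", "sn": "A", "userAccountControl": 512},
            {"sAMAccountName": "bob", "cn": "Bob A", "sn": "A", "userAccountControl": 514}]  # disabled
BRANCH_B = [{"sAMAccountName": "carol", "cn": "Carol B", "sn": "B", "userAccountControl": 512},
            {"sAMAccountName": "alice", "cn": "Alice B", "sn": "B", "userAccountControl": 512}]  # clash

if __name__ == "__main__":
    users, clashes = merge_branches({"A": BRANCH_A, "B": BRANCH_B})
    print(to_ldif(users))
    print("unresolved collisions:", clashes)
```

Feeding the LDIF into a fresh tree each run (rather than modifying in place) is what makes deletions and disables at the source take effect; the clash list is what has to be resolved by hand before either branch's "alice" is allowed in.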