VMware Cloud Community
Feltrek
Contributor

Virtual Center Authentication against OpenLDAP

So far everything I have read mentions centralized authentication in the context of Virtual Center as using Active Directory.

Is it feasible to configure Virtual Center to use LDAP authentication and to assign users to Roles via the LDAP directory?

Thanks in Advance!


Accepted Solutions
hicksj
Virtuoso

Technically anything is possible :) I've heard rumors that alternate LDAP integration has been coded in the past, but never released. Have enough folks submit feature requests, and maybe you'll get somewhere.

While I personally have no desire to move away from my AD integration, I would prefer to see VMware provide a more open platform for management. That said, I don't think you'll see anything soon... folks have been screaming for linux VIC binaries for a LONG time, certainly in far more vocal numbers than those requesting open LDAP support. But it can't hurt to get on the list!

Best of luck, J

14 Replies
Saju_C
Enthusiast

Yes, it is possible. I have tried authenticating LDAP users in my test environment.

esxcfg-auth --enableldap --enableldapauth --ldapserver=<server_ip> --ldapbasedn="dc=example,dc=com"

Once you have run the above command, restart the hostd daemon with service mgmt-vmware restart.

Then you can assign the LDAP users different roles using VI (Permissions tab / Add Permission...).

Feltrek
Contributor

Is this in the context of using Virtual Center, which is a Windows box?

What you provided looks like what you would do to configure an ESX host to use LDAP.

To clarify: I want to see LDAP users via the Virtual Infrastructure Client when attached to our Virtual Center Management Server, which as of now only appears to read either local Windows accounts and groups, or Active Directory accounts if it is a member of an AD domain.

I appreciate your help, I am just trying to clarify.

Saju_C
Enthusiast

Thanks for being polite... :)

As you mentioned, I have explained the procedure to configure an ESX host to use an LDAP server. Didn't read the question properly... :)

No clue about the VC authentication against LDAP..

Thanks

grealish
Contributor

Hi, just searching around for Virtual Center and LDAP auth, but wondering whether there has been any development in this area? LDAP would really help; I can't get a proper user account to query AD, so I'm stuck already.

If there has been any experimentation at all please do let me know

Thanks in advance

domboy
Contributor

I would like to know how to do this as well. So far my searching has come up with no answers...

garou179
Contributor

I found one way you can do it.

If you create a local group and add the OpenLDAP domain users or groups to it, then you can assign the local group permissions in vCenter and use your domain users to log on.

RVTC
Contributor

Does it specifically have to be a domain group added to the local group?

I created a new local group called "vcaccess",

added two domain users to it,

and granted it administrator access to the vCenter, and I still cannot authenticate via an LDAP user.

garou179
Contributor

Did you specify the domain in the user field <domain>\<user name>?

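Added example (not from the thread or from VMware): the local-group workaround that garou179 describes and RVTC tried, scripted on the vCenter Server host with net.exe and PowerCLI so the DOMAIN\user form, the group membership and the resulting permission can all be checked in one place. The server name, domain name, user names and the choice of the built-in ReadOnly role are assumptions; the group name "vcaccess" comes from the thread, and the host is assumed to be joined to the domain that holds the LDAP-backed accounts.

```powershell
# Added example, not from the thread: implements the local-group workaround
# on the vCenter Server machine. All values below are placeholders except the
# group name "vcaccess", which is the one used in the thread.
param(
    [string]$VCServer   = "vcenter.example.com",   # placeholder
    [string]$LocalGroup = "vcaccess",              # name used in the thread
    [string]$Domain     = "EXAMPLE",               # placeholder NetBIOS domain
    [string[]]$Users    = @("alice", "bob"),       # placeholder domain users
    [string]$RoleName   = "ReadOnly"               # built-in role; grant Admin only where needed
)

# 1. Create the local group if it does not already exist.
net localgroup $LocalGroup > $null 2>&1
if ($LASTEXITCODE -ne 0) {
    net localgroup $LocalGroup /add /comment:"vCenter access via domain accounts" | Out-Null
}

# 2. Add each domain account using the DOMAIN\user form; a bare user name is
#    resolved against the local SAM and silently fails to match the domain user.
foreach ($u in $Users) {
    net localgroup $LocalGroup "$Domain\$u" /add | Out-Null
}

# 3. Grant the local group a role on the root folder, propagating downward.
#    PowerCLI 4.x uses Add-PSSnapin VMware.VimAutomation.Core instead of Import-Module.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCServer | Out-Null
$principal = "$($env:COMPUTERNAME)\$LocalGroup"
$root = Get-Folder -NoRecursion
if (-not (Get-VIPermission -Entity $root -Principal $principal -ErrorAction SilentlyContinue)) {
    New-VIPermission -Entity $root -Principal $principal `
        -Role (Get-VIRole -Name $RoleName) -Propagate:$true | Out-Null
}

# 4. Verify: the group should list DOMAIN\user entries, and the permission
#    should show the local group with the expected role.
net localgroup $LocalGroup
Get-VIPermission -Entity $root -Principal $principal | Format-Table Principal, Role, Propagate
Disconnect-VIServer -Server $VCServer -Confirm:$false
```

Log in to the VI Client afterwards as DOMAIN\user, not as the bare user name, which is the detail RVTC's attempt was missing.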
RVTC
Contributor

Your fix was partially a resolution for me.

vCenter creates an AD LDS instance that has no LDAP information, or very little; since I couldn't find how to edit it live, I reverted my vCenter VM to before the install.

I created an AD LDS instance with the same naming convention the vCenter installer uses:

VMwareVCMSDS.

I created a separate partition with my base DN values. Installed vCenter. By default the Domain Admins LDAP group is auto-populated into the Administrators group when you join the machine to the domain.

After the installation completed I was able to log into the vCenter server via LDAP credentials.

resh
Contributor

Hi RVTC.

I am also trying to set up vCenter with OpenLDAP. Can you clarify this part:

"I created a separate partition with my base DN values. Installed vCenter. By default the Domain Admins LDAP group is auto-populated into the Administrators group when you join the machine to the domain."

kpc
Contributor

I'd also really like to find a guide or help on this; I'm in the same boat. We don't use AD in our environment, only LDAP!!!

I'm just wondering if anyone has tried to get OpenLDAP compiled and working in the Linux vCenter?

UPDATE:

I've just noticed that the SuSE vCenter 5 appliance comes with OpenLDAP; I'll try to connect this to our LDAP server.

makruger
Contributor

At the company where I work we mostly use LDAP (and various other schemes) for authentication. Initially we had created domain controllers just to manage our vCenter users, but recently we have begun retiring the DCs and are now simply using local authentication. It sure would be nice to authenticate against LDAP. I may have to take a look at the Linux vCenter appliance. Hopefully MS SQL or MySQL support is in the works, as we don't use Oracle and DB2 Express is not able to handle more than 50 VMs.

kpc
Contributor

I'm not sure where you read about the 50 VM limit, but that would kind of make the product pretty useless! The appliance with the embedded DB2 can handle 400 hosts or 4000 VMs, providing you give it enough vRAM.

I tried getting LDAP running by compiling in the packages, but it didn't work and broke the internal security; in the end I just ran out of time to look at this. I still think it's possible, but someone with a greater understanding of Linux / package management / LDAP / security needs to take a look at this.

Not sure VMware will bother implementing this, as so many shops use AD.
