VMware Cloud Community
ViCoS
Contributor

Configuring VMO to use OpenLDAP

Hi,

In the lifecycle manager installation document it mentions that the appliance runs OpenLDAP (slapd) version 2.3.35. How can I configure VMO to use this rather than the AD? Is there any document that details this? I can't find any info in the install guide on this. Ideally I do not want to have to rely on the AD.

thanks,

Chi

4 Replies
dconvery
Champion

I know... docs aren't the best in the world. I also know that the LCM Appliance uses OpenLDAP. Maybe you could dissect it?

Dave

Dave Convery, VCDX-DCV #20 ** http://www.tech-tap.com ** http://twitter.com/dconvery ** "Careful. We don't want to learn from this." -Bill Watterson, "Calvin and Hobbes"
cdecanini_
VMware Employee

To achieve this you will have to set up the slapd.conf file and an ldif file. There are several examples on the web on how to do this. You can also follow the following procedure that was done for adding users to the appliance:

To add a user to the LDAP database, follow the following example (paths are for OS X and have to be adapted for the OS you want to run LDAP on). You will have to find the existing ldif provided in the appliance and change it with new users and groups.

Init the database: look for the ldif provided in the appliance and edit accordingly.

Several tags are available (for more detail see the schemas in the schema directory); the most useful are:

  • dn: distinguished name (composed of cn, ou and dc)
  • cn: common name
  • uid: id
  • name: name (generally, cn, uid and name are the same)
  • objectClass: determines the class of the entry
  • member: name of a member of the group if the entry is a group

Example: a) Create a user:

dn: cn=vsoadmin, ou=vso, dc=vsoappliance
cn: vsoadmin
# sn is required by the person object class (slapadd rejects the entry without it)
sn: vsoadmin
uid: vsoadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
# inetOrgPerson corresponds to "user" in Active Directory
objectClass: inetOrgPerson
name: vsoadmin
# paste the full slappasswd output here, including its {SSHA} scheme prefix;
# a value without a scheme prefix is compared as cleartext by slapd
userPassword: 238Def2RyRMitcHImxm5FVS2IGI6lIDg

(to generate a password hash, open a terminal and type "slappasswd"; it prompts for the password and prints the value to use)

b) Create a group:

dn: cn=vsoadmins, ou=vso, dc=vsoappliance
cn: vsoadmins
uid: vsoadmins
name: vsoadmins
objectClass: top
# groupOfNames specifies that this entry is a group
objectClass: groupOfNames
member: cn=vsoadmin, ou=vso, dc=vsoappliance

Start the server with the init-database:

In a terminal (Warning: ADAPT TO YOUR OS PATHS! The commands should be the same. Stop slapd before doing any of this):

cd /etc/openldap
# clean the database
sudo rm -r /var/db/openldap/openldap-data/; sudo mkdir /var/db/openldap/openldap-data/
# init the server with our init-database
sudo slapadd -f slapd.conf -l init-database.ldif
# -d 255 is optional; it starts the server in debug mode
sudo /usr/libexec/slapd -d 255

You can also use an OpenLDAP web front-end which will do all of this for you.

Christophe.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vCenter Orchestrator tips and tutorials - @vCOTeam on Twitter
brianwatrous
VMware Employee

I'm configuring VMO to use OpenLDAP (running on RedHat Enterprise Linux 3). I was experiencing failures in my attempts to configure the LDAP and Plugins tabs within the VMware Orchestrator Configuration utility. Specifically, the failures were occurring when attempting to use the "Test Login" capability (of the LDAP tab) and when attempting to authenticate to LDAP from the Plugins tab.

I fixed the problem by adding the "uid" line to my ldif file.

I've included my ldap.conf, slapd.conf, and ldif files below to provide another sample OpenLDAP configuration for others in the future.

Also, during my attempts to get VMO and OpenLDAP configured to work together it wasn't clear to me what credentials I needed to supply on the LDAP and Plugins tabs. What ultimately worked was using "vmoAdmin" (the short name for my LDAP user account).

ldap.conf

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 127.0.0.1
BASE dc=example,dc=com
URI ldap://localhost
# TLS_REQCERT takes a level argument (never, allow, try, demand or hard); the
# posted line had none, so the default level, demand, is used here
TLS_REQCERT demand

slapd.conf

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
# password-hash takes a scheme argument; the posted line had none (the braces
# were presumably lost in posting), so the slappasswd default {SSHA} is used here
password-hash {SSHA}
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
#pidfile //var/run/slapd.pid
#argsfile //var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
# (with every access line above commented out, that default applies to this
# directory: anonymous binds can read all attributes, including userPassword
# hashes; uncommenting the sample block above is the minimum to restrict that)
#
# rootdn can always write!
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=example,dc=com"
#suffix "o=My Organization Name,c=US"
rootdn "cn=ldapadmin,dc=example,dc=com"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw vmware
# The hashed password below is 'vmware'. The 28-character base64 value decodes
# to 20 bytes, the length of a SHA-1 digest (MD5 would be 16 bytes), and slapd
# only treats it as a hash when the {SHA} scheme prefix is present; without the
# prefix the value is compared as cleartext.
rootpw {SHA}cXICgynhE87XFanNV9bOA+EYBlY=
# rootpw secret
# rootpw ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM

ldif

dn: dc=example,dc=com
dc: example
description: This is an example company.
objectClass: dcObject
objectClass: organization
o: Example

dn: ou=Employees,dc=example,dc=com
ou: Employees
description: All the employees in Example, Inc.
objectClass: organizationalUnit

dn: ou=Groups,dc=example,dc=com
ou: Groups
description: Groups in Example, Inc.
objectClass: organizationalUnit

dn: cn=vmoAdmin,ou=Employees,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: vmoAdmin
sn: vmoAdmin
uid: vmoAdmin
# same base64 value as rootpw in slapd.conf; the {SHA} prefix marks it as a
# hash rather than a cleartext password
userPassword: {SHA}cXICgynhE87XFanNV9bOA+EYBlY=

dn: cn=vmoAdmins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: vmoAdmins
member: cn=vmoAdmin,ou=Employees,dc=example,dc=com

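An added example, not code from this thread or from VMware, that checks an LDIF file for the mistakes the two posts above run into: a missing blank line between entries, a person entry without sn or uid, and a userPassword value with no {SCHEME} prefix. The sample LDIF and the REQUIRED table are constructed; the table covers only the standard-schema classes used in this thread.

```python
# Constructed sample LDIF (not from the thread) carrying the defects discussed above
SAMPLE_LDIF = """\
dn: cn=vmoAdmin,ou=Employees,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: vmoAdmin
userPassword: cXICgynhE87XFanNV9bOA+EYBlY=
dn: cn=vmoAdmins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: vmoAdmins
member: cn=vmoAdmin,ou=Employees,dc=example,dc=com
"""

# MUST attributes (core.schema) of the object classes the thread's LDIF files use
REQUIRED = {"person": {"cn", "sn"}, "groupofnames": {"cn", "member"}, "organizationalunit": {"ou"}}

def parse_ldif(text):
    entries, errors, cur = [], [], None          # cur is the entry currently being read
    for line in (l.rstrip() for l in text.splitlines() if not l.startswith("#")):
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not line:                             # a blank line terminates the entry
            entries, cur = entries + ([cur] if cur else []), None
        elif name == "dn":
            if cur:                              # dn inside an open entry: separator missing
                errors.append(f"'dn: {value}' has no blank line before it")
                entries.append(cur)
            cur = {"dn": value, "attrs": {}}
        elif cur is None:
            errors.append(f"attribute '{name}' appears before any 'dn:'")
        else:
            cur["attrs"].setdefault(name, []).append(value)
    return entries + ([cur] if cur else []), errors

def check_attrs(attrs):
    """Schema and password findings for one entry's attribute map."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    problems = [f"{c} requires '{m}'" for c in sorted(classes)
                for m in sorted(REQUIRED.get(c, ())) if m not in attrs]
    if "person" in classes and "uid" not in attrs:       # the fix found in the post above
        problems.append("person entry has no 'uid' (VMO Test Login failed without it)")
    for pw in attrs.get("userpassword", []):
        if not (pw.startswith("{") and "}" in pw):       # no {SSHA}, {SHA}, ... prefix
            problems.append("userPassword lacks a {SCHEME} prefix; slapd compares it as cleartext")
    return problems

def lint_ldif(text):
    entries, errors = parse_ldif(text)
    return errors + [f"{e['dn']}: {p}" for e in entries for p in check_attrs(e["attrs"])]
```

Run lint_ldif over an init-database.ldif before slapadd; an empty list means the file has none of the problems above.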
brianwatrous
VMware Employee

The formatting of the LDIF file in the example above is incorrect.

You need a blank line before each dn: entry.
