From reading http://kb.vmware.com/kb/2037546 it looks like I need to have a service account with specific AD permissions for my AD to be used as an identity source for SSO, but can anyone tell me the absolute (minimum) permissions it needs? The article just says "the service account must have sufficient permissions to read the properties and attributes of any user which you intend to have login capabilities in vSphere".
Would the population size of the Base DN make any difference to the SSO? I have a few AD accounts but none are working for me.
I seem to recall a KB about that, but can't find it now. I would imagine, if even just from a security perspective, it's best to limit the base DN to an OU/CN with a limited number of users who should have access, versus an entire domain.
I modified the Base User DN & Base Group DN to only search a subset of the domain and was able to use a standard AD user account to configure the AD identity source. So I'm not sure if it was down to the population, but it did remove a large number of possible users through which SSO had to search.
Do you know if it matters whether the Base DN has to exclusively contain only User objects?
It needs permission similar to the Pre-Windows 2000 Compatible Access group, so the ability to read user attributes, groups and nested groups. In some environments even a domain admin might not have the necessary perms to perform this operation, so it might not be a good way to test. Pre-Windows 2000 should at least get you working.
I would try looking up some LDAP permissions... if I remember, I think when I was setting up a Citrix NetScaler there was an article on the permissions needed for nested group extraction that showed you the exact permissions to set in AD, and that should be applicable here as well.
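The two replies above say the service account must be able to read user attributes and expand nested groups under the Base DN, and that membership in Pre-Windows 2000 Compatible Access is the usual way to get there. The following PowerShell is an added example, not from this thread or from VMware, that checks exactly those three things as the service account before it is wired into SSO; the domain controller, Base DN, test user and account names are assumed placeholders.

```powershell
# Added example: verify an SSO service account can read user attributes and expand
# nested groups under the Base DN; if not, grant the read rights the thread describes.
# Run from a host with RSAT / the ActiveDirectory module. All names below are assumed.
Import-Module ActiveDirectory

$Server   = 'dc01.corp.example'                   # assumed domain controller
$BaseDN   = 'OU=vSphereUsers,DC=corp,DC=example'  # assumed Base User DN configured in SSO
$TestUser = 'jdoe'                                # assumed user who should be able to log in
$SvcCred  = Get-Credential -Message 'SSO service account (DOMAIN\user)'

# 1. Enumerate users under the Base DN as the service account and read the attributes
#    SSO relies on. An empty result means the account cannot read under this DN at all.
$users = Get-ADUser -Server $Server -Credential $SvcCred -SearchBase $BaseDN -Filter * `
    -Properties sAMAccountName, userPrincipalName, mail, memberOf
if (-not $users) { Write-Warning "No users readable under $BaseDN as $($SvcCred.UserName)" }

# 2. Confirm the test user is inside the Base DN and that memberOf is readable.
#    A narrowed Base DN silently excludes users outside it, which looks like a permission
#    problem but is really the scoping described earlier in the thread.
$u = $users | Where-Object { $_.sAMAccountName -eq $TestUser }
if (-not $u) {
    Write-Warning "$TestUser not found under $BaseDN (outside scope, or attributes not readable)"
} elseif (-not $u.memberOf) {
    Write-Warning "memberOf is empty for $TestUser: group read is blocked or user is in no groups"
}

# 3. Expand nested membership the way SSO needs it, using the LDAP_MATCHING_RULE_IN_CHAIN
#    OID so the server walks the group chain for us. Direct-only results here mean the
#    account can read groups but not their nested structure.
if ($u) {
    $nested = Get-ADGroup -Server $Server -Credential $SvcCred `
        -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($u.DistinguishedName))"
    "Nested groups visible to the service account for ${TestUser}: $($nested.Count)"
    $nested | Select-Object -ExpandProperty Name
}

# 4. Remediation (run with a domain admin, not the service account): add the account to
#    Pre-Windows 2000 Compatible Access, which grants the read rights mentioned above
#    without making it an admin. Re-run steps 1-3 afterwards to confirm.
$svcSam = ($SvcCred.UserName -split '\\')[-1]
# Add-ADGroupMember -Server $Server -Identity 'Pre-Windows 2000 Compatible Access' -Members $svcSam
```

Leave the last line commented until the checks above actually fail; if they already pass, the account has the minimum it needs and nothing further should be granted.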