Logging in to your vCloud Director system/organisation via the web interface can be achieved in a number of ways. You can use local authentication (users local to vCloud Director), your Active Directory, or another LDAP v3 compliant directory service for authentication and group membership lookup.
After you connect vCloud Director to an LDAP server, you can import system administrators from the groups and users in the LDAP directory. You can also use the system LDAP settings to import users and groups to an organization, or you can specify separate LDAP settings for each organization. An LDAP user cannot log in to vCloud Director until you import them to the system or an organization.
1: vCloud Director does not support hierarchical domains for LDAP authentication.
2: vCloud Director cannot modify the information in your LDAP directory. You can add, delete, or modify LDAP users or groups only in the LDAP directory itself.
Below table shows supported combinations of Operating System, LDAP Server, and Authentication Method which vCloud Director supports.
Since this is my lab environment I am using unencrypted simple LDAP binds. But for production environment this is a very bad idea, as they pass the AD user credentials across the network in plain text.
If you tend to use simple LDAP binds then it should be encrypted using SSL. This is better, but it is still preferable not to send the password at all, encrypted or not.
If you don’t wish to send any kind of password across the network then you can use Kerberos authentication. With Kerberos, no passwords cross the wire – just encrypted Kerberos tickets with a limited lifespan.
If you are looking for using LDAP with SSL I would suggest you to look following 2 articles:
Enable LDAP over SSL with a third-party certification authority
Mike Laverick Blog
If you are looking for setting Kerberos authentication with vCD please follow the VMware KB 2015986
The below table lists the port details and their usage:
LDAP or Local Authentication?
As discussed earlier vCloud Director supports both LDAP and Local logins.
You can configure an OU structure on the domain to reflect the different organizations – and then allow the Organization just to be able to “see” the users and groups in that Organization. Alternatively, each Organization can have its one per-Org LDAP configuration.
Limitations with using local user accounts
There’s a whole bunch of limitations with local users which makes their use debatable.
- Groups cannot be used
- A minimum length of 6 character only
- No password complexity policies
- No password expiration policies
- No password history
- No authentication failure controls
- No integration with enterprise identity management system
One advantage of having local login is that it can serve as a backdoor entry to your cloud infrastructure when your directory services are down.
Lets have a look on how to configure LDAP for use with vCD
Login to the vCloud Director Web interface and navigate to Administration tab.
Under System Settings select LDAP. You have to supply following information:
server name: FQDN of your AD/LDAP server
port: LDAP port. Please refer the table shown above to identify the correct port
Base distinguished name: in the format (dc=example,dc=com)
SSL: check mark the box if you want to use LDAP with SSL
Additionally you can configure your vCD to use kerberos authentication. In this case you have to define the Kerberos Realm and credentials.
I am not using secure LDAP or Kerberos in my lab so my configuration looks like as shown below:
Do not modify the fields shown in below screenshot untill and unless your AD/LDAP admin have setup the server with specific settings. For most of the deployment default settings are enough and should not be touched.
Once you have filled up the LDAP details, hit Test LDAP button to check if vCD is able to contact LDAP. If the connection is successful between vCD and LDAP you will see a screen like as shown below:
You can search for a particular user account to verify vCD is able to pull up details of that user from LDAP. In the search box type username and hit Test button.
I hope this post is informational to you. You can hit like and share it on social media as well.