Monday, July 25, 2016

vCenter Appliance: LDAP Integration

Who wants to give out their root password whenever they need to have IT staff manage their VMware environment? No one. Fortunately this one is fairly straightforward. Our goal in the end will be to land on the vSphere vCenter Web Portal and be able to check the box to pass through our Windows credentials. For this sample I am going to utilize a group called VMware-FullAdmins as my security group and the domain administrator account for validation. Avoid using the AD administrator account in any production environment. Set up a delegated VMware administrators group and assign those users needing permissions.

  1. Log into the vSphere console at <IP>:9443 with the administrator@vsphere.local account. You will need to use the web console. The fat client has had this option removed in the latest versions.
  2. Find the Administration node. You should have Single Sign-On > Configuration available to select.
  3. You will have Policies / Identity Sources / Certificates tabs. Select Identity Sources.
  4. Click the Plus to add a source.
  5. Enter the information for your domain. Keep in mind that the Alias field cannot have punctuation; it should be the short name for your domain. Sample information below.
    Name: MyDomain.Local
    Server URL: ldap://lserver.mydomain.local:389
    Type: ActiveDirectory
    Domain: MyDomain.Local
    Alias: MyDomain
  6. Now that your source is available for authentication we will want to add our VMware-FullAdmins group for access.
  7. Select vCenter Servers in the left menu column.
  8. On your vCenter server right-click and select All vCenter Actions > Add Permission.
  9. You can now select to search MyDomain.Local for VMware-FullAdmins and add it at this level to have full administration capabilities for the environment.
  10. Now just populate VMware-FullAdmins with those you need to manage your environment and you can stop handing out your built-in privileged accounts!
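Steps 7 through 10, scripted with PowerCLI so the grant is repeatable and so you can audit who else holds the Administrator role. This is an added example, not code from the original post; it assumes PowerCLI is installed, the identity source above is configured, and a vCenter at the hypothetical FQDN vcenter.mydomain.local.

```powershell
# Added example (not from the original post). Assumes VMware PowerCLI and the
# MyDomain identity source configured in the steps above.
Import-Module VMware.PowerCLI
Connect-VIServer -Server vcenter.mydomain.local   # hypothetical vCenter FQDN

$group = 'MyDomain\VMware-FullAdmins'            # <Alias>\<AD group> from the identity source
$root  = Get-Folder -NoRecursion                  # the root folder: permissions set here cover everything
$admin = Get-VIRole -Name 'Admin'                 # the built-in Administrator role

# Grant the delegated group full administration at the root, once, and let it propagate.
if (-not (Get-VIPermission -Entity $root -Principal $group -ErrorAction SilentlyContinue)) {
    New-VIPermission -Entity $root -Principal $group -Role $admin -Propagate $true
}

# Audit: list every principal that holds Administrator anywhere in the inventory.
# Anything beyond the delegated group and the SSO administrator deserves a second look,
# since the point of the exercise is to stop handing out built-in privileged accounts.
Get-VIPermission |
    Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Entity, Principal, IsGroup, Propagate |
    Format-Table -AutoSize

Disconnect-VIServer -Confirm:$false
```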
