Skip to main content

Setting up an external LDAP authentication server

Users can use an external LDAP authentication server instead of the local LXCI for VMware vCenter authentication server on the management node.

Before you begin

  • The initial setup of LXCI for VMware vCenter must be completed before setting up the external authentication server.

  • The following external authentication servers are supported:

    • Microsoft Active Directory. It must reside on an outboard Microsoft Windows server that is able to communicate with LXCI for VMware vCenter appliance.

  • LXCI for VMware vCenter performs a connectivity check every 10 minutes to maintain connectivity to configured external LDAP servers. Environments with many LDAP servers might experience high CPU usage during this connectivity check. To achieve the best performance, specify only known, reachable LDAP servers when configuring LDAP Client.

  • Ensure that the LDAP users that can login this XClarity Integrator web interface are the members of the LDAP group in the LDAP server.

    Create the group and add the users to it in the LDAP server before configuring this LDAP Client:
    1. From the external authentication server, create a user account. For instructions, see the documentation of the LDAP server.

    2. Create a group in the LDAP server. The LDAP group name can be the default name LXCI-SUPERVISOR or other user-defined names. The group must exist within the context of the root distinguished name defined in the LDAP client.

    3. Add the user as a member of the group created previously.

Procedure

To configure LXCI for VMware vCenter to use an external authentication server, complete the following steps.

  1. Set up the user-authentication method for Microsoft Active Directory, do one of the following:
    • To use non-secure authentication, no additional configuration is required. The Windows Active Directory domain controllers use non-secure LDAP authentication by default.

    • To use secure LDAP authentication:
      1. Set up the domain controllers to allow secure LDAP authentication. For more information about setting configuring secure LDAP authentication in Active Directory, see https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx.

      2. Verify that the Active Directory domain controllers are configured to use secure LDAP authentication:
        • Look for the LDAP over Secure Sockets layer (SSL) is now available event in the domain controllers Event Viewer window.

        • Use the ldp.exe Windows tool to test secure LDAP connectivity with the domain controllers.

      3. Import the LDAP server certificate, the intermediate certificates(if any), and the root certificate of the certificate authority signing the server certificate.

        1. From the left navigation pane of LXCI for VMware vCenter menu, click Security Settings.

        2. Click Trusted Certificates in the Certificate Management section.

        3. Click Add.

        4. In the Add window, click Choose File to upload the target certificate.

        5. Click Upload Certificate.

  2. Configure the LXCI for VMware vCenter LDAP client:
    1. From the left navigation pane of LXCI for VMware vCenter, click Security Settings > LDAP Client.
    2. Select one of these user-authentication methods:
      • Allow logons from local users. Authentication is performed using the local authentication. When this option is selected, users can only log in to LXCI with the local account.
      • Allow LDAP users first, then local users. An external LDAP server performs the authentication first. If that fails, the local authentication server performs the authentication.

        If this method is selected, do the following:

        1. Input one or more server addresses and ports.

        2. Input LDAP group name.

          Note
          • By default, the LDAP group name is LXCI-SUPERVISOR. Users can also input other names.

          • Select Use nested group search > OK, LXCI can search out the group and its parent group for the target user. This feature is only applicable to Active Directory.

        3. Select one of these binding methods:

          • Configured Credentials. Use this binding method to use the client name and password to bind LXCI for VMware vCenter to the external authentication server. If the bind fails, the authentication process also fails

            The client name can be any name that the LDAP server supports, including a distinguished name, sAMAccountName, NetBIOS name, or UserPrincipalName. The client user name must be a user account within the domain that has at least read-only privileges. For example:
            cn=administrator,cn=users,dc=example,dc=com
            example\administrator
            administrator@example.com
            Attention
            To change the client password in the external authentication server, ensure that the new password in LXCI for VMware vCenter is updated . If the client password is changed in the external LDAP server, users can log in to the Integrator using local account to update the new password.
          • Login Credentials. Use this binding method to use a LDAP user name and password to bind LXCI for VMware vCenter to the external authentication server.

            The specified user ID and password are used only to test the connection to the authentication server. If successful, the LDAP client settings will be saved, but the test login credential specified will not be saved. All future binds use the user name and password used to log in to LXCI for VMware vCenter.

            Note
            • Users should log in to LXCI for VMware vCenter using a fully-qualified user ID (for example, administrator@domain.com or DOMAIN\admin).

            • Users should use a fully qualified test client name for the binding method.

        4. In the Root DN field, specify the top-most entry in the LDAP directory tree. In this case, searches are started using the specified root distinguished name as the search base.
        5. In the User Search Attribute field, specify the attribute to use to search for the user name.

          When the binding method is set to Configured Credentials, the initial bind to the LDAP server is followed by a search request that retrieves specific information about the user, including the user DN and group membership. This search request must specify the attribute name that represents the user IDs on that server. This attribute name is configured in this field.

        6. In the Group Search Attribute field, specify the attribute name that is used to identify the groups to which a user belongs.

        7. In the Group Name Attribute field, specify the attribute name that is used to identify the group name that is configured by the LDAP server.

    3. Click Save.

      The LXCI for VMware vCenter attempts to test the configuration to detect common errors. If the test fails, error messages are displayed that indicate the source of the errors. For the Configured Credentials binding method, if the test succeeds and connections to the specified servers complete successfully, user authentication might still fail if:

      • If mis-configuration or changes are in the LDAP server, users can log in using the local account. It is recommended to keep a record of the local account and password.

      • The root distinguished name is incorrect.

      • The user is not a member of the LDAP group in the LDAP server.

    4. Click OK.

Results

LXCI for VMware vCenter validates the LDAP server connection. If the validation passes, user authentication occurs on the external authentication server when logging in to LXCI for VMware vCenter.

If the validation fails, the authentication mode is automatically changed back to the Allow logons from local users setting, and a message that explains the cause of the failure is displayed.

Note
The correct role groups must be configured in LXCI for VMware vCenter, and user accounts must be defined as members of the LDAP group in the LDAP server. Otherwise, user authentication fails.