vRealize Automation 8: Directory Management

In the previous blog posts, we described how to deploy vRealize Automation 8. To get it fully working, we have to configure Identity & Access Management so that users and groups from Active Directory can be synced and can log on.

Adding a Directory

Adding a directory can be done from the Lifecycle Manager console as well as from the Identity Manager console. The GUI is more or less the same in both, so we will focus on the latter. Also note that most of the steps for adding a directory are very similar to vRealize Automation 7.

First, log on to the Identity Manager and switch to the Identity & Access Management tab. Click on Add Directory.

This image shows the dashboard of the Identity Manager interface in vRealize Automation 8. The dashboard includes various widgets that provide insights into user activities and system usage. On the left side, there is a gauge showing "3 Users Logged in Today" with icons representing the total number of users active today. Below this, another graph displays the count of different user types currently logged in, represented by icons for individual users and groups. The central part of the dashboard features a line graph titled "Logins" showing the trend of logins over the past week. Below the graph, a list displays application launches with details such as the application name, type, and the number of launches over the last 12 weeks. The right section of the dashboard is reserved for additional reports and statistics, which currently shows no reports. The top right corner has a search bar for finding specific users, groups, or applications.
This image displays the "Directories" section of the Identity Manager interface in vRealize Automation 8. It shows a list of two directories: "System Directory" and "VDI AD". The "System Directory" is identified as a Local Directory with 1 domain, 0 synced groups, and 2 synced users, and the "VDI AD" is an Active Directory with Integrated Windows Authentication (IWA) with 1 domain, 1 synced group, 14 synced users, and last synchronized on October 28, 2019, at 12:55:03 AM. Each directory entry provides options like "Sync Now" with a status indicator. The interface also includes navigation tabs such as Dashboard, Users & Groups, Catalog, and Identity & Access Management at the top, along with a search bar and administrative options on the upper right. There's a prominent "Add Directory" button suggesting the ability to add more directories to the system.

In my case, I chose Add Active Directory over LDAP/IWA (Integrated Windows Authentication).

On the first page, provide the following information:

  • Directory name
  • Active Directory over LDAP or Active Directory (Integrated Windows Authentication)
  • Keep the default Sync Connector
  • Do you want this Connector to also perform authentication? => Yes
  • Directory Search Attribute: sAMAccountName or userPrincipalName
  • For TLS, tick "This Directory requires all connections to use STARTTLS" and paste the Root CA certificate (PEM format) that issued the domain controllers' certificates, so the connector can validate them
  • Domain Name
  • Domain Admin Username (used for the domain join)
  • Domain Password
  • Bind User Name and Bind User Password

The bind user only needs permission to query users and groups in the domains you sync, so use a dedicated read-only account for it rather than the domain admin account. If the bind user lives in a different domain than the join domain, enter it as sAMAccountName@domain with the fully-qualified domain name.
This image shows a configuration screen for setting up a directory in VMware Identity Manager, part of the vRealize Automation 8 suite. The configuration form is titled "VDI AD" and provides options to choose between "Active Directory over LDAP" and "Active Directory (Integrated Windows Authentication)." The form requires the selection of a Sync Connector, here chosen as "vr-identity.sclabs.net," and an Identity Provider labeled "WorkspaceIDP_1." Users are also required to specify the "Directory Search Attribute," set to "sAMAccountName" for user name attribute mapping. Additionally, there is a section for certificates, where users can opt for STARTTLS encryption and input Root CA certificates in PEM format. The "Join Domain Details" section at the bottom requests the domain name ("vdi.sclabs.net") and domain admin username ("guido") to join the Active Directory domain, highlighting essential settings for secure directory synchronization and authentication.
This image shows a configuration section within VMware Identity Manager for setting up user authentication details related to Active Directory integration. The section includes an option to "Enable Change Password" which allows Active Directory users to change their password. Below this, there is a "Bind User Details" form where the user needs to enter the username and password of a bind user, who has permissions to query users and groups for the required domains. In this form, "Bind User Name" is filled in as "guido". The form specifies that for the user name, the sAMAccountName should be entered, and if the bind user’s domain is different from the Join Domain entered above, the user name should be entered as sAMAccountName@domain, where domain is the fully-qualified domain name. The "Bind User Password" field is provided for entering the password, but it remains obscured for security reasons.
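Before pasting a Root CA into the wizard and enforcing STARTTLS, it is worth confirming that a domain controller actually answers StartTLS on port 389 and that its certificate chains to that CA. The following script is an added example written for this post, not code from VMware or from the original author. It uses only the Python standard library; the domain controller name dc01.vdi.sclabs.net and the file name root-ca.pem are assumptions for illustration.

```python
"""Pre-flight check for the "This Directory requires all connections to use STARTTLS"
option: speak LDAP StartTLS (RFC 4511) to a domain controller and complete a TLS
handshake validated against the Root CA PEM you are about to paste into the wizard.
Standard library only; no LDAP client library required."""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID (RFC 4511)


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    if not 1 <= message_id < 0x80:
        raise ValueError("message_id must fit in one INTEGER content byte")
    request_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID   # [0] requestName
    extended_req = b"\x77" + ber_len(len(request_name)) + request_name   # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + extended_req              # INTEGER messageID
    return b"\x30" + ber_len(len(body)) + body                           # SEQUENCE


def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(buf: bytes) -> tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)                     # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse, got tag 0x{tag:02x}")
    _, code, pos = read_tlv(op)                   # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)                 # matchedDN
    _, diag, _ = read_tlv(op, pos)                # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def check_starttls(host: str, root_ca_pem: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Connect in the clear, upgrade with StartTLS, then verify the chain and hostname."""
    ctx = ssl.create_default_context(cafile=root_ca_pem)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request())
        code, diag = parse_starttls_response(raw.recv(4096))   # response is a few dozen bytes
        if code != 0:
            raise RuntimeError(f"{host} refused StartTLS: resultCode={code} {diag!r}")
        # wrap_socket raises SSLCertVerificationError if the DC cert does not chain to root_ca_pem
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    # Assumed names: a domain controller of vdi.sclabs.net and the exported Root CA file.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.vdi.sclabs.net"
    ca = sys.argv[2] if len(sys.argv) > 2 else "root-ca.pem"
    print(check_starttls(dc, ca))
```

Run it as `python starttls_check.py dc01.vdi.sclabs.net root-ca.pem`. A certificate verification error at the handshake means the PEM you are about to paste is not the CA that issued the domain controller certificates, or the DC presents a certificate for a different name; the connector would fail in the same way once STARTTLS is enforced. A non-zero resultCode means the DC does not offer StartTLS on that port at all. The single `recv(4096)` assumes the whole response arrives in one read, which holds for this small message.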

On the next page, choose the appropriate domain.

On the Mapped Attribute page, check the settings.

The Mapped Attributes table has three columns: the attribute name in VMware Identity Manager, the attribute name in Active Directory, and whether the attribute is required. The default mappings are:

  • lastName → sn
  • firstName → givenName
  • email → mail
  • userName → sAMAccountName
  • phone → telephoneNumber
  • disabled → userAccountControl
  • employeeID → employeeID
  • distinguishedName → distinguishedName
  • userPrincipalName → userPrincipalName
  • domain → canonicalName

Each Active Directory attribute can be changed via a drop-down menu if your directory stores the data elsewhere. Note that userName maps to sAMAccountName here, matching the Directory Search Attribute chosen on the first page.

In the next screen, select the groups whose members you want to sync. Specify the group DNs, for example:

CN=vraUsers,OU=VRA,DC=VDI,DC=SCLABS,DC=NET

This image shows a configuration interface from VMware Identity Manager for synchronizing user groups from Active Directory. The interface provides options to select groups for synchronization. The user can choose to sync nested group members by checking the "Sync nested group members" box. Below this, there's a section labeled "Specify the group DNs" with a text field and a checkbox to select the desired group DN, in this case, "CN=vraUsers,OU=UEMUsers,DC=VDI,DC=SCLABS,DC=NET". The right side of the interface includes buttons for selecting all groups, adding new group DN configurations, and deleting existing ones. At the bottom of the interface, a table displays the "Group DN" and the corresponding "Mapped Groups" with a note that all groups in this DN are selected. This setup determines which Active Directory group DNs are synced into the VMware Identity Manager environment.
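Group DNs are pasted as free text, and a DN that does not match anything simply maps no groups, which you only notice after a sync. As an added example (not part of the original post or of VMware's tooling), here is a small checker that parses a DN as in RFC 4514 (so an escaped comma inside a CN does not break it), normalises stray whitespace such as in the DN above, and verifies that the DN ends in the DC components of the joined domain. The join domain vdi.sclabs.net is taken from the screenshots; the other inputs are constructed for the example.

```python
"""Sanity-check the group DNs you type into the sync wizard before running a sync:
parse them per RFC 4514 (escaped commas and such), normalise whitespace, and confirm
each DN sits under the domain you joined."""


def split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, leaving backslash-escaped characters (e.g. '\\,') untouched."""
    parts, current, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair as-is
            current.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(s[i])
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(attributeType, value), ...] with unescaped surrounding whitespace removed.
    Multi-valued RDNs joined with '+' are not handled (assumption: not used for group DNs)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        pieces = split_unescaped(rdn, "=")
        if len(pieces) < 2:
            raise ValueError(f"RDN without '=': {rdn.strip()!r}")
        attr, value = pieces[0].strip(), "=".join(pieces[1:]).strip()
        if not attr or not value:
            raise ValueError(f"empty attribute type or value in {rdn.strip()!r}")
        rdns.append((attr, value))
    return rdns


def check_group_dn(dn: str, join_domain: str) -> tuple[str, list[str]]:
    """Return (normalised DN, list of problems). An empty list means the DN looks usable."""
    problems: list[str] = []
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return "", [str(exc)]
    if rdns[0][0].upper() != "CN":
        problems.append("a group DN is expected to start with CN=")
    dc_index = next((i for i, (attr, _) in enumerate(rdns) if attr.upper() == "DC"), None)
    if dc_index is None:
        problems.append("no DC= components: DN must end with the domain, e.g. DC=VDI,DC=SCLABS,DC=NET")
    elif any(attr.upper() != "DC" for attr, _ in rdns[dc_index:]):
        problems.append("DC= components must be the trailing RDNs")
    else:
        dn_domain = ".".join(value for _, value in rdns[dc_index:])
        if dn_domain.lower() != join_domain.lower():
            problems.append(f"DN is under {dn_domain!r}, not the join domain {join_domain!r}")
    return ",".join(f"{attr}={value}" for attr, value in rdns), problems


if __name__ == "__main__":
    # Constructed inputs: the DN from the post (with stray spaces) and a few broken ones.
    for candidate in [
        "CN=vraUsers,OU=VRA, DC=VDI, DC=SCLABS,DC=NET",
        r"CN=Smith\, John,OU=VRA,DC=VDI,DC=SCLABS,DC=NET",
        "CN=vraUsers,OU=VRA,DC=corp,DC=example",
        "vraUsers",
    ]:
        print(check_group_dn(candidate, "vdi.sclabs.net"))
```

The checker deliberately does not query Active Directory; it only catches the formatting and wrong-domain mistakes that otherwise surface as "0 synced groups" after the first sync. Whether the group actually exists is confirmed by the Mapped Groups column in the wizard.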

Next, choose the users to be synced.

Finally, review your settings and finish the wizard.

Once the wizard is completed, you are taken to a summary page that shows your configuration and the sync status and lets you trigger a new sync. After the first sync, compare the number of synced groups and users with what you expect from the group DNs you specified; a DN that matched nothing shows up as zero synced groups.

This image shows the directory management interface for "VDI AD" in VMware Identity Manager. The interface provides options to configure Active Directory integration with settings for synchronization and authentication. The directory details displayed include the domain name "vdi.sclabs.net" and the type "Active Directory with IWA (Integrated Windows Authentication)". The sync connector is specified as "vr-identity.sclabs.net", and the identity provider is listed as "WorkspaceIDP_1". There are also configuration options for the directory search attribute, set to "sAMAccountName", and a section for certificates which requires STARTTLS encryption if enabled. The interface includes buttons for immediate synchronization ("Sync now"), modifying sync settings, and deleting the directory. This setup ensures that user management and directory synchronization are tailored to specific administrative and security requirements.

Author

Dr. Guido Söldner

Managing Director

Guido Söldner is Managing Director and Principal Consultant at Söldner Consult. His areas of expertise include cloud infrastructure, automation and DevOps, Kubernetes, machine learning, and enterprise programming with Spring.