This article provides guidance for customizing advanced options for Active Directory integration in VMware Aria Operations for Logs beyond what is available in the administrative user interface.
VMware Aria Operations for Logs supports integration with Active Directory for authentication. The administrative user interface provides settings for the Default Binding domain, a username and password, and whether it requires SSL.
VMware Aria Operations for Logs 8.x
Specify advanced Active Directory configuration directives in XML form using one of the methods described in Changing internal configuration options in VMware Aria Operations for Logs. You must use the web browser method to edit this configuration.
Locate the <authentication> tag. If Active Directory integration was enabled in the administration interface, it appears similar to:

<authentication>
<auth-method value="ACTIVE-DIRECTORY">
<enabled value="true" />
<ad-domain value="domain.example.com" />
<ad-username value="active directory username" />
<ad-password value="encrypted password" />
</auth-method>
</authentication>
The following directives can be placed inside the <auth-method> tag:

<ad-protocols value="LDAP,LDAPS" />
- Protocol used for connections. Only one of two values is accepted: "LDAP" or "LDAPS". The legacy value "LDAP,LDAPS" is treated the same as "LDAP". Previously the protocols were tried in the order specified, proceeding to LDAPS if the LDAP connection could not be established; now a connection is attempted only with the specified protocol.

<ad-ldap-port value="389" />
- Default port used for connections. Common choices are 389 (LDAP) or 3269 (Global Catalog). The default of 0 uses the port number returned by the DNS lookup. This can always be overridden by the new "ad-port" config.

<ad-ldaps-port value="636" />
- Default port used for SSL connections. Common choices are 636 (LDAPS) or 3269 (Global Catalog). The default of 0 uses the port number returned by the DNS lookup. This can always be overridden by the new "ad-port" config.

<ad-search-base value="cn=configuration,dc=adtest,dc=local" />
- Custom search base used for the Active Directory configuration partition. The default of blank searches the entire domain.

<ad-user-search-base value="cn=Users,dc=adtest,dc=local" />
- Custom search base used for user queries. Users outside this search base cannot be added in the Users administration interface. The default of blank searches the entire domain.

<ad-group-search-base value="cn=Groups,dc=adtest,dc=local" />
- Custom search base used for group queries. Groups outside this search base cannot be added in the Users administration interface. The default of blank searches the entire domain.

<ad-nested-groups value="false" />
- Whether to traverse nested group membership. The default of false honors direct group membership only.

<ad-nested-groups-matching-chain-rule value="true" />
- Whether to use LDAP_MATCHING_RULE_IN_CHAIN to query nested group membership. Supported in Log Insight 3.3 and later when connected to Active Directory servers with Domain Functional Level 2008 and later; the default is true. Can be reverted to Log Insight 3.0 behavior by setting it to false.

<ad-nested-groups-matching-chain-rule-use-dn value="false" />
- Whether to use the full distinguished name to match objects. Supported in Log Insight 3.6 and later; the default is false. Can be reverted to Log Insight 3.3 behavior by setting it to true.

<ad-nested-groups-query-timeout value="30000" />
- Timeout in milliseconds for the nested group query. The default of 0 means no timeout.

<ad-domain-servers value="ns1.example.com:ns2.example.com" />
- Colon-delimited list of domain controllers to use. The default of blank results in auto-discovery. If krb-domain-servers is specified, this should likely match it.

<krb-domain-servers value="ns1.example.com:ns2.example.com" />
- Colon-delimited list of Kerberos domain controllers to use. The default of blank results in auto-discovery. If ad-domain-servers is specified, this should likely match it.
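The following script is an added example, not code from the VMware article or the product: it inserts the directives listed above into the <auth-method> element of a configuration document and checks their values against the rules the article states (only "LDAP" or "LDAPS" for ad-protocols, with the legacy "LDAP,LDAPS" treated as "LDAP"; true/false for the nested-group switches; non-negative integers for ports and the timeout; matching ad-domain-servers and krb-domain-servers). The element names come from the article; the sample configuration block, the function names and the warning texts are constructed for this example.

```python
"""Added example: render and sanity-check the advanced Active Directory
directives for the <auth-method> element. Element names and value rules come
from the article; the sample configuration and helper names are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample of the <authentication> block as the admin UI writes it.
SAMPLE_CONFIG = """<config>
<authentication>
<auth-method value="ACTIVE-DIRECTORY">
<enabled value="true" />
<ad-domain value="domain.example.com" />
<ad-username value="active directory username" />
<ad-password value="encrypted password" />
</auth-method>
</authentication>
</config>"""

AD_METHOD_PATH = "./authentication/auth-method[@value='ACTIVE-DIRECTORY']"
ALLOWED_PROTOCOLS = {"LDAP", "LDAPS"}
BOOLEAN_DIRECTIVES = {
    "ad-nested-groups",
    "ad-nested-groups-matching-chain-rule",
    "ad-nested-groups-matching-chain-rule-use-dn",
}
NUMERIC_DIRECTIVES = {"ad-ldap-port", "ad-ldaps-port", "ad-nested-groups-query-timeout"}


def normalize_protocol(value):
    """Only LDAP or LDAPS is accepted; the legacy LDAP,LDAPS is treated as LDAP."""
    proto = value.strip().upper()
    if proto == "LDAP,LDAPS":
        return "LDAP"
    if proto not in ALLOWED_PROTOCOLS:
        raise ValueError(f"ad-protocols must be LDAP or LDAPS, got {value!r}")
    return proto


def check_directives(directives):
    """Return (normalized directives, warnings); raise ValueError on invalid values."""
    normalized = dict(directives)
    warnings = []
    if "ad-protocols" in normalized:
        normalized["ad-protocols"] = normalize_protocol(normalized["ad-protocols"])
        if normalized["ad-protocols"] == "LDAP":
            # Plain LDAP sends the bind credentials in the clear; LDAPS is the safer choice.
            warnings.append("ad-protocols is LDAP: binds are unencrypted, prefer LDAPS")
    for name, value in normalized.items():
        if name in NUMERIC_DIRECTIVES and not value.isdigit():
            raise ValueError(f"{name} must be a non-negative integer, got {value!r}")
        if name in BOOLEAN_DIRECTIVES and value not in ("true", "false"):
            raise ValueError(f"{name} must be 'true' or 'false', got {value!r}")
    ad_dcs = normalized.get("ad-domain-servers", "")
    krb_dcs = normalized.get("krb-domain-servers", "")
    # Both lists are colon-delimited; the article says they should normally match.
    if ad_dcs and krb_dcs and ad_dcs.split(":") != krb_dcs.split(":"):
        warnings.append("ad-domain-servers and krb-domain-servers differ; they should match")
    return normalized, warnings


def apply_directives(config_xml, directives):
    """Insert or update directives inside <auth-method value="ACTIVE-DIRECTORY">."""
    root = ET.fromstring(config_xml)
    method = root.find(AD_METHOD_PATH)
    if method is None:
        raise ValueError("no ACTIVE-DIRECTORY auth-method found; enable AD in the UI first")
    normalized, warnings = check_directives(directives)
    for name, value in normalized.items():
        element = method.find(name)
        if element is None:
            element = ET.SubElement(method, name)
        element.set("value", value)
    return ET.tostring(root, encoding="unicode"), warnings


def read_directives(config_xml):
    """Return {element name: value} for every child of the AD auth-method."""
    root = ET.fromstring(config_xml)
    method = root.find(AD_METHOD_PATH)
    if method is None:
        raise ValueError("no ACTIVE-DIRECTORY auth-method found")
    return {child.tag: child.get("value") for child in method}


if __name__ == "__main__":
    updated, notes = apply_directives(SAMPLE_CONFIG, {
        "ad-protocols": "LDAPS",
        "ad-ldaps-port": "636",
        "ad-nested-groups": "true",
        "ad-domain-servers": "ns1.example.com:ns2.example.com",
        "krb-domain-servers": "ns1.example.com:ns2.example.com",
    })
    print(updated)
    for note in notes:
        print("warning:", note)
```

The checks are deliberately split into hard errors (a value the product would not accept) and warnings (a choice that works but weakens the setup, such as plain LDAP for the bind or domain-controller lists that disagree), so the script can be run against a configuration exported through the browser method before the edited XML is pasted back.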