OpenLDAP schemas supported in VMware vCenter Single Sign-On



Article ID: 316480


Products

VMware vCenter Server

Issue/Introduction

This article provides information on the OpenLDAP schemas supported in vCenter Single Sign-On, and on the derivatives of OpenLDAP and schemas that can be used with vCenter Single Sign-On when using an OpenLDAP identity source. It also describes the requirements for certain objectClasses and attributes, and the limitations.

For more information about Identity Sources in vSphere 8.0, see the Identity Sources for vCenter Server with vCenter Single Sign-On section of the vSphere Installation and Setup guide.

Earlier Versions

Environment

  • VMware vCenter Server 8.0.x
  • VMware vCenter Server 7.0.x
  • VMware vCenter Server 6.7.x
  • VMware vCenter Server 6.5.x
  • VMware vCenter Server Appliance 6.0.x

Resolution

Currently, vCenter Single Sign-On supports the use of OpenLDAP as an identity source only if it satisfies all of these requirements:
  • The OpenLDAP schema is RFC4519 compliant.
  • All users have an objectClass of inetOrgPerson.
  • All groups have an objectClass of groupOfUniqueNames.
  • All groups have a group membership attribute of uniqueMember.
  • All users and group objects have entryUUID configured (the objects have a unique GUID, and it should not change).

    This is required for adding users or groups from OpenLDAP to any group or role apart from vSphere.local.

    Note: In vSphere 6.0 and later, entryUUID is no longer a required attribute for OpenLDAP users to authenticate. However, it remains a requirement for adding users/groups into vsphere.local groups. Users or objects that are deleted and recreated in the LDAP tree without preserving entryUUID may be removed from vsphere.local groups.

If any of these requirements are missing or if the schema is non-compliant, the OpenLDAP identity source is unsupported with vCenter Single Sign-On.
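As an added example (not part of this KB article and not VMware's own tooling), the following script checks an LDIF export of an OpenLDAP tree against the requirements listed above before the directory is registered as an identity source: every user entry must carry objectClass inetOrgPerson, every group must be a groupOfUniqueNames with at least one uniqueMember, and every user or group must have exactly one well-formed entryUUID. The LDIF in the script is constructed sample data; a real export would come from `slapcat` (which includes operational attributes such as entryUUID) or from `ldapsearch` with entryUUID explicitly requested. The sets of objectClasses used to tell users and groups apart are an assumption for this example, not a definition from the article.

```python
"""Pre-flight check of an OpenLDAP LDIF export against the vCenter SSO
schema requirements. Example code; the classification rules are assumptions."""
import base64
import re
from typing import Dict, List

# Constructed sample LDIF: a compliant user, a user without entryUUID,
# a compliant group, and a legacy group using groupOfNames/member.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
entryUUID: 7d6f3c2e-0001-4000-8000-000000000001

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
sn: Example

dn: cn=vcadmins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: vcadmins
uniqueMember: uid=alice,ou=people,dc=example,dc=com
entryUUID: 7d6f3c2e-0002-4000-8000-000000000002

dn: cn=legacy,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: legacy
member: uid=bob,ou=people,dc=example,dc=com
entryUUID: 7d6f3c2e-0003-4000-8000-000000000003
"""

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# Assumed heuristics for "is this a user" / "is this a group" (not from the KB).
USER_CLASSES = {"inetorgperson", "organizationalperson", "person",
                "posixaccount", "account"}
GROUP_CLASSES = {"groupofuniquenames", "groupofnames", "posixgroup"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, folded lines
    start with a space, 'attr:: value' is base64. Attribute names are
    lower-cased because LDAP attribute names are case-insensitive."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]  # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    return entries


def check_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return the list of SSO requirement violations for one user/group entry."""
    problems: List[str] = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if classes & USER_CLASSES and "inetorgperson" not in classes:
        problems.append("user lacks objectClass inetOrgPerson")
    if classes & GROUP_CLASSES:
        if "groupofuniquenames" not in classes:
            problems.append("group lacks objectClass groupOfUniqueNames")
        if not entry.get("uniquemember"):
            problems.append("group has no uniqueMember attribute")
    uuids = entry.get("entryuuid", [])
    if not uuids:
        problems.append("missing entryUUID")
    elif len(uuids) != 1 or not UUID_RE.match(uuids[0]):
        problems.append("entryUUID is not a single well-formed UUID")
    return problems


def check_ldif(text: str) -> Dict[str, List[str]]:
    """Map each user/group DN to its violations; other entries (OUs, base DN)
    are out of scope for the SSO requirements and are skipped."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if not classes & (USER_CLASSES | GROUP_CLASSES):
            continue
        dn = entry.get("dn", ["<no dn>"])[0]
        report[dn] = check_entry(entry)
    return report


if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, "OK" if not problems else "; ".join(problems))
```

Any DN reported with a non-empty problem list would make the identity source unsupported under the rules above; the entryUUID check in particular is worth re-running after bulk re-imports, since recreating objects without preserving entryUUID is what silently drops them from vsphere.local groups.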

Additional Information

Cannot perform tasks requiring directory search after adding an OpenLDAP directory as an Identity Source in vCenter Single Sign-On