How to configure vCloud Usage Meter 4.4 LDAP Authentication


Article ID: 322104


Updated On:


VMware Aria Suite


The following is a sample configuration for setting up LDAP authentication with Usage Meter.


VMware vCloud Usage Meter 4.x



  1. A configured LDAP server.


Below is a sample configuration for LDAP user authentication with Usage Meter.

  1. Replace the contents of /etc/nslcd.conf with information from your environment. See the example below:
root@photon-machine [ /etc ]# cat /etc/nslcd.conf
uid nslcd
gid ldap

uri ldap://xxx.lab
base dc=xxx,dc=lab
binddn CN=service,CN=Users,DC=xxx,DC=lab
bindpw <PASSWORD>

pagesize 1000
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)
  1. Configure the nsswitch.conf in the following way:

    cat /etc/nsswitch.conf
hosts: files resolve dns
networks: files

protocols: files
services: files
ethers: files
rpc: files
passwd: files ldap
group: files ldap
shadow: files ldap
  1. Configure the system-auth file in the following way:
cat /etc/pam.d/system-auth
# Begin /etc/pam.d/system-auth
auth    required
auth    required onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog
auth    sufficient
auth    required
auth    optional delay=4000000
  1. Configure the system-account file in the following way:
    cat /etc/pam.d/system-account
# Begin /etc/pam.d/system-account
account    sufficient
account    required file=/var/log/tallylog
account    required
# End /etc/pam.d/system-account
  1. Configure the system-password file in the following way:
    cat /etc/pam.d/system-password
# Begin /etc/pam.d/system-password
password    sufficient try_first_pass
password    requisite     minlen=10 minclass=4 difok=4 maxsequence=0 retry=3 enforce_for_root
password    requisite    retry=3 remember=5 enforce_for_root
password    required         sha512 shadow use_authtok
# End /etc/pam.d/system-password
  1. Configure the system-session file in the following way:
    cat /etc/pam.d/system-session
# Begin /etc/pam.d/system-session
session   required
session   required
session   optional
session   optional showfailed
session   optional
session   optional
# End /etc/pam.d/system-session
  1. Configure the vmware-um-pam file in the following way:
cat /etc/pam.d/vmware-um-pam
auth       sufficient /lib64/security/
auth       required   /lib64/security/
account    sufficient /lib64/security/
account    required   /lib64/security/
  1. The below attributes must exist on the LDAP server for the user who will log into Usage Meter 4.4:
uid           sAMAccountName
uidNumber     objectSid:<yourValue>
gidNumber     primaryGroupID
homeDirectory "/home/$sAMAccountName"
gecos         displayName
loginShell    "/bin/bash"


  • uid must be unique for the user and should not be associated with any existing user in the Usage Meter appliance. See getent passwd for the full list of used uids.
  • gid must exist in the Usage Meter appliance before configuring the LDAP authentication. Use it to control what kind of privileges you want to give to the user. In most cases, use the usagemeter gid 1002.

Note: Making changes to /etc/pam.d generally needs a reboot to take effect. Once the above config is in place, reboot the appliance and try logging in.

Note: If you move the original config files and create new files, please ensure the permissions of the files are correct.
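
The points above (file permissions, ldap sources in nsswitch.conf, an unused uid and an existing gid) can be checked before the reboot. The script below is an added example, not part of the original article; its function names and the script name are hypothetical, and the values test, 5000 and 1002 are the ones shown in this article's getent output.

```shell
#!/bin/sh
# Added example: pre-reboot checks for the LDAP setup (function names are hypothetical).

# nslcd.conf holds bindpw in clear text, so "other" must have no access to it.
check_nslcd_perms() {   # $1 = path to nslcd.conf
    other=$(ls -ld "$1" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "FAIL: $1 is accessible to all local users (other=$other)"
        return 1
    fi
}

# passwd, group and shadow must each be on their own line and list "ldap".
check_nsswitch() {      # $1 = path to nsswitch.conf
    rc=0
    for db in passwd group shadow; do
        if ! grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|\$)" "$1"; then
            echo "FAIL: '$db' in $1 has no ldap source"
            rc=1
        fi
    done
    return $rc
}

# The LDAP login and uidNumber must be unused locally; the gidNumber must exist.
# $1=login  $2=uidNumber  $3=gidNumber  $4=local passwd file  $5=local group file
check_ids() {
    rc=0
    if awk -F: -v n="$1" -v u="$2" '$1==n || $3==u {f=1} END{exit !f}' "$4"; then
        echo "FAIL: login $1 or uid $2 already belongs to a local account"
        rc=1
    fi
    if ! awk -F: -v g="$3" '$3==g {f=1} END{exit !f}' "$5"; then
        echo "FAIL: gid $3 does not exist on the appliance"
        rc=1
    fi
    return $rc
}

# On the appliance: sh ldap-precheck.sh test 5000 1002   (script name is hypothetical)
if [ $# -eq 3 ]; then
    check_nslcd_perms /etc/nslcd.conf
    check_nsswitch /etc/nsswitch.conf
    check_ids "$1" "$2" "$3" /etc/passwd /etc/group
fi
```

The id check reads the local /etc/passwd and /etc/group files rather than getent, because getent also returns LDAP entries once nsswitch.conf lists ldap.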

If the configuration is correct, then after the user attempts to log in to the Usage Meter web application, you should see the same domain user mapped in the getent passwd output.

root@photon-machine [ /etc ]# getent passwd
daemon:x:6:6:Daemon User:/dev/null:/bin/false
messagebus:x:18:18:D-Bus Message Daemon User:/var/run/dbus:/bin/false
systemd-bus-proxy:x:72:72:systemd Bus Proxy:/:/bin/false
systemd-journal-gateway:x:73:73:systemd Journal Gateway:/:/bin/false
systemd-journal-remote:x:74:74:systemd Journal Remote:/:/bin/false
systemd-journal-upload:x:75:75:systemd Journal Upload:/:/bin/false
systemd-network:x:76:76:systemd Network Management:/:/bin/false
systemd-resolve:x:77:77:systemd Resolver:/:/bin/false
systemd-timesync:x:78:78:systemd Time Synchronization:/:/bin/false
nobody:x:65534:65533:Unprivileged User:/dev/null:/bin/false
sshd:x:50:50:sshd PrivSep:/var/lib/sshd:/bin/false
polkitd:x:27:1000:PolicyKit Daemon Owner:/etc/polkit-1:/bin/false
nslcd:x:998:998:nslcd ldap user:/:/usr/sbin/nologin
ntp:x:87:87:Network Time Protocol:/var/lib/ntp:/bin/false
test:*:5000:1002:test:/home/test:/bin/bash                         <---------this is the domain user