VMware vCloud Request Manager populates its users from the same Microsoft Active Directory domain that VMware vCloud Director uses. The vCloud Request Manager server should therefore be located within that domain so that it has access to it.
vCloud Request Manager Active Directory integration requires a single existing group or organizational unit within the directory that contains every user who plans to use vCloud Request Manager. For example, if all the required users reside in the Engineering organizational unit (OU), you could enter LDAP://.../OU=Engineering,dc=mydomain,dc=com for the connection string.
You need to check that the User <> Manager relationship is established in Active Directory.
Note: vCloud Request Manager does not recognize users that have been manually created as local users in vCloud Director. It only recognizes users that have been imported from the Active Directory server.
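The manager check mentioned above can be scripted before the source is configured. The following is an added example, not part of the original page or of VMware's tooling: it flags users under the OU from the connection string whose manager is missing, self-referential, or outside that OU. It assumes the relationship is stored in the standard Active Directory manager attribute and that managers must also be imported; the function name, sample users and domain controller name are constructed.

```powershell
function Test-ManagerCoverage {
    param(
        # Objects exposing DistinguishedName and Manager (as Get-ADUser returns them)
        [Parameter(Mandatory)] [object[]] $Users,
        # Base DN taken from the Request Manager connection string
        [Parameter(Mandatory)] [string] $SearchBase
    )
    $suffix = ',' + $SearchBase
    foreach ($u in $Users) {
        $issue = $null
        if ([string]::IsNullOrWhiteSpace($u.Manager)) {
            # May be legitimate for the top of the hierarchy; review by hand
            $issue = 'NoManager'
        }
        elseif ($u.Manager -eq $u.DistinguishedName) {
            $issue = 'SelfManaged'
        }
        elseif (-not $u.Manager.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            # Assumption: a manager outside the base DN is not imported by the source
            $issue = 'ManagerOutsideSearchBase'
        }
        if ($issue) {
            [pscustomobject]@{
                User    = $u.DistinguishedName
                Manager = $u.Manager
                Issue   = $issue
            }
        }
    }
}

# Constructed sample data so the function can be tried without a directory
$base = 'OU=Engineering,dc=mydomain,dc=com'
$sample = @(
    [pscustomobject]@{ DistinguishedName = "CN=Alice Example,$base"; Manager = "CN=Carol Example,$base" }
    [pscustomobject]@{ DistinguishedName = "CN=Bob Example,$base"; Manager = $null }
    [pscustomobject]@{ DistinguishedName = "CN=Carol Example,$base"; Manager = 'CN=Dan Example,OU=Executives,dc=mydomain,dc=com' }
)
Test-ManagerCoverage -Users $sample -SearchBase $base | Format-Table -AutoSize

# Against a live directory (requires the ActiveDirectory module; the domain
# controller name is a placeholder for the one named in the connection string):
# $live = Get-ADUser -Server 'dc01.mydomain.com' -SearchBase $base `
#             -Filter 'Enabled -eq $true' -Properties Manager
# Test-ManagerCoverage -Users $live -SearchBase $base
```

The check covers the OU form of the connection string only; a source scoped to a group would need the group's members enumerated instead.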
Ensure that you meet these prerequisites for configuring Active Directory for vCloud Request Manager:
- You have vCloud Administrator privileges
- vCloud Request Manager has access to the Active Directory source
- vCloud Request Manager is connected to a specific domain controller, not just a domain
During the installation of vCloud Request Manager, you created an Active Directory source. You can use the vCloud Request Manager Admin Portal to reconfigure your Active Directory settings.
To configure Active Directory:
- Log in to the Request Manager Admin Portal.
- Click Integration.
- Click Sources on the Main tab in the left explorer panel.
- Select Active Directory and click the Select External Source button.
- Enter or modify the settings for the Active Directory source.
  - Type a name to identify the Active Directory source.
  - Select a status for the source.
    - Select Active to use the source throughout Request Manager.
    - Select Inactive to disable the source throughout Request Manager.
  - Type the full LDAP server path of the Active Directory server. This must include the protocol, server, and root naming context and can optionally include a port number or a group of users. For example:
    - LDAP://myldapserver.mydomain.com:port/OU=mygroup/dc=mydomain,dc=com
    - LDAP://dc=mydomain,dc=com/

    Note: You must use capital letters for the LDAP prefix. For LDAP over SSL, type LDAP:// for the server path and choose SSL.
  - Type the user DN/ID. This is the Windows account used to connect to the Active Directory server. You can type the user principal name (for example, login@domain) or the flat domain name (for example, domain\user). If you do not provide a User DN/ID, the connector uses the credentials of the executing accounts, in this case the Web server and Integration service. Ensure that both of these accounts have appropriate rights.
  - Type the password used to authenticate the user.
  - If the connection string provides a specific server, select Server Bind for optimal performance. Do not select this option for serverless connection strings.
  - If the connection to Active Directory uses SSL, select SSL. To use SSL, the Active Directory security certificate must be installed in the Trusted Root Certification Authorities > Local Computer folder.
  - Select Kerberos/NTLM to use Kerberos/NTLM to authenticate the connection.
  - Type the NT Domain Name of the Active Directory Server.
  - Select Authenticate Imported People against Source to authenticate users logging into the Request Manager User Portal with their Active Directory credentials. This option uses AD credentials and not the credentials defined within Request Manager.
- Click Test.
- Click Save.