OpenLDAP schemas supported in VMware vCloud Director 9.x

Article ID: 341315

Products

VMware Cloud Director

Issue/Introduction

This article lists the OpenLDAP schemas supported by vCloud Director 9.x, the OpenLDAP derivatives and schemas that can be used when vCloud Director 9.x is configured with an OpenLDAP identity source, and the objectClass and attribute requirements and limitations that apply.

Environment

VMware Cloud Director for Service Provider 9.x

Resolution

Currently, vCloud Director supports the use of OpenLDAP as an identity source only if it satisfies all of these requirements:
  • The OpenLDAP schema is RFC4519 compliant
  • All users have an objectClass of inetOrgPerson
  • All groups have an objectClass of groupOfUniqueNames
  • All groups have a group membership attribute of uniqueMember
  • All users and group objects have entryUUID configured (each object has a unique, stable GUID that must not change)
Note: This is required for adding users or groups from OpenLDAP to any group or role apart from vSphere.local.
In vSphere 5.5a and later, entryUUID is no longer a required attribute for OpenLDAP users to authenticate, but it remains a requirement for adding users or groups to vsphere.local groups.
Deleting and recreating users or groups in the LDAP tree without preserving entryUUID may remove those users from vsphere.local groups.
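To check a directory against the requirements above before configuring it as an identity source, here is an added example (not VMware's code) that validates an LDIF export offline: every entry must be an inetOrgPerson user or a groupOfUniqueNames group with uniqueMember, and every entry must carry entryUUID. The sample LDIF, DNs and UUIDs are constructed, and the parser is deliberately minimal.

```python
from collections import defaultdict

# Constructed sample, shaped like ldapsearch LDIF output (entryUUID is operational, so it must be requested).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
entryUUID: 7b1e2a2c-0000-1000-8000-000000000001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: person

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=People,dc=example,dc=com
entryUUID: 7b1e2a2c-0000-1000-8000-000000000002

dn: cn=legacy,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=bob,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser (no base64 or folded lines): one dict per entry, lowercased attribute -> values."""
    entries = []
    for block in text.strip().split("\n\n"):      # entries are separated by a blank line
        entry = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip().lower()].append(value.strip())
        entries.append(dict(entry))
    return entries

def check_entry(entry):
    """Return the requirement violations for one entry (empty list == compliant)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = []
    if "groupofuniquenames" in classes:
        if "uniquemember" not in entry:           # group membership must be uniqueMember
            problems.append("group lacks the uniqueMember attribute")
    elif "inetorgperson" not in classes:          # anything that is not a group must be an inetOrgPerson user
        problems.append("objectClass is neither inetOrgPerson nor groupOfUniqueNames")
    if "entryuuid" not in entry:                  # every user and group needs a stable entryUUID
        problems.append("entryUUID missing (or not requested in the export)")
    return problems

def check_ldif(text):
    """Map each non-compliant DN to its list of violations."""
    return {e["dn"][0]: p for e in parse_ldif(text) if (p := check_entry(e))}
```

Run it against a real export taken with entryUUID requested explicitly; an empty result means every entry meets the listed requirements.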
Additional Information
Impact/Risks:
If any of these requirements are missing or if the schema is non-compliant, the OpenLDAP identity source is unsupported with vCenter Single Sign-On.