Convert existing Log Insight users' identity source from Active Directory to VMware Identity Manager in vRealize Log Insight
Article ID: 343199

Products

VMware Aria Suite

Issue/Introduction

VMware vRealize Log Insight supports integration with VMware Identity Manager (VIDM), which provides single sign-on for multiple identity sources, including Active Directory. It is recommended to migrate user accounts to VMware Identity Manager.

Each user account in Log Insight has a unique identity associated with their saved fields, dashboards, alerts and other saved content. If two identity providers are present and a person authenticates with both, they may have two independent sets of saved content.

This article provides steps to convert existing Log Insight users' identity source from Active Directory to VMware Identity Manager.

 

Environment

VMware vRealize Log Insight 4.7.x
VMware vRealize Log Insight 4.8.x
VMware vRealize Log Insight 8.x
VMware vRealize Log Insight 8.1.x

Resolution

Note: Only lowercase users are supported for migration from AD to vIDM.

To convert Active Directory users to VMware Identity Manager users in vRealize Log Insight:

Prerequisites

  • You have enabled the Active Directory (AD) integration features in Log Insight.
  • You have enabled the VMware Identity Manager (vIDM) integration features in Log Insight.
  • Your VMware Identity Manager instance integrates with the same Active Directory instance that is currently used by Log Insight.

Procedure

  1. Open a console or SSH session to one of the vRealize Log Insight cluster members and authenticate as root.
     
  2. Run the command:

    /opt/vmware/bin/li-convert-ad2vidm.sh

    The output contains a list of vRealize Log Insight Roles.
     
  3. Identify one of the roles to be converted. The selected role will apply to all users belonging to Active Directory groups which have been granted access to the vRealize Log Insight cluster.

    The output contains a table with these headings:

    • id - The identifier for the Role.
    • directory_groups - The Active Directory groups currently assigned the Role.
    • name - The friendly name associated with the Role, as shown in the UI.
    • capabilities - The capabilities granted by the Role.
       
  4. Run the command again, specifying one of the role ids from step 3:

    /opt/vmware/bin/li-convert-ad2vidm.sh id

    For example, to assign the Users role to all AD users:

    /opt/vmware/bin/li-convert-ad2vidm.sh 00000000-0000-0000-0000-000000000002

    The output will describe the outcome of the conversion. Duplicate users may need to be handled manually.
     
  5. Repeat steps 3 and 4 for each role to be converted.
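The note that only lowercase users are supported can be checked before the conversion is run. The following is an added example, not part of this article or of li-convert-ad2vidm.sh: it assumes a list of account names you exported yourself (one per line, with example.local as a placeholder domain) and flags names that contain uppercase letters as well as names that differ only by case.

```shell
#!/bin/sh
# Added example; not part of the KB article or of li-convert-ad2vidm.sh.
# Assumption: the input is a list you exported yourself, one account
# name per line. "Lowercase user" is read here as "no uppercase letters".

# Constructed sample data (example.local is a placeholder domain).
sample_accounts() {
    cat <<'EOF'
# exported account names
jsmith@example.local
JSmith@example.local
mlee@example.local
ADMIN-ops@example.local
EOF
}

# Reads account names from the files given as arguments, or from stdin.
# Prints one finding per line and returns 1 if anything needs review.
precheck_accounts() {
    awk '
        /^[ \t]*$/ { next }                  # skip blank lines
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            name = $1
            key = tolower(name)
            if (name != key) {               # name contains uppercase letters
                print "MIXEDCASE " name
                bad = 1
            }
            if (!((key, name) in spelled)) { # first time this exact spelling appears
                spelled[key, name] = 1
                if (!(key in variants)) { order[++n] = key; variants[key] = name }
                else variants[key] = variants[key] "," name
                distinct[key]++
            }
        }
        END {
            # Report names that differ only by case, in first-seen order.
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (distinct[k] > 1) { print "COLLISION " k " " variants[k]; bad = 1 }
            }
            exit (bad ? 1 : 0)
        }
    ' "$@"
}

sample_accounts | precheck_accounts || echo "Review the accounts listed above before converting."
```

Accounts reported as MIXEDCASE or COLLISION are candidates for the manual handling mentioned in step 4.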



Additional Information

For more information about VMware Identity Manager and Log Insight, see https://blogs.vmware.com/management/2017/06/vidm-log-insight.html published 2017-06-20.

Impact/Risks:

This migration solution is limited to altering 500,000 vRealize Log Insight users. For larger scale, please contact Broadcom Support.