Limitations of choosing Global Catalog in AD/LDAP in VCF SSO

Article ID: 386869


Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

  • In VCF 9.0 SSO, customers can choose to integrate their Active Directory with VCF Identity Broker.
  • As part of this, there is an option to connect the Identity Broker to Active Directory's 'Global Catalog'.
  • A global catalog is a partial, read-only replica of every object in every domain of a single forest: it holds only the attributes in the partial attribute set and is queried on TCP port 3268 (3269 for LDAPS) instead of 389/636. Integrating with a global catalog has known limitations, described below.

Environment

VCF 9.0

Resolution

Some of the limitations with selecting the global catalog option include:
  • The Active Directory object attributes that are replicated to the global catalog are identified in the Active Directory schema as the partial attribute set (PAS). Only these attributes are available for attribute mapping by the service. If necessary, edit the schema to add or remove attributes that are stored in the global catalog.
  • The global catalog stores the group membership (the member attribute) of universal groups only. Only universal groups are synced to the service. If necessary, change the scope of a group from domain local or global to universal.
  • The bind DN account that you define when configuring a directory in the service must have permission to read the Token-Groups-Global-And-Universal (TGGAU) attribute. This is a constructed attribute (LDAP name tokenGroupsGlobalAndUniversal) that returns the SIDs of the global and universal groups a user belongs to, so the bind account needs explicit read permission on it; membership in the built-in Windows Authorization Access Group grants that permission.
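
The following PowerShell script is an added pre-flight check for the three limitations above; it is not part of this article and not VMware code. It assumes the ActiveDirectory RSAT module on a domain-joined Windows host, and the OU path, user DN and list of mapped attributes are placeholders to be replaced with your own.

```powershell
# Added example (not from the KB): check the three Global Catalog limitations
# before pointing the VCF Identity Broker at a GC.
# Assumptions: ActiveDirectory RSAT module, domain-joined host, placeholder OU/DN/attribute names.
Import-Module ActiveDirectory

# --- 1. Partial attribute set (PAS): only these attributes are replicated to the GC ---
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pas = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName |
       Select-Object -ExpandProperty lDAPDisplayName

# Attributes you intend to map in the Identity Broker directory config (assumed list).
$mapped  = 'sAMAccountName','userPrincipalName','mail','givenName','sn','displayName','objectGUID','employeeID'
$missing = $mapped | Where-Object { $_ -notin $pas }
if ($missing) {
    Write-Warning "Not in the partial attribute set, cannot be mapped via the GC: $($missing -join ', ')"
    # Remediation (Schema Admins, forest-wide, done on the schema master), e.g. for employeeID:
    # Set-ADObject -Identity "CN=Employee-ID,$schemaNC" -Replace @{isMemberOfPartialAttributeSet=$true}
}

# --- 2. Group scope: the GC only carries 'member' for universal groups ---------------
$groupOU = 'OU=VCF-Access,DC=corp,DC=example'   # assumed OU holding the groups you will sync
$nonUniversal = Get-ADGroup -Filter 'GroupScope -ne "Universal"' -SearchBase $groupOU |
                Select-Object Name, GroupScope, DistinguishedName
if ($nonUniversal) {
    Write-Warning "Groups that will not sync via the GC (not universal):"
    $nonUniversal | Format-Table -AutoSize
    # Remediation: domain local groups must not nest other domain local groups, and global
    # groups must not be members of another global group, or the scope change is refused.
    # $nonUniversal | ForEach-Object { Set-ADGroup -Identity $_.DistinguishedName -GroupScope Universal }
}

# --- 3. Bind account must be able to read tokenGroupsGlobalAndUniversal -------------
# Binds to the GC port (3268) as the bind account and asks for the constructed attribute.
# Pass the account as UPN or DOMAIN\user: DirectoryEntry uses Negotiate by default, and
# what is being tested is the read permission, not the bind form the broker will use.
function Test-TggauRead {
    param(
        [Parameter(Mandatory)][string]$GlobalCatalog,   # e.g. gc01.corp.example
        [Parameter(Mandatory)][string]$UserDn,          # a user the broker will look up
        [Parameter(Mandatory)][pscredential]$BindCred   # the Identity Broker bind account
    )
    $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
        -ArgumentList "LDAP://$GlobalCatalog`:3268/$UserDn",
                      $BindCred.UserName, $BindCred.GetNetworkCredential().Password
    try {
        # Constructed attributes are only returned when requested explicitly.
        $entry.RefreshCache(@('tokenGroupsGlobalAndUniversal'))
        $sids = foreach ($bytes in $entry.Properties['tokenGroupsGlobalAndUniversal']) {
            (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
        [pscustomobject]@{ Readable = (@($sids).Count -gt 0); GroupSids = @($sids) }
    } catch {
        # Usually an insufficient-access error: grant the bind account read permission on
        # tokenGroupsGlobalAndUniversal (e.g. add it to 'Windows Authorization Access Group')
        # and re-run this test.
        [pscustomobject]@{ Readable = $false; Error = $_.Exception.Message }
    } finally {
        $entry.Dispose()
    }
}

$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName
Test-TggauRead -GlobalCatalog $gc `
               -UserDn 'CN=Jane Doe,OU=Users,DC=corp,DC=example' `
               -BindCred (Get-Credential -Message 'Identity Broker bind account')
```

Run the script as a schema-reading domain user (the first two checks) and supply the actual bind account's credentials at the prompt for the third; a result of Readable = True with a non-empty SID list means the broker will be able to resolve group membership through the global catalog for that user.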