ESXi hosts cannot use OpenLDAP for direct authentication

Article ID: 398262

Updated On: 05-20-2025

Products

VMware vSphere ESXi

Issue/Introduction

When attempting to configure ESXi hosts to use OpenLDAP for authentication, you will find no option to integrate with any directory service other than Microsoft Active Directory. This limitation occurs in all modern ESXi versions when trying to set up centralized authentication for host access. As a result, organizations using OpenLDAP or other non-AD directory services cannot directly authenticate users against ESXi hosts, requiring alternative approaches for user management.

Unlike vCenter Server, which can integrate with multiple directory services including OpenLDAP through its Single Sign-On (SSO) service, ESXi hosts themselves are limited to Active Directory integration only. This architectural limitation has existed since the service console was removed after ESX 4.x, eliminating previous generic LDAP capabilities that were once available.

The absence of OpenLDAP integration options affects both host-level SSH access and direct access through the ESXi Host Client, potentially complicating user management in environments that don't use Active Directory.

Environment

Seen in:

  • ESXi 6.0 through ESXi 8.0, both standalone and vCenter-managed deployments
  • vSphere 6.5 through vSphere 8.0 environments with OpenLDAP directory services
  • Environments attempting to configure direct host authentication against non-Active Directory LDAP services
  • All deployment types including standard clusters, vSAN clusters, and standalone hosts
  • Both Windows-based and Appliance-based vCenter Server deployments with external identity sources

Note: This limitation has existed since the removal of the service console after ESX 4.x and applies to all modern ESXi versions regardless of hardware platform.

Cause

The ESXi host authentication subsystem is specifically designed to support only Microsoft Active Directory as an external directory service. VMware implemented this architectural design decision after removing the service console in versions following ESX 4.x.

ESXi's authentication mechanism uses Pluggable Authentication Modules (PAM) configured for Active Directory protocols. ESXi does not include components to interpret generic LDAP schemas from OpenLDAP or other non-Microsoft directory services.

This limitation exists at the host level only. At the vCenter Server layer, the Single Sign-On (SSO) service uses a different authentication architecture that includes support for multiple directory services including OpenLDAP.

Resolution

Since ESXi hosts can only directly integrate with Microsoft Active Directory, you must implement one of the following workarounds to authenticate users from an OpenLDAP directory.

Workaround 1: Centralize Authentication at vCenter SSO Level

  1. Log in to the vSphere Client as an administrator.
  2. Navigate to Administration > Single Sign-On > Configuration.
  3. Select the Identity Sources tab.
  4. Click the + icon to add a new identity source.
  5. Select OpenLDAP as the identity source type.
  6. Enter your OpenLDAP server details:
    • Base DN: dc=example,dc=com (replace with your domain structure)
    • Domain name: your domain name
    • Server URL: ldap://server.example.com:389 or ldaps://server.example.com:636 for secure connections
    • Username: DN of bind account with permission to search the directory
    • Password: bind account password
  7. Click Test Connection to verify connectivity.
  8. Click OK to add the identity source.
  9. Navigate to Administration > Access Control > Roles to create roles with appropriate ESXi host permission sets.
  10. Assign these roles to users or groups from your OpenLDAP directory at the appropriate inventory level.

This approach requires users to authenticate through vCenter rather than directly to ESXi hosts, but provides centralized management of OpenLDAP permissions across your infrastructure.
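Steps 9 and 10 can also be scripted once the identity source exists. The following PowerCLI script is an added example, not part of the KB article: it assumes an OpenLDAP identity source whose domain name is example.com, a group named esxi-operators in that directory, and a PowerCLI session connected to vCenter as an SSO administrator; the role name and privilege selection are illustrative.

```powershell
# Added example (not from the KB): grant an OpenLDAP group a host-scoped role in vCenter.
# Assumes the OpenLDAP identity source 'example.com' already exists (Workaround 1, steps 1-8)
# and that PowerCLI is connected to vCenter with an SSO administrator account.
$domain    = 'example.com'            # assumed domain name entered for the identity source
$groupName = "$domain\esxi-operators" # assumed group in the OpenLDAP directory
$roleName  = 'ESXi Host Operator'     # assumed role name

# Host-level privileges for the role. System.* privileges are always part of a role;
# the Host.Config.* ones limit the group to maintenance, power and settings tasks.
$privIds = @('System.Anonymous', 'System.Read', 'System.View',
             'Host.Config.Maintenance', 'Host.Config.Power', 'Host.Config.Settings')
$privs = Get-VIPrivilege -Id $privIds

# Create the role only if it is missing, so the script can be re-run safely.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privs
}

# Assign the role to the OpenLDAP group on each datacenter and propagate it to the hosts.
foreach ($dc in Get-Datacenter) {
    $existing = Get-VIPermission -Entity $dc -Principal $groupName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VIPermission -Entity $dc -Principal $groupName -Role $role -Propagate $true | Out-Null
    }
}

# Verify: list every permission the group holds, including where it was inherited from.
Get-VIPermission -Principal $groupName |
    Select-Object Entity, Role, Propagate, IsGroup |
    Format-Table -AutoSize
```

Users in the group still log in through the vSphere Client or PowerCLI against vCenter; the permission grants them rights on the hosts but does not enable direct host login.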

Workaround 2: Use AD-Compatible Directory Services

  1. Deploy a directory service compatible with Active Directory protocols, such as:
    • Samba Active Directory
    • FreeIPA with AD trust configuration
    • 389 Directory Server with AD compatibility layer
  2. Configure the directory service to present as an Active Directory domain controller.
  3. Log in to the ESXi host's management interface.
  4. Navigate to Manage > Security & Users > Authentication.
  5. Select Join Domain.
  6. Enter the domain information:
    • Domain: your AD-compatible domain name
    • Domain Username: administrative account
    • Domain Password: account password
  7. Click Join Domain.
  8. Verify the join operation completed successfully.
  9. Test authentication with an account from your directory service.

This approach allows direct ESXi authentication but requires additional configuration to make OpenLDAP appear as Active Directory.
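Steps 3 through 9 can be applied to every host from PowerCLI instead of one host at a time. This script is an added example, not part of the KB article: it assumes the AD-compatible domain is corp.example.com, that an account allowed to join computers to it is available, and that a PowerCLI session is connected to vCenter.

```powershell
# Added example (not from the KB): join each host to the AD-compatible domain and verify it.
# Assumes PowerCLI is connected to vCenter and that 'corp.example.com' is served by an
# AD-compatible directory (for example Samba AD) as prepared in Workaround 2, steps 1-2.
$domain   = 'corp.example.com'   # assumed AD-compatible domain name
$joinCred = Get-Credential -Message "Account allowed to join computers to $domain"

foreach ($esxhost in Get-VMHost) {
    $auth = Get-VMHostAuthentication -VMHost $esxhost
    if ($auth.Domain -eq $domain -and $auth.DomainMembershipStatus -eq 'Ok') {
        Write-Host "$($esxhost.Name): already joined to $domain"
        continue
    }
    # Set-VMHostAuthentication with -JoinDomain performs the same join as the Host Client.
    $auth | Set-VMHostAuthentication -Domain $domain -JoinDomain -Credential $joinCred `
        -Confirm:$false | Out-Null
}

# Step 8: report membership status so a failed join (DNS, time skew, trust) is visible.
Get-VMHost | Get-VMHostAuthentication |
    Select-Object VMHost, Domain, DomainMembershipStatus, TrustedDomains |
    Format-Table -AutoSize

# Step 9: test a direct host login with a directory account. The account must already hold
# a permission on the host (by default through the domain's "ESX Admins" group).
$testCred = Get-Credential -Message "Directory user to test (DOMAIN\user)"
$firstHost = (Get-VMHost | Select-Object -First 1).Name
$hostConn = Connect-VIServer -Server $firstHost -Credential $testCred
Write-Host "Direct login to $firstHost as $($testCred.UserName) succeeded"
Disconnect-VIServer -Server $hostConn -Confirm:$false
```

A DomainMembershipStatus other than Ok after the join means the host cannot reach or trust the directory, and domain logins will fail until that is fixed.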

Workaround 3: Use Local ESXi Accounts with Automation

  1. Create a standard user account template for ESXi hosts.
  2. For each ESXi host in your environment:
    • Log in to the ESXi host's management interface.
    • Navigate to Manage > Security & Users > Users.
    • Create local accounts with appropriate permissions.
  3. To manage these accounts at scale, consider one of the following automation approaches:
    • Use Host Profiles to standardize user configurations.
    • Create PowerCLI scripts to apply consistent account settings:
      # Example PowerCLI script to add a local user to each host. New-VMHostAccount
      # only works on a direct connection to an ESXi host, not through vCenter.
      $rootCred = Get-Credential -Message "ESXi root credentials"
      $password = Read-Host -Prompt "Password for the new account"
      foreach ($esxhost in Get-VMHost) {
          $conn = Connect-VIServer -Server $esxhost.Name -Credential $rootCred
          New-VMHostAccount -Id username -Password $password -UserAccount -Server $conn
          Disconnect-VIServer -Server $conn -Confirm:$false
      }
    • Use vSphere APIs to programmatically manage local users.
  4. Implement a password rotation policy and procedure for local account management.

This approach works for environments where the number of ESXi hosts is manageable and centralized authentication is not a strict requirement.

Additional Information

For more information about ESXi authentication options and limitations, see the following resources:

Official Documentation

For more information, see:

VMware removed the ability to use generic LDAP servers (including OpenLDAP) directly with ESXi hosts when it eliminated the service console after ESX 4.x. Earlier versions of ESX with the service console did have limited support for non-AD LDAP integration.

Alternative Authentication Methods

In addition to the workarounds detailed in the Resolution section, consider these supplementary approaches:

  1. For environments with strict compliance requirements, implement a federated identity solution where ESXi hosts authenticate to AD while AD maintains a trust relationship with your OpenLDAP directory.

  2. For environments where ESXi SSH access is critical, consider implementing a privileged access management (PAM) solution that provides just-in-time SSH access using local accounts rather than attempting to integrate directly with OpenLDAP.

  3. If you must maintain separate authentication systems, consider the vSphere Authentication Proxy service which can facilitate Active Directory authentication without directly exposing domain credentials to each ESXi host.

For more information, see vSphere Authentication Proxy, which explains how to use the authentication proxy with ESXi hosts and Active Directory.