Custom Active Directory configuration for VMware Aria Operations for Logs

Article ID: 315989


Products

VMware Aria Suite

Issue/Introduction

This article provides guidance for customizing advanced options for Active Directory integration in VMware Aria Operations for Logs beyond what is available in the administrative user interface.

VMware Aria Operations for Logs supports integration with Active Directory for authentication. The administrative user interface provides settings for the Default Binding domain, a username and password, and whether it requires SSL.

Environment

VMware Aria Operations for Logs 8.x

Resolution

Specify advanced Active Directory configuration directives in XML form using one of the methods described in Changing internal configuration options in VMware Aria Operations for Logs (341917). You must use the web browser method to edit this configuration.

  1. Find or create the <authentication> tag. If Active Directory integration was enabled in the administration interface, it appears similar to:

    <authentication>
      <auth-method value="ACTIVE-DIRECTORY">
        <enabled value="true" />
        <ad-domain value="domain.example.com" />
        <ad-username value="active directory username" />
        <ad-password value="encrypted password" />
      </auth-method>
    </authentication>

     
  2. Optionally add or modify additional configuration options inside the <auth-method> tag:
     
    • <ad-protocols value="LDAP,LDAPS" /> - Protocol used for connections. This option accepts a single value, either "LDAP" or "LDAPS"; the old "LDAP,LDAPS" value is treated the same as "LDAP". Previously, protocols were tried in the order specified, so a failed LDAP connection attempt fell back to LDAPS; now a connection is attempted only with the specified protocol.
    • <ad-ldap-port value="389" /> - Default port used for connections. Common choices are 389 (LDAP) or 3269 (Global Catalog). The default of 0 uses the port number returned from the DNS lookup. This can always be overridden by the new "ad-port" option.
    • <ad-ldaps-port value="636" /> - Default port used for SSL connections. Common choices are 636 (LDAPS) or 3269 (Global Catalog). The default of 0 uses the port number returned from the DNS lookup. This can always be overridden by the new "ad-port" option.
       
    • <ad-search-base value="cn=configuration,dn=adtest,dn=local" /> - Custom search base used for Active Directory configuration partition. Default of blank will search the entire domain.
       
    • <ad-user-search-base value="cn=Users,dn=adtest,dn=local" /> - Custom search base used for User queries. Users outside this search base cannot be added in Users administration interface. Default of blank will search the entire domain.
       
    • <ad-group-search-base value="cn=Groups,dn=adtest,dn=local" /> - Custom search base used for Group queries. Groups outside this search base cannot be added in the Users administration interface. Default of blank will search the entire domain.
       
    • <ad-domain-servers value="ns1.example.com:ns2.example.com" /> - Colon-delimited list of domain controllers that will be used. The default of blank results in auto-discovery. If krb-domain-servers is specified, this should likely match.
       
    • <krb-domain-servers value="ns1.example.com:ns2.example.com" /> - Colon-delimited list of Kerberos domain controllers that will be used. The default of blank results in auto-discovery. If ad-domain-servers is specified, this should likely match.
       
  3. Restart the Log Insight service on all the nodes in the cluster for the configuration change to take effect:

    service loginsight restart
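The three steps above are easy to get subtly wrong by hand (a comma where a colon is expected, or an ad-protocols value that silently means plaintext LDAP). The following Python script is an added example, not VMware code: it takes an <authentication> fragment in the shape the article shows, sets the documented advanced options inside the <auth-method> element, and then lints the result against the rules the article states. The sample fragment, the chosen option values (dc= search bases, dc1/dc2 domain controller names) and the lint rules themselves are constructed for this example; the option names and semantics come from the article.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape the article shows for a UI-enabled
# integration (placeholder values only, not a real configuration).
SAMPLE_CONFIG = """<authentication>
  <auth-method value="ACTIVE-DIRECTORY">
    <enabled value="true" />
    <ad-domain value="domain.example.com" />
    <ad-username value="active directory username" />
    <ad-password value="encrypted password" />
  </auth-method>
</authentication>"""

# Option names are the ones the article documents; the values are
# assumptions chosen for this example.
DESIRED_OPTIONS = {
    "ad-protocols": "LDAPS",
    "ad-ldaps-port": "636",
    "ad-user-search-base": "cn=Users,dc=adtest,dc=local",
    "ad-group-search-base": "cn=Groups,dc=adtest,dc=local",
    "ad-domain-servers": "dc1.example.com:dc2.example.com",
    "krb-domain-servers": "dc1.example.com:dc2.example.com",
}

VALID_PROTOCOLS = {"LDAP", "LDAPS", "LDAP,LDAPS"}
PORT_OPTIONS = ("ad-ldap-port", "ad-ldaps-port")
SERVER_LIST_OPTIONS = ("ad-domain-servers", "krb-domain-servers")


def _ad_method(root):
    """Return the ACTIVE-DIRECTORY <auth-method> element, or None."""
    for method in root.iter("auth-method"):
        if method.get("value") == "ACTIVE-DIRECTORY":
            return method
    return None


def apply_options(xml_text, options):
    """Set each option as <name value="..."/> inside the AD <auth-method>.

    Existing elements are updated in place; missing ones are appended,
    so running this twice does not duplicate elements.
    """
    root = ET.fromstring(xml_text)
    method = _ad_method(root)
    if method is None:
        raise ValueError('no <auth-method value="ACTIVE-DIRECTORY"> found')
    for name, value in options.items():
        elem = method.find(name)
        if elem is None:
            elem = ET.SubElement(method, name)
        elem.set("value", value)
    return ET.tostring(root, encoding="unicode")


def _value(method, name):
    elem = method.find(name)
    return None if elem is None else elem.get("value", "")


def lint(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    method = _ad_method(ET.fromstring(xml_text))
    if method is None:
        return ["no ACTIVE-DIRECTORY auth-method present"]

    proto = _value(method, "ad-protocols")
    if proto is not None:
        if proto not in VALID_PROTOCOLS:
            findings.append(f"ad-protocols: unsupported value {proto!r}")
        elif proto != "LDAPS":
            # Per the article, "LDAP,LDAPS" is treated as "LDAP" and there is
            # no fallback to LDAPS any more, so this is unencrypted LDAP only.
            findings.append(f"ad-protocols: {proto!r} means unencrypted LDAP only")

    for name in PORT_OPTIONS:
        port = _value(method, name)
        if port is not None and not (port.isdigit() and 0 <= int(port) <= 65535):
            findings.append(f"{name}: {port!r} is not a port number")

    servers = {}
    for name in SERVER_LIST_OPTIONS:
        raw = _value(method, name)
        if not raw:
            continue  # blank means auto-discovery, which the article allows
        if "," in raw:
            findings.append(f"{name}: use ':' not ',' to separate servers")
        servers[name] = set(raw.split(":"))
    # The article says the two lists should "likely match" when both are set.
    if len(servers) == 2 and servers["ad-domain-servers"] != servers["krb-domain-servers"]:
        findings.append("ad-domain-servers and krb-domain-servers differ")

    return findings


if __name__ == "__main__":
    updated = apply_options(SAMPLE_CONFIG, DESIRED_OPTIONS)
    print(updated)
    for finding in lint(updated):
        print("finding:", finding)
```

Paste the printed fragment back through the web browser method the article references, then restart the service on every node as in step 3. The lint deliberately flags "LDAP" and "LDAP,LDAPS" because, under the behaviour described above, both mean directory traffic (including the bind credentials) travels unencrypted.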



Additional Information