LDAP Integration in VMware Data Services Manager
I had a recent question about integrating VMware Data Services Manager with Microsoft Active Directory for users. This is indeed possible. In this post, I will demonstrate how Organization Admins and Organization Users can be integrated as Active Directory users, and subsequently granted access to Data Services Manager. This is achieved by configuring the LDAP settings in DSM to communicate with Active Directory in this example. The configuration steps include creating two AD Groups in AD, one for Org Admins and one for Org Users. These groups will then be added to one or more organizations in my DSM environment. This will allow members of the AD Groups to log in to DSM and get access to the various organizations, either at admin level or user level.
1. LDAP Settings
Below is an example of the LDAP Settings that I used to connect to my MS Active Directory. As you can see, many of the settings have been left at the defaults, which work just fine. You may like to fine tune these if necessary to suit your environment. Once saved, we will switch context to the Active Directory environment and create the appropriate groups.
2. Create AD Groups
For the purposes of this demonstration, I am going to create two new groups in Active Directory. One group will hold the names of the AD users that I want to have as DSM Org Admins and the other group will hold the names of the AD users that I want to have as DSM Org Users. Below are some simple group details.
After creating the groups, the next step is to add AD users to the groups. I am adding AD user Cormac (email@example.com) to the DSM Org Admins group and user Duncan (firstname.lastname@example.org) to the DSM Org Users Group. The idea is that chogan will be a DSM Org Admin and depping will be a DSM Org User, thus each will have different access levels in DSM.
3. Edit Organization to allow LDAP/AD user access
I now return to the DSM UI, and edit the organization(s) that I wish to allow to have AD user access. In this example, the focus is on an organization called newdevs. Note that under the LDAP integration section, it shows that LDAP Server Status is ON since LDAP has been configured previously, but there are no Admin Groups or User Groups configured for this organization.
Click on EDIT next to Organization Information. This will allow us to add Admin Groups and User Groups. At this point, we can add the AD Groups created earlier. In the Admin Groups section, we add the ‘DSM Org Admins’ group from AD, and in the User Groups, we add the ‘DSM Org Users AD’ group. This should allow user email@example.com access to this ORG as an Org Admin, and user firstname.lastname@example.org access as an Org User.
Click on Update and verify that the changes have taken effect.
4. Login to DSM as an AD User
The final step is to log in to DSM as an AD User. If we log in as user email@example.com, then we should have Org Admin access to the newdevs organization. Let’s see if that is true.
If everything is working as expected, we should be able to log in and have Org Admin access. We can see that this is indeed the case. Success!
Similarly, if I logged in as user firstname.lastname@example.org, I should get user access to the organization. This also works as expected.
LDAP integration to Active Directory is now working in DSM. Note that you do not have control over selecting which individual users have access; it is all done at the AD Group level. So you will not be able to add LDAP/AD users directly as either Org Admins or Org Users. Instead, simply add the AD users to the AD groups that are associated with the DSM organization(s). However, after these users have logged in, they will appear in the users associated with an organization, as shown below.
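Because access is decided purely by AD group membership, it is worth checking what the directory actually returns for an account before expecting a login to work. The following is an added example, not DSM's own code: it parses ldapsearch output for a user's memberOf attribute and reports which DSM organization role the mapped groups would give. It assumes DSM resolves membership through memberOf, and the group DNs and the sample LDIF are constructed.

```python
# Added example, not DSM code: derive the DSM organization role an AD account
# gets from its memberOf values (assumed to be what DSM's LDAP integration
# reads). Group DNs are constructed, lower-cased because AD compares DNs
# case-insensitively.
ORG_ADMIN_GROUPS = {"cn=dsm org admins,ou=groups,dc=example,dc=com"}
ORG_USER_GROUPS = {"cn=dsm org users,ou=groups,dc=example,dc=com"}

# Constructed ldapsearch output; one memberOf value is folded across two lines.
SAMPLE_LDIF = """\
dn: CN=Cormac,OU=Users,DC=example,DC=com
memberOf: CN=DSM Org Admins,OU=Groups,DC=example,DC=com
memberOf: CN=Some Long Group Name That ldapsearch Folds Onto Two Lines,OU=Gro
 ups,DC=example,DC=com

dn: CN=Duncan,OU=Users,DC=example,DC=com
memberOf: cn=dsm org users,ou=groups,dc=example,dc=com

dn: CN=Nobody,OU=Users,DC=example,DC=com

# search result
search: 3
result: 0 Success
"""

def parse_ldif_entries(ldif_text):
    """Parse ldapsearch LDIF into {attr: [values]} dicts for entries with a dn."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation of previous value
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # a blank line ends an entry
        if not line.strip():
            if "dn" in current:           # drops the dn-less search/result trailer
                entries.append(current)
            current = {}
        elif not line.startswith("#"):    # skip comments; attr:: base64 not decoded
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def dsm_roles_for(entry):
    """Roles from group membership alone: an account in neither group gets none."""
    groups = {g.lower() for g in entry.get("memberOf", [])}
    return [role for role, mapped in (("Org Admin", ORG_ADMIN_GROUPS),
            ("Org User", ORG_USER_GROUPS)) if groups & mapped]

def roles_by_dn(ldif_text):
    return {e["dn"][0]: dsm_roles_for(e) for e in parse_ldif_entries(ldif_text)}
```

To run it against a real directory, produce the input with the bind account from the LDAP Settings, for example `ldapsearch -x -H ldaps://<dc> -D "<bind DN>" -W -b "<base DN>" "(sAMAccountName=<user>)" memberOf`, and pass the output to roles_by_dn().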
A common follow-up question to this is whether there is LDAP integration for the database users. At this point in time, we do not control this from within DSM (current version v1.4). However, it is a request that we have heard on a number of occasions, so we have heard this loud and clear and are evaluating it as we go forward. However, for Org Admins and Org Users, we have you covered.