Data Services Manager 9.0.1 Announced

It gives me great pleasure to announce the availability of VMware Data Services Manager (DSM) version 9.0.1. Over the coming weeks I will be deep-diving into many of these new features, but for now I want to provide you all with a brief overview of the capabilities and enhancements that you can find in this release. Automated Active Directory integration for MS SQL Server: We continue to enhance our MS SQL Server integration. Although the data service is still in tech preview in DSM 9.0.1, a significant enhancement in this release is the ability to specify a privileged Active Directory…

Using ldap2pg to integrate between AD Groups and Postgres Roles

On a recent customer call regarding Postgres instances and databases provisioned by Data Services Manager (DSM), there was a question regarding Active Directory / LDAP integration. Specifically, there was a question on how to automatically provide an Active Directory / LDAP group access to a Postgres database. Now, as many readers are aware, DSM already supports Directory Services such as Active Directory and LDAPS for Postgres databases. See this earlier blog post on how to do that. But once Directory Services is configured in DSM, and selected during Postgres database provisioning, the DBA needs to create logins and grant access…

Configuring LDAPS for database access in DSM v2.1

Data Services Manager version 2.1 introduces a much anticipated feature. This is the ability to use LDAPS to give users access to databases. Version 2.0.x already had LDAPS support for user access to the DSM Provider Appliance Portal/UI. Version 2.1 extends that support to the databases which DSM provisions. In this post, we will see how to configure secure LDAPS to connect to Active Directory, and then the steps which are used to grant users access to the databases. We will see how this can be done at database creation time, but also how it can be done after the…

LDAP Integration in VMware Data Services Manager v1.4

I had a recent question about integrating VMware Data Services Manager v1.4 with Microsoft Active Directory for users. This is indeed possible. In this post, I will demonstrate how Organization Admins and Organization Users can be integrated as Active Directory users, and subsequently granted access to Data Services Manager. This is achieved by configuring the LDAP settings in DSM to communicate with Active Directory in this example. The configuration steps include creating two AD Groups in AD, one for Org Admins and one for Org Users. These groups will then be added to one or more organizations in my DSM…

TKG v1.4 LDAP (Active Directory) integration with Pinniped and Dex

LDAP integration with Pinniped and Dex is a topic that I have written about before, particularly with TKG v1.3. However, recently I had reason to deploy TKG v1.4 and noticed some nice new enhancements around LDAP integration that I thought it worthwhile highlighting. One is the fact that you no longer need to have a web browser available in the environment where you are configuring LDAP credentials, which was a requirement in the previous version. In this post, I will deploy a TKG v1.4 management cluster on vSphere. This environment uses the NSX ALB to provide IP addresses for both…

Using Tanzu Mission Control for managing LDAP/AD access policies for workload clusters

I’ve recently been looking at some of the features around Tanzu Mission Control. Tanzu Mission Control (or TMC for short) is a VMware SaaS offering for managing and monitoring your Kubernetes Clusters across multiple clouds. My particular interest on this occasion was around the access policy features, especially when the Tanzu Kubernetes Grid (TKG) workload clusters were deployed with LDAP/Active Directory integration via the Pinniped and Dex packages that are available with TKG. In this post, I will roll out my TKG management cluster, followed by a pair of TKG workload clusters. The TKG management cluster will be automatically integrated with…

TKG v1.3 Active Directory Integration with Pinniped and Dex

Tanzu Kubernetes v1.3 introduces OIDC and LDAP identity management with Pinniped and Dex. Pinniped allows you to plug external OpenID Connect (OIDC) or LDAP identity providers (IDP) into Tanzu Kubernetes clusters, which in turn allows you to control access to those clusters. Pinniped uses Dex as the endpoint to connect to your upstream LDAP identity provider, e.g. Microsoft Active Directory. If you are using OpenID Connect (OIDC), Dex is not required. It is also my understanding that Pinniped will eventually integrate directly with LDAP as well, removing the need for Dex. But for the moment, both components are required.…