Active Directory Integration in VIO 3.0

Size: px

Start display at page:

Download "Active Directory Integration in VIO 3.0"

Bernadette Stevens
5 years ago
Views:

Active Directory Integration in VIO 3.0 Active Directory integration is improved in VIO 3.0 by adding Active Directory config auto-detect. This document describes the changes.

1 Active Directory Integration in VIO 3.0 Active Directory integration is improved in VIO 3.0 by adding Active Directory config auto-detect. This document describes the changes. Day 1 It s possible to have local admin enabled and LDAP users at the same time in different keystone domains. This doc does not cover the topic. Please refer to Keystone Domain for details. 1. In order to communicate with Domain Controllers within your organization, please make sure DNS servers are properly set for OMS server, otherwise the OMS server may complain about Invalid Domain Name even you have entered the domain name inside your organization. Usually within a valid Active Directory domain, Domain Controllers will be also serving DNS requests. If you are using private gateways (i.e. setting a shared private network x.x inside VMware), make sure your gateway is capable of forwarding DNS requests to the Domain Controllers outside your private network. Domain Name, Bind User, Bind Password are required parameters to communicate with the Active Directory domain.

2 Please notice that you will still need to enter Domain Name during the setup when you import a deployment config file saved by VIO 1.x or 2.x. Limit Your Search on Domain Controllers There may be a large amount of Domain Controllers for a large group. Taking VMware as an example, there are more than 74 Domain Controllers inside VMware. Such kind of information can be retrieved through a DNS query. > nslookup querytype=srv _ldap._tcp.vmware.com Non authoritative answer: _ldap._tcp.vmware.com service = exrootdc02.vmware.com. _ldap._tcp.vmware.com service = exrootdc01.vmware.com. (74 records) The SRV records in DNS query answer above will give the information of available Domain Controllers inside your organization. user Format: (Priority) (Weight) (Port) (Target Host Name) Example: exrootdc01.vmware.com According to Microsoft technical articles, the priority can be used to decide the order to communicate with Domain Controllers. However, there are not so many cases in real life to indicate that the values are properly configured. Hence the order may change every time you configure VIO (This issue will not be solved until 3.x or later release). Also, there may be performance concerns to use all available Domain Controllers inside your organization. By default, OMS will go through every Domain Controller to verify the connectivity. OMS will not use those Domain Controllers which is unable to connect to ensure Keystone configure succeeded. Please notice that this may take a few minutes in a large Active Directory deployment like VMware. In order to keep the Domain Controller in a fixed order, you may manually input the Domain Controllers to use in the Domain Controllers input box. Multiple values can be delimited with, (comma) (i.e. exrootdc01.vmware.com, exrootdc02.vmware.com). OMS will respect the order you provide. If any Domain Controller you enter is unable to connect, OMS will inform you about the error immediately. Use Domain Controllers Close to Your Deployment If you have multiple sites inside your organization, you may want to use those Domain Controllers in the same site to ensure the connections are stable. LDAP requests across different geographical sites may become unreliable due to the weak WAN connections or limited

bandwidth. In such a case, you can provide a Site name to limit your search within the Domain Controllers within a specific site (i.e. PaloAlto, or Beijing for VMware).

3 bandwidth. In such a case, you can provide a Site name to limit your search within the Domain Controllers within a specific site (i.e. PaloAlto, or Beijing for VMware). All Domain Controllers in the same site will be used for later configuration. If any Domain Controller in the specified site you enter is unable to connect, OMS will inform you about the error immediately. Particularly, OMS can automatically detect the site within your organization. To allow this function to work properly, the IP address of OMS server must be set to a valid site IP address (i.e in VMware). Please notice that you cannot have both Domain Controllers and Site specified. Secure Your Connection By default, LDAPS will be used to communicate with Domain Controller if applicable. OMS will fall back to use LDAP when LDAPS is not available, in which case you may get a warning to inform you the connection may not be secure. Most organizations install certificates signed by their internal Active Directory CA on the Domain Controllers. This use case is officially supported in VIO 3.0. You will only need to specify which Domain Controllers you would like to use in your environment during the setup. Limit Your LDAP Query Result By default LDAP queries only return 1000 records for performance concerns. When Keystone performs LDAP queries, it may cause an error if the result contains more than 1000 records. You need to limit your LDAP queries not to exceed this hard limit in Keystone in a large Active Directory deployment which contains a lot of user and group objects (like VMware). You may use User Filter or Group Filter on the user or group search. OMS uses the following default values for User Tree DN and Group Tree DN. Please also notice the scope. # Attribute Default Value Scope Example 1 User Tree DN Root DN Subtree dc=vmware,dc=com 2 Group Tree DN The top level of user tree One Level cn=users,dc=vmware,dc=com As Active Directory schema differs in different organizations, please contact the Active Directory administrator or use tool like ldapsearch or Apache Directory Studio to find the proper values.

4 # Attribute Value applicable inside VMware 1 User Tree DN dc=vmware,dc=com 2 User Filter ( (department=cmbu_openstack_vio*)(samaccountname=vio-aut ouser)) 3 Group Tree DN OU=Distribution Groups,OU=Groups,OU=Corp,DC=vmware,DC=com 4 Group Filter (CN=VMware*) Attribute Mappings The following attribute names are used for attribute mappings in LDAP queries. If your Active Directory schema differs from the default value, use Advanced Setting to change the value. # Attribute Default Value Remarks 1 User Object Class organizationalperson 2 User ID cn Must be unique 3 User name userprincipalname samaccountname if you prefer short logon name as Windows Need to ensure all accounts have valid value for this attribute 4 Mail mail 5 User password userpassword As VIO does not support password change for LDAP users, this value is omitted. 6 User Account Control useraccountcontrol Check whether the user is enabled or not 7 Group ID cn Must be unique 8 Group Name samaccountname 9 Group Member member 10 Group description description

5 Advanced Setting You can use settings in Advanced Setting section to override default settings. Settings in Advanced Setting section have higher priorities. i.e. If you enter host name in Advanced Setting, values specified in Domain Controllers or Site will be ignored. Global Catalog Active Directory provides Global Catalog service to query against the whole forest without chasing the LDAP query through Domain Controllers in parent or sub domains. The Active Directory tree for the whole forest can be queried through Global Catalog service on a single Domain Controller. Global Catalog replicates the Active Directory forest automatically across different sites. By default not all attributes are replicated to reduce the data size across geographical locations. If you need to query against these non-replicated attributes, you should not use Global Catalog. Global Catalog is served on 3268 (LDAP) or 3269 (LDAPS). Please notice that Global Catalog may not be installed on all Domain Controllers. The following command can be used to query the availability of Domain Controllers which serves Global Catalog services. > nslookup querytype=srv _gc._tcp.vmware.com Non authoritative answer: _gc._tcp.vmware.com service = eatrootdc01.vmware.com. _gc._tcp.vmware.com service = exrootdc03.vmware.com. (...) If you would like to use Global Catalog, you can specify the port in Domain Controllers (parootdc01.vmware.com:3268,wdcrootdc01.vmware.com:3268) or Port input field explicly. Customized Features Some configuration items are not exposed on UI. You may use custom.yml to customize the values before deployment. # Configuration Item Key name in custom.yml Value Default Value 1 chase_referrals keystone_ldap_chase_referrals true/false false

6 2 ldap_url keystone_ldap_url LDAP URL (ldaps:// ) Please refer to custom.yml.sample for all configurable items. - Load Balanced LDAP URL By default, keystone will always use the first Domain Controller when multiple Domain Controllers are configured unless the first Domain Controller fails to serve LDAP requests. This failover behavior may take up to 10 minutes to finish when the user will be waiting during this period. Customers may have configured a Load Balanced LDAP URL to better handle the situation in their organizations. VIO 3.0 do not support Load Balanced LDAP URL from UI especially when LDAPS is also configured. In such a case, you need to use custom.yml to manually override the keystone ldap_url configuration. At the same time, you need to enter all the Domain Controllers to rotate on the UI for OMS to retrieve server certificates. This behavior may be subject to change in the future release (3.x) after we introduce the feature to Load Balancing Domain Controllers inside VIO. There is no plan to support this feature in VIO 3.0. Day 2 You can configure Active Directory in Day 2 operation.

7 The behavior is similar to Day 1.

Directory Integration with VMware Identity Manager

Directory Integration with VMware Identity Manager VMware AirWatch 9.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a