This is part of my VCP7-CMA study guide – Objective 2.2: Create and Manage Directories.
Official Blueprint-
Knowledge
- Create and manage LDAP directory for Active Directory in vRealize Automation
- Create and manage Windows Integrated Authentication Directory in vRealize Automation
- Determine and configure appropriate user and directory binding details
- Evaluate directory synchronization health and troubleshoot issues
Tools
- Installing vRealize Automation 7.0
- Configuring vRealize Automation
- Reference Architecture
- Installing and Configuring vRealize Automation for the Rainpole Scenario
In vRealize Automation 7.x VMware replaced the underlying identity management system, moving from vCenter SSO to VMware Identity Manager (vIDM). vIDM is integrated into the vRA 7.x appliance and scales by adding another vRA appliance.
There are two options to link vRA to Active Directory –
- Active Directory over LDAP.
Create this directory type if you plan to connect to a single Active Directory domain environment. For the Active Directory over LDAP directory type, the connector binds to Active Directory using simple bind authentication. A simple bind sends the bind account's password to the domain controller in cleartext, so point the directory at an LDAPS endpoint (TCP 636) whose certificate the connector trusts rather than plain LDAP on TCP 389.
- Active Directory, Integrated Windows Authentication.
Create this directory type if you plan to connect to a multi-domain or multi-forest Active Directory environment. The connector binds to Active Directory using Integrated Windows Authentication, which is why the connector itself has to be joined to the domain.
Source – Installing and Configuring VMware Identity Manager > Integrating with Active Directory
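The following PowerShell is an added example, not code from the original post or from VMware: it performs the same simple bind the vIDM connector does, once over plain LDAP (389) and once over LDAPS (636), and then searches the Base DN for the bind account itself, so you know before touching vRA that the server, Base DN and bind credentials are right and whether the domain controller will accept an unencrypted bind at all. The server name, Base DN and bind account are placeholders (assumptions), not values from the page.

```powershell
# Added example (not from the original post): check the Active Directory over
# LDAP bind details before entering them in vRA, using the same simple bind the
# vIDM connector performs. Tries plain LDAP (389) and LDAPS (636) and reports
# which one the domain controller accepts.
# Assumptions (placeholders, not from the page): server, Base DN and bind account.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.rainpole.local'            # assumption: domain controller FQDN
$BaseDN   = 'DC=rainpole,DC=local'           # assumption: Base DN you will enter in vRA
$BindUser = 'svc_vra_bind@rainpole.local'    # assumption: bind account, UPN form
$Cred     = Get-Credential -UserName $BindUser -Message 'Bind account password'

function Test-SimpleBind {
    param(
        [string]$Server,
        [int]$Port,
        [bool]$UseSsl,
        [pscredential]$Credential,
        [string]$BaseDN
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as vIDM does
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl                        # LDAPS when $true
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        # Search for the bind account itself: proves the Base DN is right and
        # that this account can read the tree vIDM is going to sync.
        $filter = "(userPrincipalName=$($Credential.UserName))"
        $req    = New-Object System.DirectoryServices.Protocols.SearchRequest(
                      $BaseDN, $filter, 'Subtree', @('distinguishedName'))
        $resp   = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
        [pscustomobject]@{ Port = $Port; SSL = $UseSsl; Bind = 'OK'; Found = $resp.Entries.Count }
    } catch {
        [pscustomobject]@{ Port = $Port; SSL = $UseSsl; Bind = "FAILED: $($_.Exception.Message)"; Found = 0 }
    } finally {
        $conn.Dispose()
    }
}

# Plain LDAP first, then LDAPS. If 389 fails with a "stronger authentication
# required" style error but 636 succeeds, the DC enforces LDAP signing and only
# the LDAPS address will work in vRA anyway.
Test-SimpleBind -Server $Server -Port 389 -UseSsl $false -Credential $Cred -BaseDN $BaseDN
Test-SimpleBind -Server $Server -Port 636 -UseSsl $true  -Credential $Cred -BaseDN $BaseDN
```

A `Found` of 1 on the LDAPS row is the result you want; a bind that only succeeds on 389 means the DC's certificate is missing or untrusted and should be fixed before the directory is created, because the alternative is a bind password crossing the network in cleartext on every sync.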
Further reading –
- VMware Identity Manager (vIDM) and vRA 7
- Identity Management in vRealize Automation 7
- vRealize Automation 7 – Part 5, Identity Management
Create and manage LDAP directory for Active Directory in vRealize Automation
See “Create and manage Windows Integrated Authentication Directory in vRealize Automation”.
Create and manage Windows Integrated Authentication Directory in vRealize Automation
There are some great blog posts about this; Active Directory over LDAP and Active Directory Integrated Windows Authentication (IWA) are configured almost the same way. Note – There is a difference between vRA 7.0 and vRA 7.2: vRA 7.2 added LDAP support for authentication and single sign-on.
Eric Shanks (The IT Hollow) – vRealize Automation 7 – Authentication
Michael Rudloff (Open902.com) – vRA7 – AD Integration
Michael Rudloff (Open902.com) – vRealize Automation 7.2 – Endpoints and AD Integration
Ben King (BK DC) – ADDING ACTIVE DIRECTORY AUTHENTICATION TO VRA7
Source – Configure a Link to Active Directory
Determine and configure appropriate user and directory binding details
When using Active Directory Integrated Windows Authentication (IWA) the vRA appliance (the connector) is automatically joined to the domain. The user you plan to use for binding vRA to Active Directory needs permission to join computers to the AD domain (the “Add workstations to domain” user right, or delegated rights on a pre-created computer object).
If for some reason the user you are using doesn’t have the rights to join a domain, follow this –
- Create the computer object in Active Directory; make sure its location (OU) meets your company policy. Also, make sure to use the FQDN.
- On the Connectors page, click Join Domain and use any domain user account available in Directories Management.
Source – Join a Connector Machine to a Domain
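The PowerShell below is an added example, not code from the original post or from VMware, covering the two steps above from the Active Directory side: it reads the domain's machine-account quota (the usual reason an ordinary account cannot join), pre-creates the connector's computer object in the policy OU with the FQDN as its DNS host name, and delegates to the join account only the four rights a domain join needs on that one object, so the account used in the Join Domain dialog does not have to be a Domain Admin. Domain, appliance name, OU and account names are placeholders (assumptions); the rights GUIDs are the well-known Active Directory schema GUIDs for those rights.

```powershell
# Added example (not from the original post): pre-create the connector's
# computer object for an IWA directory when the join account lacks the right to
# join machines to the domain, and delegate to it only the rights the join needs.
# Assumptions (placeholders, not from the page): domain, appliance name, OU, account.
Import-Module ActiveDirectory

$Domain      = 'rainpole.local'                          # assumption
$Appliance   = 'vra01'                                   # assumption: appliance host name (15 chars max)
$TargetOU    = 'OU=vRA,OU=Servers,DC=rainpole,DC=local'  # assumption: OU your policy requires
$JoinAccount = 'svc_vra_join'                            # assumption: account used for Join Domain

# 1. Why a join fails for a normal user: the domain-wide quota (default 10) may
#    be 0, and the account may lack the "Add workstations to domain" user right.
$domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
$quota    = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $Domain = $quota"

# 2. Pre-create the object in the policy OU with the FQDN as its DNS host name.
$fqdn     = "$Appliance.$Domain"
$computer = Get-ADComputer -Filter "Name -eq '$Appliance'" -SearchBase $TargetOU
if (-not $computer) {
    $computer = New-ADComputer -Name $Appliance -SAMAccountName $Appliance `
                    -DNSHostName $fqdn -Path $TargetOU -Enabled $true -PassThru
}

# 3. Delegate only what a domain join needs on this one object (no Domain Admins):
#    reset password, validated writes to dNSHostName and servicePrincipalName,
#    and write access to the Account Restrictions property set (userAccountControl).
$sid    = (Get-ADUser -Identity $JoinAccount).SID
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rights = @(
    @{ Right = 'ExtendedRight'; Guid = '00299570-246d-11d0-a768-00aa006e0529' }  # Reset Password
    @{ Right = 'Self';          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' }  # Validated write to DNS host name
    @{ Right = 'Self';          Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' }  # Validated write to SPN
    @{ Right = 'WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' }  # Account Restrictions property set
)
$aclPath = "AD:\$($computer.DistinguishedName)"
$acl     = Get-Acl -Path $aclPath
foreach ($r in $rights) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, [System.DirectoryServices.ActiveDirectoryRights]$r.Right, $Allow, [guid]$r.Guid)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $aclPath -AclObject $acl

# 4. Show what you will see when the connector joins.
Get-ADComputer -Identity $Appliance -Properties DNSHostName, DistinguishedName |
    Select-Object Name, DNSHostName, DistinguishedName
```

Run it as an account that can create objects in the target OU; afterwards the Join Domain step on the Connectors page can be done with the delegated `$JoinAccount`, and that account keeps no standing rights anywhere else in the directory.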
Evaluate directory synchronization health and troubleshoot issues
Evaluating directory synchronization is straightforward: go to Administration -> Directories. For the directory you previously added you can see when the last sync ran, whether there are any alerts, and the overall health (green icon).
You can drill down by clicking on the Directory Name and then to Sync Log.
Note the text –
For information about Users and Groups that were synced – click the Sync Details link.
To review the sync log – click the Alerts link.