VMware Cloud Foundation 9.0: Setting Up Custom LDAP Service for an Organization in VCF Automation
If you have looked at VCF Automation in any detail you may be aware that you can configure one or more external identity providers (IdPs), and import users and groups to your organizations. This configuration can use an LDAP server connection which can be configured at either the system or the organization level, a SAML integration at the organization level, or an OpenID Connect (OIDC) integration at the organization level.
In one of my recent posts VMware Cloud Foundation 9.0: Setting Up VCF Single Sign-On with OpenLDAP I talked about setting up VCF Single Sign-On using the VCF Identity Broker component and OpenLDAP as the Identity Provider. As a follow on from that I decided to look at setting up OpenLDAP as an authentication source at the organizational level with a view to being able to demonstrate having completely separate authentication sources across organizations.
Official Broadcom Technical Documentation exists but in my view its not very detailed and lacks some critical detail, for reference you can view the following documents:
- Configure an Organization LDAP Connection in Your VCF Automation
- Edit, Test, and Synchronize an LDAP Connection Using Your VCF Automation Provider Management Portal
Let's take a look at the high-level process which consists of the following steps:
- Configuring an LDAP Identity Provider for an Organization
- Assign Organization Access Control
Configuring an LDAP Identity Provider for an Organization
In this procedure we walk through the process of configuring a custom LDAP Service and perform a simple test to validate the connection details.
Procedure
Log in to the VCF Automation Provider interface at https://<vcf_automation_fqdn>/provider as a user assigned System Administrator role.
In the main navigation select Infrastructure > Organizations.
Click the three dots next to the organization and click Launch Organizational Portal.
Select the Administer tab.
In the main navigation select Connections > Identity Providers.
In the Identity Providers page, click the LDAP tab.
Click Configure.
In the Edit LDAP Options dialog, select the Custom LDAP Service radio button and click Save.
Under LDAP, click the Custom LDAP tab.
Click Edit.
On the Edit Custom LDAP screen, select the Connection tab and enter the following details.
| Setting | Value |
|---|---|
| Server | mycloudyworld |
| Port | 389 |
| Base Distinguished Name | dc=mycloudyworld,dc=io |
| Connector Type | OpenLDAP |
| Authentication Method | Simple |
| User Name | cn=svc-vcf-ldap,dc=mycloudyworld,dc=io |
| Password | VMw@re1!VMw@re1! |
- On the Edit Custom LDAP screen, select the User Attributes tab and enter the following details.
| Setting | Value |
|---|---|
| Object Class | inetOrgPerson |
| Unique identifier | entryUUID |
| User name | uid |
| Display name | cn |
| Given name | givenName |
| Surname | sn |
| Telephone | telephoneNumber |
| Group membership identifier | dn |
| Group back link | (blank) |
- On the Edit Custom LDAP screen, select the Group Attributes tab and enter the following details.
| Setting | Value |
|---|---|
| Object Class | groupOfNames |
| Unique identifier | entryUUID |
| Name | cn |
| Member | member |
| Group membership identifier | dn |
| Group back link identifier | (blank) |
Click Save.
Click Test.
On the Test LDAP dialog, enter the password and click Test.
On the Test LDAP dialog, verify each object has a green tick and click Cancel.
Click Sync.
On the Synchronize LDAP dialog, click Sync.
Assign Organization Access Control
Now we have the Custom LDAP Service configured we can assign access to groups from the Identity Provider based on one of the following roles:
- Organization Administrator
- Organization Auditor
- Organization User
Procedure
Log in to the VCF Automation Provider interface at https://<vcf_automation_fqdn>/provider as a user assigned System Administrator role.
In the main navigation select Infrastructure > Organizations.
Click the three dots next to the organization and click Launch Organizational Portal.
Select the Administer tab.
In the main navigation select Access Control.
In the Access Control page, click the Groups tab.
Click Import Groups.
On the Import Groups dialog, enter the group name in the search text box.
Select the group you want to assign with a role.
Using the dropdown list under Assign Role, select Organization User and click Save.
Conclusion
Use this post as a reference to help configure a Customer LDAP Service for a VCF Automation Organization.