Add Active Directory over LDAP

Using VMware Aria Suite Lifecycle, you can create an Active Directory over LDAP directory type to connect to a single Active Directory domain environment. For the Active Directory over LDAP directory type, the connector uses simple bind authentication.
  • List the Active Directory groups and users to sync from Active Directory.
  • Verify that you have specified the required default attributes and add any additional attributes in the User Attributes definition.
  • Verify that you have the required user credentials to add a directory.
  1. Click Identity and Tenant Management on the My Services dashboard.
  2. On the Directory Management tab, click Directories.
  3. Click Add Directory and select Add Active Directory Over LDAP.
  4. On the Directory Detail tab, enter the following information (fields and their descriptions):
    Directory Information
      Enter a valid directory name.
    Directory Sync and Authentication
      Select the connector to sync with Active Directory. The connector is a VMware Workspace ONE Access service component that synchronizes user and group data between Active Directory and the VMware Workspace ONE Access service. When used as an identity provider, it also authenticates users. Each VMware Workspace ONE Access appliance node contains a default connector component. When required, a dedicated connector can also be deployed through a global environment scale-out.
    Authentication Enabled
      Indicates whether the selected connector also performs authentication. If you want the connector to perform authentication, select Yes. If you are using a third-party identity provider to authenticate users, select No.
    Directory Search Attribute
      From the drop-down menu, select the account attribute that contains the user name.
    Server Location
      Select the Directory supports DNS Service Location check box.
      • If your Active Directory requires access over SSL/TLS, select the Directory requires all connections to use STARTTLS or SSL check box in the Certificates section, and copy and paste the domain controllers' intermediate (if used) and root CA certificates into the SSL Certificate text box. Enter the intermediate CA certificate first, then the root CA certificate. Ensure that each certificate is in PEM format and includes the BEGIN CERTIFICATE and END CERTIFICATE lines. If the domain controllers have certificates from multiple intermediate and root certificate authorities, enter all the intermediate-root CA certificate chains, one after another. If your Active Directory requires access over SSL/TLS and you do not provide the certificates, you cannot create the directory.
      • If you do not want to use DNS Service Location, verify that the Directory supports DNS Service Location check box is not selected and enter the Active Directory server host name and port number.
    Certificates
      If your Active Directory requires access over SSL/TLS, select the Directory requires all connections to use SSL check box in the Certificates section and copy and paste the domain controller's intermediate (if used) and root CA certificate into the SSL Certificate text box. Enter the intermediate CA certificate first, then the root CA certificate. Ensure that the certificate is in PEM format and includes the BEGIN CERTIFICATE and END CERTIFICATE lines. If your Active Directory requires access over SSL/TLS and you do not provide the certificate, you cannot create the directory.
    Bind User Details
      • Base DN - Enter the DN from which account searches start. For example, OU=myUnit,DC=myCorp, DC=com. The Base DN is used for authentication: only users under the Base DN can authenticate. Ensure that the group DNs and user DNs that you specify later for sync are under this Base DN.
      • Bind User DN - Enter the account details. For example, CN=binduser,OU=myUnit,DC=myCorp, DC=com. Use a bind user account with a non-expiring password.
      • Bind Password - Click Test Connection to verify that the directory can connect to your Active Directory.
  5. Click Create and Next.
    For Active Directory over LDAP, the domains are listed with a check mark.
  6. On the Domain Selection Detail tab, select the domain and click Next.
  7. To map the directory attributes to Active Directory, on the Map Attribute tab, select the required attribute and click Save and Next.
  8. On the Group Selection tab, specify the Group DN details to sync from Active Directory to the VMware Workspace ONE Access directory, and click Next.
    You can also select any of the Active Directory groups already available in the list to sync to the directory.
    1. To select groups, click Add Group Distinguished Name and specify one or more group DNs, then select the groups under them. Specify group DNs that are under the Base DN that you entered in the Base DN text box on the Add Directory page. If a group DN is outside the Base DN, users from that DN are synced but cannot log in.
    2. Click Find Groups. The Actions column lists the number of groups found in the DN. To select all the groups in the DN, click Select All, or click the number and select the specific groups to sync. When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.
    3. Select the Sync Nested Group Members option.
  9. On the User Selection tab, enter the User DN details and click Next.
    Suite Administrators is a user name in Active Directory that acts as the admin user for the deployed suite products, logs, and the AD table.
  10. Select the Sync Nested Group Members option and enter the Suite Administrators.
    When this option is enabled, all the users that belong directly to the group you select and all the users that belong to the nested groups under it are synced when the group is entitled. Note that the nested groups themselves are not synced; only the users that belong to the nested groups are synced. In the VMware Workspace ONE Access directory, these users are members of the parent group that you selected for sync. If the Sync Nested Group Members option is deactivated, when you specify a group to sync, only the users that belong directly to that group are synced; users that belong to nested groups under it are not synced. Deactivating this option is useful for large Active Directory configurations where traversing a group tree is resource- and time-intensive. If you deactivate this option, ensure that you select all the groups whose users you want to sync.
  11. Click Save and Next. On the User Selection page, click Add User and specify the user DNs to sync. Specify user DNs that are under the Base DN that you entered in the Base DN text box on the Add Directory page. If a user DN is outside the Base DN, users from that DN are synced but cannot log in. Click Save and Next.
  12. Review the Dry Run Check tab, read the summary, and click Sync and Complete to start the sync to the directory. The connection to Active Directory is established, and users and group names are synced from Active Directory to the VMware Workspace ONE Access directory.
  13. Click Submit.
  14. To edit, click the Edit icon on the specific Active Directory in the list of Active Directories. Any information added is appended to the configuration on VMware Workspace ONE Access. However, any removal through editing only removes the configuration from the VMware Aria Suite Lifecycle inventory and not from VMware Workspace ONE Access.
  15. To delete, click the Delete icon on the specific Active Directory in the list of Active Directories. The delete action deletes the Active Directory only from the VMware Aria Suite Lifecycle inventory and not from VMware Workspace ONE Access.
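Two inputs in the procedure above are easy to get wrong and fail late: the PEM chain pasted into the SSL Certificate text box (which must contain complete BEGIN CERTIFICATE and END CERTIFICATE blocks, intermediate first, then root) and the group and user DNs selected for sync (which sync even when they lie outside the Base DN, but those users can then never log in). The connector uses a simple bind, so the bind password is only protected when the STARTTLS or SSL option is selected, which is why the certificate paste matters. The following script is an added example, not VMware code, and does not talk to Active Directory at all: it checks the PEM bundle structurally and checks every sync DN against the Base DN before you fill in the form. The sample DNs and the certificate bodies are constructed placeholders (the bodies are not real certificates).

```python
"""Offline pre-flight checks for the Add Active Directory over LDAP form.

Added example, not VMware code. The sample DNs and the certificate bodies
below are constructed placeholders (the bodies are not real certificates).
"""
import base64
import binascii
import re

# One complete PEM block: BEGIN line, base64 body (possibly multi-line), END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)
# Split a DN on commas that are not backslash-escaped (RFC 4514 escaping).
RDN_SPLIT = re.compile(r"(?<!\\),")


def check_pem_bundle(text: str) -> dict:
    """Structurally check the text pasted into the SSL Certificate box.

    Counts complete BEGIN/END CERTIFICATE blocks, verifies that each body is
    decodable base64, and flags a BEGIN line without a matching END line (or
    vice versa). It does not validate the certificates cryptographically; it
    catches the copy/paste damage that makes directory creation fail.
    """
    blocks = PEM_BLOCK.findall(text)
    invalid = []
    for index, body in enumerate(blocks, start=1):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            invalid.append(index)
    begins = text.count("-----BEGIN CERTIFICATE-----")
    ends = text.count("-----END CERTIFICATE-----")
    balanced = begins == ends == len(blocks)
    return {
        "certificates": len(blocks),
        "invalid_base64": invalid,
        "balanced": balanced,
        "ok": bool(blocks) and not invalid and balanced,
    }


def normalize_dn(dn: str) -> tuple:
    """Return the DN as a tuple of (type, value) RDNs, stripped and lower-cased.

    Active Directory matches attribute types and DN values case-insensitively,
    and the page's own examples contain a space after a comma, so
    'OU=myUnit,DC=myCorp, DC=com' and 'ou=myunit,dc=mycorp,dc=com' compare equal.
    """
    rdns = []
    for part in RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"RDN without '=' in {dn!r}: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def is_under_base_dn(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies beneath it (base_dn is its suffix)."""
    target, base = normalize_dn(dn), normalize_dn(base_dn)
    return len(target) >= len(base) and target[-len(base):] == base


def dns_outside_base(dns, base_dn: str) -> list:
    """DNs that would sync but whose users could not log in (outside the Base DN)."""
    return [dn for dn in dns if not is_under_base_dn(dn, base_dn)]


# Constructed sample inputs, modelled on the examples in the procedure above.
BASE_DN = "OU=myUnit,DC=myCorp, DC=com"
BIND_USER_DN = "CN=binduser,OU=myUnit,DC=myCorp, DC=com"
SYNC_DNS = [
    "CN=Suite Admins,OU=Groups,OU=myUnit,DC=myCorp,DC=com",
    "OU=Users,OU=myUnit,DC=myCorp,DC=com",
    "CN=Contractors,OU=External,DC=myCorp,DC=com",  # outside the Base DN
]
# Constructed PEM bundle in the required order (intermediate, then root);
# the bodies are base64 placeholders, not certificates.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "aW50ZXJtZWRpYXRlLWNhLXBsYWNlaG9sZGVy\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "cm9vdC1jYS1wbGFjZWhvbGRlcg==\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("certificate bundle:", check_pem_bundle(SAMPLE_BUNDLE))
    print("bind user under Base DN:", is_under_base_dn(BIND_USER_DN, BASE_DN))
    print("sync DNs outside Base DN:", dns_outside_base(SYNC_DNS, BASE_DN))
```

Run it against the real Base DN, the group and user DNs you intend to enter in the Group Selection and User Selection tabs, and the exact text you are about to paste into the SSL Certificate box; anything reported by `dns_outside_base` should be moved under the Base DN (or the Base DN raised) before the sync, since the directory will otherwise contain users who can never authenticate. The PEM check is deliberately structural only; the Test Connection button is still what proves the chain actually validates the domain controllers.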