Add an Identity Source to the SDDC LDAP Domain

The first step toward configuring Hybrid Linked Mode from your SDDC is to add your on-premises LDAP domain as an identity source for the SDDC.
Ensure that you meet the Common Prerequisites in Prerequisites for Configuring Hybrid Linked Mode.
You can configure Hybrid Linked Mode from your SDDC if your on-premises LDAP service is provided by a native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service.
If you are using OpenLDAP as the identity source, see the VMware knowledge base article at http://kb.vmware.com/kb/2064977 for additional requirements.
  1. Log in to the vSphere Client for your SDDC.
    To add an identity source, you must be logged in as cloudadmin@vmc.local or another member of the cloud administrators group.
  2. Open the Add Identity Source dialog box. The steps depend on your use case.
    Hybrid Linked Mode:
      1. Select Menu > Administration.
      2. Under Hybrid Cloud, select Linked Domains.
      3. Under Add Cloud Administrator, select Add Identity Source from the Identity Source drop-down menu.
    All other use cases:
      1. Select Menu > Administration.
      2. Under Single Sign On, click Configuration.
      3. Click Identity Sources and click Add.
  3. Configure the identity source settings.
    Identity Source Type: Select Active Directory as an LDAP Server to use a Windows Active Directory server, or OpenLDAP to use an OpenLDAP server.
    Name: Enter the name of the identity source.
    Base DN for users: Enter the Base Distinguished Name for users.
    Base DN for groups: Enter the Base Distinguished Name for groups.
    Domain Name: FQDN of the domain. Do not enter an IP address here.
    Domain Alias: Enter an alias for the domain. For Active Directory identity sources, this is the domain's NetBIOS name. Add the NetBIOS name of the Active Directory domain as an alias of the identity source if you are using SSPI authentication.
    Username: Enter the ID of a user in the domain who has at least read-only access to the Base DN for users and groups. Use UPN format (for example, user@example.com) rather than DN format.
    Password: Enter the password of the user specified by Username.
    Connect To: Select which domain controller to connect to.
      • Select Any domain controller in the domain to connect to any domain controller.
      • Select Specific domain controllers to specify the domain controllers.
      If you select Specific domain controllers, specify the URL for the primary server and the secondary server used for failover. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for ldap: connections and 636 for ldaps: connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for ldap: connections and 3269 for ldaps: connections.
    SSL Certificates: If you use ldaps:, select Browse and select a certificate file to upload to secure the ldaps: connection. Certificates can be exported in several formats. Be sure to export the format supported by the Identity Source Type you have chosen.
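As an added pre-flight check (example code, not part of VMware's documentation or product), the following Python validates the values you are about to enter in the dialog against the rules stated above: an FQDN rather than an IP address for Domain Name, UPN rather than DN format for Username, ldap:/ldaps: domain controller URLs with the usual ports, and a certificate file whenever ldaps: is used. The dictionary keys (`domain_name`, `username`, `domain_controllers`, `certificate`) are assumptions chosen for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ports the page names: 389/636 for a single DC, 3268/3269 for the AD global catalog.
EXPECTED_PORTS = {"ldap": {389, 3268}, "ldaps": {636, 3269}}
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_url(url):
    """Problems with one domain controller URL (empty list if it is well-formed)."""
    parts = urlsplit(url)
    if parts.scheme not in EXPECTED_PORTS:
        return [f"{url}: scheme must be ldap or ldaps"]
    problems = []
    if not parts.hostname or is_ip(parts.hostname) or parts.path or parts.query:
        problems.append(f"{url}: expected {parts.scheme}://hostname:port with a host name")
    try:
        port = parts.port          # raises ValueError if the port is not numeric
    except ValueError:
        port = None
    if port is None:
        problems.append(f"{url}: port is missing or not a number")
    elif port not in EXPECTED_PORTS[parts.scheme]:
        problems.append(f"{url}: port {port} is unusual for {parts.scheme}: (expected {sorted(EXPECTED_PORTS[parts.scheme])})")
    return problems

def check_identity_source(settings):
    """settings: dict of the dialog's fields (hypothetical keys). Returns a list of findings."""
    findings = []
    domain = settings.get("domain_name", "")
    if is_ip(domain) or not FQDN_RE.match(domain):
        findings.append("Domain Name must be an FQDN, not an IP address")
    user = settings.get("username", "")
    if user.lower().startswith(("cn=", "uid=")) or not UPN_RE.match(user):
        findings.append("Username must be in UPN format (user@example.com), not a DN")
    urls = settings.get("domain_controllers", [])
    for url in urls:
        findings.extend(check_url(url))
    if any(urlsplit(u).scheme == "ldaps" for u in urls) and not settings.get("certificate"):
        findings.append("ldaps: is used but no SSL certificate file was supplied")
    return findings
```

An empty result means the values match every rule on this page; each finding names the field to correct before you click Add.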
When the identity source is added, on-premises users can authenticate to the SDDC but have the No access role. Add permissions for a group of users to give them the cloud administrator role.