Add Active Directory over LDAP

Using VMware Aria Suite Lifecycle, you can create an Active Directory over LDAP directory type to connect to a single Active Directory domain environment. For the Active Directory over LDAP directory type, the connector uses simple bind authentication.

Prerequisites

- List the Active Directory groups and users to sync from Active Directory.
- Verify that you have specified the required default attributes and added any additional attributes in the User Attributes definition.
- Verify that you have the required user credentials to add a directory.

Procedure
- Click Identity and Tenant Management on the My Services dashboard.
- On the Directory Management tab, click Directories.
- Click Add Directory and select Add Active Directory Over LDAP.
- Enter the following information on the Directory Detail tab (Field - Description):
  - Directory Information - Enter a valid directory name.
  - Directory Sync and Authentication - Select the connector to sync with Active Directory. The connector is a VMware Workspace ONE Access service component that synchronizes user and group data between Active Directory and the VMware Workspace ONE Access service. When used as an identity provider, it also authenticates users. Each VMware Workspace ONE Access appliance node contains a default connector component. When required, a dedicated connector can also be deployed through a global environment scale-out.
  - Authentication Enabled - If you want the connector to perform authentication, select Yes. You can indicate whether the selected connector also performs authentication. If you are using a third-party identity provider to authenticate users, click No.
  - Directory Search Attribute - From the drop-down menu, select the account attribute that contains the user name.
  - Server Location - Select the Directory supports DNS Service Location check box. If you do not want to use DNS Service Location, verify that the Directory supports DNS Service Location check box is not selected and enter the Active Directory server host name and port number.
  - Certificates - If your Active Directory requires access over SSL/TLS, select the Directory requires all connections to use STARTTLS or SSL check box in the Certificates section, and copy and paste the domain controller's intermediate (if used) and root CA certificates into the SSL Certificate text box. Enter the intermediate CA certificate first, then the root CA certificate. Ensure that each certificate is in PEM format and includes the BEGIN CERTIFICATE and END CERTIFICATE lines. If the domain controllers have certificates from multiple intermediate and root certificate authorities, enter all the intermediate-root CA certificate chains, one after another. If your Active Directory requires access over SSL/TLS and you do not provide the certificates, you cannot create the directory.
  - Bind User Details:
    - Base DN - Enter the DN at which to start account searches. For example, OU=myUnit,DC=myCorp,DC=com. The Base DN is used for authentication; only users under the Base DN can authenticate. Ensure that the group DNs and user DNs that you specify later for sync are under this Base DN.
    - Bind User DN - Enter the account details. For example, CN=binduser,OU=myUnit,DC=myCorp,DC=com. Use a Bind user account with a non-expiring password.
    - Bind Password - Enter the Bind user's password. Click Test Connection to verify that the directory can connect to your Active Directory.
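Because the directory cannot be created when the pasted certificate text is malformed, it is worth checking the text before submitting it. The following is an added example, not VMware's code: a small pre-flight check that confirms the pasted text consists only of PEM CERTIFICATE blocks with matching BEGIN/END lines and a base64 body that decodes to a DER SEQUENCE, and that flags any other block type (for example a private key pasted by mistake, which must never go into this field). It does not verify the chain cryptographically or check intermediate-before-root ordering; the sample inputs are constructed (the DER body is a minimal placeholder, not a real certificate).

```python
"""Pre-flight check for the text pasted into the SSL Certificate box.

Added example, not VMware code. Confirms the text is a sequence of PEM
CERTIFICATE blocks with intact BEGIN/END lines and a decodable DER body.
It does not validate signatures or chain order.
"""
import base64
import binascii
import re

# One PEM block: BEGIN label, body, END label (labels compared afterwards).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def check_pem_chain(text: str) -> dict:
    """Return {"certificates": n, "problems": [...]} for the pasted text."""
    problems = []
    certs = 0
    begins = text.count("-----BEGIN ")
    ends = text.count("-----END ")
    if begins == 0:
        problems.append("no PEM blocks found")
    elif begins != ends:
        problems.append(f"{begins} BEGIN line(s) but {ends} END line(s)")
    for match in PEM_BLOCK.finditer(text):
        label_begin, body, label_end = match.groups()
        if label_begin != label_end:
            problems.append(f"BEGIN {label_begin} closed by END {label_end}")
            continue
        if label_begin != "CERTIFICATE":
            # Anything else (keys, CSRs) does not belong in this field.
            problems.append(
                f"unexpected block type {label_begin!r}; only certificates belong here"
            )
            continue
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except (binascii.Error, ValueError):
            problems.append("certificate body is not valid base64")
            continue
        if not der or der[0] != 0x30:
            # Every DER-encoded X.509 certificate starts with a SEQUENCE tag.
            problems.append("certificate body does not decode to a DER SEQUENCE")
            continue
        certs += 1
    return {"certificates": certs, "problems": problems}


# Constructed sample inputs. "MAMCAQE=" is base64 of a tiny DER SEQUENCE,
# standing in for a real certificate body.
CONSTRUCTED_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n" * 2
)
CONSTRUCTED_BAD = (
    "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nnot*base64\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(check_pem_chain(CONSTRUCTED_CHAIN))
    print(check_pem_chain(CONSTRUCTED_BAD))
```

Run it against the exact text you intend to paste; a non-empty `problems` list means the Add Directory step will fail or, worse, that non-certificate material was about to be submitted.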
- Click Create and Next. For Active Directory over LDAP, the domains are listed with a check mark.
- On the Domain Selection Detail tab, select the domain and click Next.
- To map the directory attributes to Active Directory, on the Map Attribute tab, select the required attributes and click Save and Next.
- On the Group Selection tab, specify the Group DN details to sync from Active Directory to the VMware Workspace ONE Access directory and click Next. You can also select any Active Directory groups already available in the list to sync to the directory.
- To select groups, click Add Group Distinguished Name, specify one or more group DNs, and select the groups under them. Specify group DNs that are under the Base DN that you entered in the Base DN text box on the Add Directory page. If a group DN is outside the Base DN, users from that DN are synced but cannot log in.
- Click Find Groups. The Actions column lists the number of groups found in the DN. To select all the groups in the DN, click Select All, or click the number and select the specific groups to sync. When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.
- Select the Sync Nested Group Members option.
- On the User Selection tab, enter the User DN details and click Next. Suite Administrators is a user in Active Directory who acts as the admin user for the deployed suite products, Logs, and AD table.
- Select the Sync Nested Group Members option and enter the Suite Administrators. When this option is enabled, all the users that belong directly to the group you select and all the users that belong to the nested groups under it are synced when the group is entitled. Note that the nested groups themselves are not synced; only the users that belong to them are synced. In the VMware Workspace ONE Access directory, these users are members of the parent group that you selected for sync. If the Sync Nested Group Members option is deactivated, when you specify a group to sync, only the users that belong directly to that group are synced; users that belong to nested groups under it are not. Deactivating this option is useful for large Active Directory configurations where traversing a group tree is resource- and time-intensive. If you deactivate this option, ensure that you select all the groups whose users you want to sync.
- Click Save and Next. On the User Selection page, click Add User and specify the user DNs to sync. Specify user DNs that are under the Base DN that you entered in the Base DN text box on the Add Directory page. If a user DN is outside the Base DN, users from that DN are synced but cannot log in. Click Save and Next.
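The group-selection and user-selection steps both carry the same failure mode: a DN outside the Base DN is accepted, its users are synced, and those users then cannot log in. The following is an added example, not VMware's code, that checks every group and user DN you plan to enter against the Base DN before you create the directory. It compares DNs as RFC 4514 RDN sequences, case-insensitively and ignoring whitespace after separators, so the page's own example `OU=myUnit,DC=myCorp, DC=com` compares equal to `ou=myunit,dc=mycorp,dc=com`. Escaped commas inside a value (`CN=Smith\, John`) are handled; multi-valued RDNs joined with `+` are not. The sample DNs are constructed.

```python
"""Check that the group and user DNs chosen for sync fall under the Base DN.

Added example, not VMware code. A DN outside the Base DN is synced but its
users cannot log in, so this catches the mistake before the directory exists.
"""
import re

# Split on commas that are not escaped with a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> list:
    """Return [(attribute, value), ...] in leaf-to-root order, normalised.

    Attribute types and values are lower-cased and stripped of surrounding
    whitespace, which matches how Active Directory compares DNs. Multi-valued
    RDNs ("cn=a+sn=b") are not split; that is a deliberate simplification.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            raise ValueError(f"empty RDN in {dn!r}")
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_is_under(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies anywhere in the subtree below it."""
    leaf, base = parse_dn(dn), parse_dn(base_dn)
    # A DN is under the base when its trailing RDNs are exactly the base's RDNs.
    return len(leaf) >= len(base) and leaf[-len(base):] == base


def check_sync_dns(base_dn: str, sync_dns: list) -> list:
    """Return the DNs whose users would be synced but unable to log in."""
    return [dn for dn in sync_dns if not dn_is_under(dn, base_dn)]


# The page's example Base DN, and a constructed set of candidate sync DNs.
BASE_DN = "OU=myUnit,DC=myCorp, DC=com"
CONSTRUCTED_SYNC_DNS = [
    "CN=App Admins,OU=Groups,OU=myUnit,DC=myCorp,DC=com",   # under the base
    r"CN=Smith\, John,OU=myUnit,DC=myCorp,DC=com",          # escaped comma, under
    "ou=myunit,dc=mycorp,dc=com",                           # equals the base
    "OU=Contractors,DC=myCorp,DC=com",                      # sibling OU: outside
]

if __name__ == "__main__":
    for bad in check_sync_dns(BASE_DN, CONSTRUCTED_SYNC_DNS):
        print(f"outside Base DN (users will sync but cannot log in): {bad}")
```

Run it with your real Base DN and the full list of group and user DNs before clicking Create and Next; anything it reports should either be moved under the Base DN or dropped from the sync, and the Base DN itself should be no wider than the subtree that actually needs to authenticate.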
- Review the Dry Run Check tab, read the summary, and click Sync and Complete to start the sync to the directory. The connection to Active Directory is established, and users and group names are synced from Active Directory to the VMware Workspace ONE Access directory.
- Click Submit.
- To edit, click the Edit icon on the specific Active Directory in the list of Active Directories. Any information added is appended to the configuration on VMware Workspace ONE Access. However, any removal through editing only removes the configuration from the VMware Aria Suite Lifecycle inventory and not from VMware Workspace ONE Access.
- To delete, click the Delete icon on the specific Active Directory in the list of Active Directories. The delete action deletes the Active Directory only from the VMware Aria Suite Lifecycle inventory and not from VMware Workspace ONE Access.