Add an Identity Source to the SDDC LDAP Domain
Last Updated January 23, 2025
The first step toward configuring Hybrid Linked Mode from your SDDC is to add your on-premises LDAP domain as an identity source for the SDDC vCenter Server. Ensure that you meet the Common Prerequisites in Prerequisites for Configuring Hybrid Linked Mode.
You can configure Hybrid Linked Mode from your SDDC if your on-premises LDAP service is provided by a native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service. If you are using OpenLDAP as the identity source, see the VMware knowledge base article at http://kb.vmware.com/kb/2064977 for additional requirements.
- Log in to the vSphere Client for your SDDC. To add an identity source, you must be logged in as cloudadmin@vmc.local or another member of the cloud administrators group.
- Open the Add Identity Source dialog box. The path depends on your use case:
  - Hybrid Linked Mode:
    - Select.
    - Under Hybrid Cloud, select Linked Domains.
    - Under Add Cloud Administrator, select Add Identity Source from the Identity Source drop-down menu.
  - All other use cases:
    - Select.
    - Under Single Sign On, click Configuration.
    - Click Identity Sources and click Add.
- Configure the identity source settings:
  - Identity Source Type: Select Active Directory as an LDAP Server to use a Windows Active Directory server, or OpenLDAP to use an OpenLDAP server.
  - Name: Enter the name of the identity source.
  - Base DN for users: Enter the Base Distinguished Name for users.
  - Base DN for groups: Enter the Base Distinguished Name for groups.
  - Domain Name: The FQDN of the domain. Do not enter an IP address here.
  - Domain Alias: Enter an alias for the domain. For Active Directory identity sources, this is the domain's NetBIOS name. Add the NetBIOS name of the Active Directory domain as an alias of the identity source if you are using SSPI authentication.
  - Username: Enter the ID of a user in the domain who has at least read-only access to the Base DN for users and groups. Use UPN format (for example, user@example.com) rather than DN format. vCenter Server stores these credentials and uses them for every directory lookup, so use a dedicated service account that has no more than that read access.
  - Password: Enter the password of the user specified by Username.
  - Connect To: Select which domain controller to connect to.
    - Select Any domain controller in the domain to connect to any domain controller.
    - Select Specific domain controllers to specify the domain controllers. If you select Specific domain controllers, specify the URL for the primary server and the secondary server used for failover. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for ldap: connections and 636 for ldaps: connections. For Active Directory multi-domain deployments that query the global catalog, the port is typically 3268 for ldap: connections and 3269 for ldaps: connections. Prefer ldaps:, because a plain ldap: connection sends the bind password and every directory query result unencrypted between the SDDC and the domain controller.
  - SSL Certificates: If you use ldaps:, select Browse and select a certificate file to upload to secure the ldaps: connection. Certificates can be exported in several formats. Be sure to export the format supported by the Identity Source Type you chose.
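Before entering these values, it pays to check them outside vCenter: a mistyped port, a DN-format username, or a cleartext ldap:// URL is easier to catch from a shell than from the wizard's error message. The following script is an added example, not part of the VMware documentation or product. It checks the field formats the dialog requires, captures the domain controller's certificate chain for the SSL Certificates field, and proves that the bind account can actually read the Base DN. The host dc01.example.com, the domain example.com, the account svc-vcenter@example.com and the base DN are hypothetical, and the OpenLDAP client tools (ldapsearch), openssl and sed are assumed to be installed.

```shell
#!/bin/sh
# Pre-flight checks for the values entered in the Add Identity Source dialog.
# Added example, not VMware's code. Hostnames, domain, account and base DN
# below are hypothetical; ldapsearch, openssl and sed are assumed to exist.

# ldap_url_ok URL
# Validates a "Connect To" URL. Exit status: 0 = well-formed with the
# conventional port for its scheme, 2 = well-formed but non-standard port
# (warns), 1 = rejected (bad scheme, missing host/port, scheme/port mismatch).
ldap_url_ok() {
  url=$1
  case "$url" in
    ldaps://*) scheme=ldaps; rest=${url#ldaps://} ;;
    ldap://*)  scheme=ldap;  rest=${url#ldap://} ;;
    *) echo "reject: $url: scheme must be ldap:// or ldaps://" >&2; return 1 ;;
  esac
  host=${rest%%:*}
  port=${rest##*:}
  if [ -z "$host" ] || [ "$host" = "$rest" ]; then
    echo "reject: $url: use hostname:port with an explicit port" >&2; return 1
  fi
  case "$port" in
    ''|*[!0-9]*) echo "reject: $url: port must be numeric" >&2; return 1 ;;
  esac
  case "$scheme:$port" in
    ldap:389|ldap:3268)
      echo "warn: $url sends the bind password in cleartext; prefer ldaps://" >&2; return 0 ;;
    ldaps:636|ldaps:3269) return 0 ;;
    ldap:636|ldap:3269|ldaps:389|ldaps:3268)
      echo "reject: $url: port $port does not match scheme $scheme" >&2; return 1 ;;
    *) echo "warn: $url: non-standard port $port, confirm the DC listens there" >&2; return 2 ;;
  esac
}

# upn_ok NAME
# The Username field must be user@domain (UPN), not a DN or DOMAIN\user.
upn_ok() {
  case "$1" in
    *@*.*) return 0 ;;
    *) echo "reject: '$1': use UPN format such as user@example.com" >&2; return 1 ;;
  esac
}

# domain_ok NAME
# The Domain Name field must be an FQDN; an IP address is refused.
domain_ok() {
  case "$1" in
    *[!0-9.]*) case "$1" in *.*) return 0 ;; esac ;;
  esac
  echo "reject: '$1': Domain Name must be an FQDN, not an IP address" >&2
  return 1
}

# fetch_dc_cert HOST PORT OUT.pem
# Captures the certificate chain the domain controller presents on its ldaps
# port, in PEM, so the issuing CA (or the leaf) can be uploaded under
# SSL Certificates and used to verify the bind test below.
fetch_dc_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
  [ -s "$3" ]
}

# check_bind URL UPN BASEDN [CA.pem]
# Proves the service account can bind and read the Base DN: a base-scope
# search returns only the base entry. -W prompts for the password; with a
# CA file the server certificate is verified rather than trusted blindly.
check_bind() {
  if [ -n "$4" ]; then
    LDAPTLS_CACERT=$4 ldapsearch -x -H "$1" -D "$2" -W -b "$3" -s base '(objectClass=*)' dn
  else
    ldapsearch -x -H "$1" -D "$2" -W -b "$3" -s base '(objectClass=*)' dn
  fi
}

# preflight URL UPN DOMAIN BASEDN
# Runs the format checks first, then the live checks only if the formats pass.
preflight() {
  ok=0
  ldap_url_ok "$1" || [ $? -eq 2 ] || ok=1
  upn_ok "$2" || ok=1
  domain_ok "$3" || ok=1
  [ "$ok" -eq 0 ] || return 1
  host=${1#*://}; host=${host%%:*}; port=${1##*:}
  case "$1" in
    ldaps://*) fetch_dc_cert "$host" "$port" "$host.pem" || return 1
               check_bind "$1" "$2" "$4" "$host.pem" ;;
    *)         check_bind "$1" "$2" "$4" ;;
  esac
}

# Usage with the hypothetical values (run from a host that can reach the DC):
#   preflight ldaps://dc01.example.com:636 svc-vcenter@example.com example.com 'DC=example,DC=com'
```

Run preflight once per domain controller you intend to list under Specific domain controllers, including the failover server; if check_bind succeeds with the captured PEM file, that same file is the one to upload under SSL Certificates, and a bind that only works without the CA file means the certificate the DC presents is not the one you are about to trust.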
When the identity source is added, on-premises users can authenticate to the SDDC but have the No access role. Add permissions for a group of users to give them the cloud administrator role.