Book Image

VMware vRealize Orchestrator Cookbook

By : Daniel Langenhan
Book Image

VMware vRealize Orchestrator Cookbook

By: Daniel Langenhan

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
VMware vRealize Orchestrator Cookbook
Daniel Langenhan
Feb, 2015 | 382 pages
No titles found
Table of Contents (15 chapters)
VMware vRealize Orchestrator Cookbook
VMware vRealize Orchestrator Cookbook
Credits
Credits
Foreword
Foreword
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Installing and Configuring Orchestrator
Installing and Configuring Orchestrator
Introduction
Getting Orchestrator running in 5 minutes (or less)
Deploying the Orchestrator appliance
Installing Orchestrator on Windows
Two ways to configure Orchestrator
Important Orchestrator base configurations
Configuring Orchestrator with an external LDAP or Active Directory
Integrating Orchestrator into SSO and vSphere Web Client
Configuring an external database
2
Optimizing Orchestrator Configuration
Optimizing Orchestrator Configuration
Introduction
Plugin basics
Tuning the appliance
Tuning Java
Backup and recovery
Creating an Orchestrator cluster
Configuring the Orchestrator Service SSL certificate
Configuring e-mail
Redirecting Orchestrator Syslog to an external Syslog server
Configuring the Kerberos authentication
Configuring access to the local filesystem
Updating Orchestrator
3
Visual Programming
Visual Programming
Introduction
Workflow basics
Version control
Working with logs
Error handling in workflows
Resuming failed workflows
Using the workflow debugging function
Working with decisions
Working with loops
Working with presentations
Working with configurations
Working with actions
Linking actions in presentations
Waiting tasks
Sending and waiting for custom events
Using asynchronous workflows
Working with user interactions
Changing credentials
4
Working with Plugins
Working with Plugins
Introduction
Working with the API
Working with mails
File operations
Working with SSH
Working with XML
Working with SQL
Working with PowerShell
Working with SOAP
Working with REST
Working with Active Directory
Working with SNMP
Working with AMQP
5
Basic Orchestrator Operations
Basic Orchestrator Operations
Introduction
Basic Orchestrator operations for Orchestrator elements
Changing elements in a workflow
Undelete workflows and actions
Importing and exporting Orchestrator elements
Synchronize Orchestrator elements between Orchestrator servers
Working with packages
User management
User preferences
Scheduling workflows
Workflow auto documentation
Orchestrator and vSphere Web Client
6
Advanced Operations
Advanced Operations
Introduction
Accessing the Orchestrator API via REST
Working with resources
Working with tags
Working with locks
Language packs (localization)
Working with policies
Managing remote Orchestrator
7
Working with VMware Infrastructure
Working with VMware Infrastructure
Introduction
Unmounting all the CD-ROMs of all VMs in a cluster
Provisioning a VM from a template
An approval process for VM provisioning
Working with the vCenter API (to change a VM's HA settings)
Standard vSwitch and Distributed Switch ports
Executing a program inside a VM
Configuring a vRA instance in Orchestrator
Configuring an external Orchestrator in vRA
Adding an Orchestrator endpoint
Integrating Orchestrator workflows in vRA
Managing AD users with vRA
Index
Index

Configuring Orchestrator with an external LDAP or Active Directory

In this recipe, we will configure Orchestrator with an external LDAP or Active Directory service. VMware best practice is to use Orchestrator together with SSO, which is described in the Integrating Orchestrator into SSO and vSphere Web Client recipe. This recipe doesn't work with the vRA-integrated Orchestrator.

Getting ready

You need a supported LDAP service configured and running. The following LDAP services are supported in vCO 5.5:

  • Windows Server 2008 Active Directory

  • Windows Server 2012 Active Directory

  • OpenLDAP

  • Novell eDirectory Server 8.8.3

  • Sun Java System Directory Server 6.3

We also need to create a group and a user in these services, so you should have access to these services.

You should be comfortable with using one of the methods described in the Two ways to configure Orchestrator recipe.

If your LDAP (AD) requires SSL (Kerberos), you will need to import the SSL certificate first (see the Important Orchestrator base configurations recipe in this chapter.

Tip

Changing the authentication might require changing the plugin credentials. For more details, see the Plugin basics recipe in Chapter 2, Optimizing Orchestrator Configuration.

How to do it...

We will focus on linking Orchestrator to AD. Connecting Orchestrator to LDAP is pretty much the same procedure; for anyone who understands LDAP, this will be a breeze.

AD is basically the same as LDAP but most Windows administrators have problems with the LDAP representation of AD, which is why we focus on AD in this recipe.

We will configure SSO in the Integrating Orchestrator into SSO and vSphere Web Client recipe.

Creating an Orchestrator Admin group and user

Before we can add an external LDAP, we need to configure at least one group and one user. To do this, perform the following steps:

  1. Log in to your LDAP or AD.

  2. Create an Orchestrator Administrator group and an Orchestrator Administrator user.

  3. Make the Orchestrator Administrator user a member of the Orchestrator Administrator group.

For this example, I have created a user called vcoadmin as well as a group called vcoadmins in AD. The AD domain is called mylab.local.

Tip

LDAP entries are always case-sensitive.

Again, we will show both methods.

Using the Orchestrator Configuration tool

  1. Open the Orchestrator Configuration tool.

  2. Click on the Authentication section.

  3. Select LDAP as the authentication method.

  4. In LDAP client, select Active Directory.

  5. In the Primary LDAP host field, enter mylab.local as the Active Domain DNS name.

  6. The standard port for Microsoft Active Directory LDAP is 389.

  7. Enter dc=mylab,dc=local as the root for your domain.

  8. If you have secured your AD with Kerberos, you need to activate SSL (don't forget to import the SSL certificate first).

  9. The username can be entered in both formats: user@Domain or domain\user. The user can be any active user within the AD; however, its best to use Orchestrator Admin.

  10. The user and group lookup base is easiest set to the root of your domain, for example, dc=mylab,dc=local. However, if your AD or LDAP is large, performance-wise it might be better to choose a different root.

  11. The Orchestrator Admin group path can be easily found. Enter the name of the group (case-sensitive) and click on Search to the right.

  12. If the name has been entered correctly, the path should be shown. Click on the LDAP path. The path is now populated with the correct setting.

  13. The rest of the settings can be left alone for most AD settings.

  14. Click on Apply changes.

  15. At this stage, you should try the test login described in the There's more... section of this recipe.

  16. Click on Startup Options and then restart the Orchestrator Server.

  17. Now, try to log in to the Orchestrator Client using the AD user.

Using the workflow

  1. Open the Orchestrator Client.

  2. Navigate to Library | Configuration | Authentication | LDAP.

  3. Right-click on the workflow Configure Active Directory and select Start Workflow.

  4. In the primary host, enter mylab.local as the Active Domain DNS name.

  5. The standard port for AD LDAP is 389.

  6. If you secured your AD with Kerberos, you need to activate SSL.

  7. Click on Next.

  8. Enter dc=mylab,dc=local as the root for your domain.

  9. The username can be entered as [email protected] or domain\user. The user can be any active user in the AD; however, its best to use Orchestrator Admin.

  10. The user and group lookup base is easiest set to the root of your domain, for example, dc=mylab,dc=local. However, if your AD or LDAP is large, it might be performance-wise better to choose a different root.

  11. The Orchestrator Admin group needs to be constructed, but there is no automated tool for it. We use the CN=vcoadmins,CN=Users,DC=MyLab,DC=local values.

  12. Click on Submit and wait until the workflow is successfully completed.

Sadly, there isn't a test to check whether your settings are correct as there is with the Configuration tool. Have a look at the test login described in the There's more... section of this recipe.

There is no workflow to restart Orchestrator Server, so you have to restart the Orchestrator Server another way:

  • In Windows, use services (vCenter Orchestrator Server)

  • In Linux, use the services command from the OS or use the Orchestrator Configurator (see the Tuning the appliance recipe in Chapter 2, Optimizing Orchestrator Configuration)

  • Reboot the Orchestrator Server

Now, try to log in to the Orchestrator Client using the AD user.

How it works...

Configuring Orchestrator to work with an external authentication enables AD users to log in to the Orchestrator Client. The alternative would be either having only one user using it or adding users to the embedded LDAP. However, for a production Orchestrator, the embedded LDAP solution is not viable. As SSO is now a highly integrated part of vSphere, using Orchestrator with AD (or LDAP) isn't really such a good solution any longer. SSO can proxy multiple AD and/or LDAP domains and lets you integrate Orchestrator directly into vCenter as well as other corner pieces of VMware software offerings, making SSO integration the better choice for the future.

In the recipe above, we used the domain DNS address as the primary LDAP host rather than an individual AD server. The DNS entry for AD will forward the LDAP query to the next available AD server, which makes it a more reliable choice.

There's more...

There are some things you should be aware of when working with LDAP.

Test login

In order to find out whether everything is working as it should, we need to test it. However, there is no workflow for this, so you have to trust your entries or use the Configuration tool.

  1. Using the Orchestrator Configuration tool, click on Authentication.

  2. Click on the Test Login tab.

  3. Enter the Orchestrator Admin username and its password and click on Test Login.

  4. Read the message carefully. It should be green and confirm that you can log in and that the user is part of the Orchestrator Admin group.

A red message mostly indicates that the user provided isn't in the LDAP or that the password is wrong.

If the message doesn't confirm an Orchestrator Admin group membership, review the membership of the user account.

Common LDAP errors

When you encounter a problem while setting up LDAP, you will get an error code. This table shows the most commonly encountered error codes:

Code

Meaning

What to do

525

User not found

The user for login isn't found; check whether you have written the domain correctly.

52e

Password is incorrect

Change the password in the password field.

530

531

The User is not allowed to log in

Access LDAP or AD and make sure that the user is allowed to log in remotely and from Orchestrator Server.

532

Password expired

Access LDAP or AD and set a new password.

533

Account disabled

Access LDAP or AD and enable the account.

701

Account expired

Access LDAP or AD and create a new account or use a different user.

773

Must reset password

The User has to reset the password on login. Access LDAP or AD to set a new password or use other methods to set a new password.

775

User locked

Access LDAP or AD and unlock the user account.

See also

See the Integrating Orchestrator into SSO and vSphere Web Client recipe in this chapter to learn how to configure Orchestrator with VMware SSO.

Previous Section
End of Section 8
Next Section