VMware vCloud Security

Book, 1st Edition, published Oct 2013 by Packt. ISBN-13 9781782170969. 114 pages.

Directory (LDAP) services integration


The main benefit of using LDAP is that it provides a directory of users and groups that can be imported into an organization; without it, a user account has to be created by hand for every user in the organization. LDAP configuration is restricted to the system administrator: an organization administrator cannot modify it. A system administrator can configure LDAP so that each organization has its own LDAP settings. Users and groups must be imported into the organization and assigned roles before they can log in.

With the release of vCloud Director 5.1, users can also be imported from VMware vCenter Single Sign-On. Single Sign-On (SSO) lets a user have one user ID and password that works throughout the system. vCloud Director provides SSO by integrating with either an LDAP directory or the vCenter SSO identity source. Importing users from LDAP or vCenter SSO is the system administrator's job; vCloud Director does not import users automatically.

Note

vCloud Director does not support hierarchical domains in LDAP, and it cannot modify information in an LDAP directory: the integration is read-only from the directory's point of view.

vCloud Director does not import users' passwords from external LDAP systems, and it never reads password hashes from the directory. Instead, when a user logs in, vCloud Director passes the supplied credentials to the LDAP server (an LDAP bind as that user) and lets the directory decide whether the password is correct, so the directory remains the sole authority on passwords.

vCloud Director can use LDAP at both the system level and the organization level. At the system level, you can either connect to an external LDAP system or create local users that exist only inside vCloud Director. Even when an external LDAP system supplies the users, VMware recommends creating at least one purely internal system administrator account: an internally defined system administrator can still log in to the vCloud Director console when the LDAP system is offline.

There are two ways to authenticate to the LDAP server: simple authentication and Kerberos authentication. With simple authentication, vCloud Director binds to the directory by sending a distinguished name (DN) and a password. Kerberos is a ticket-based system for mutual client and server authentication: both parties prove their identity to each other, the client presents a ticket rather than sending its password to the LDAP server, and the protocol is built on symmetric-key cryptography (public-key cryptography can be used for the initial authentication). If you use Kerberos authentication, you must add a Kerberos realm to the vCloud Director server first.

Note

If you use simple authentication without SSL, the bind DN and the password are sent in clear text on the network, where anyone able to capture the traffic can read them.

To use SSL, you must select it, and then decide whether to accept all certificates automatically or to browse to a specific certificate. Accepting all certificates is much easier to configure: whatever certificate the LDAP server presents is accepted. It also means vCloud Director never verifies the LDAP server's identity, so the encrypted session protects the password exchange against passive eavesdropping but not against an attacker who impersonates the LDAP server and collects the bind credentials. Browsing to a specific certificate closes that gap, but the LDAP server's certificate must be available on the system the vCloud Director console runs from, and you must know the location of your SSL keystore file and its password.
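The difference between the two certificate options, as an added example that uses Python's ssl module rather than vCloud Director's own Java keystore handling (the CA bundle path and host name in the usage line are placeholders, not values from the book):

```python
"""The two LDAPS certificate policies side by side.  Added example; not
vCloud Director code.  ca_bundle and the host name at the bottom are
placeholders."""
import socket
import ssl
from typing import Optional


def accept_all_context() -> ssl.SSLContext:
    """'Automatically accept all certificates': the session is encrypted, but
    neither the certificate chain nor the host name is checked, so a host that
    intercepts the connection is accepted exactly like the real LDAP server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """'Browse to a specific certificate': trust only the CA or self-signed
    server certificate in ca_bundle (system trust store if None) and require
    the certificate to match the host name being connected to."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context proves the server's identity before the bind
    DN and password are sent over it."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def ldaps_send(host: str, ctx: ssl.SSLContext, bind_packet: bytes, port: int = 636) -> bytes:
    """Open the TLS session under the chosen policy and send one LDAP message.
    With verified_context() this raises ssl.SSLCertVerificationError when the
    peer cannot prove who it is; accept_all_context() never refuses anyone."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_packet)
            return tls.recv(4096)


if __name__ == "__main__":
    print("accept-all authenticates server:", authenticates_server(accept_all_context()))
    print("verified   authenticates server:", authenticates_server(verified_context()))
    # Real use (placeholders):
    # ldaps_send("ldap.example.com", verified_context("/etc/vcd/ldap-ca.pem"), bind_packet)
```

The accept-all context is the programmatic equivalent of the easier option in the text: encryption without authentication. Pinning the CA or server certificate (the verified context) is what makes the SSL option actually protect the bind credentials from an impersonating server.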

At the organization level, vCloud Director presents the following three options:

  • Do not use LDAP. In this case, all the users in this organization are internally defined in the vCloud Director system.

  • Use the vCloud Director system LDAP service. The organization leverages the LDAP service that has been configured at the system level. To use the system-defined LDAP, all of the organization's users must be defined in the same Organizational Unit (OU) in the LDAP directory.

  • Use a custom LDAP server. A custom LDAP server allows an organization to use its own LDAP service. VMware recommends the use of custom LDAP servers in public cloud implementations.

When you use vCenter SSO, vCloud Director system administrators are authenticated by the vSphere identity provider. As a prerequisite, vCenter SSO must be configured in vSphere, and the vSphere Lookup Service URL must be registered in vCloud Director under the Administration tab, Federation. System administrator users must then be imported (as users or as groups) from the vSphere identity provider. Only vCloud Director system administrator users can be authenticated through vCenter SSO.
