The following article describes how to connect a freshly installed OpenLDAP directory service to an existing VMware vRealize Automation (vRA) installation.

OpenLDAP is configured through a web interface (phpLDAPadmin, see below) for easier administration.

For this article I decided to provide both the OpenLDAP server and the previously mentioned web interface as Docker containers.

OpenLDAP: https://github.com/osixia/docker-openldap

Web interface: https://github.com/osixia/docker-phpLDAPadmin

The following versions were used during the installation.

  Component     Version
  Appliance     vRealize Automation 7.5.0
  IaaS          Windows Server 2008 R2
  SQL Server    Microsoft SQL Express 2014
  OpenLDAP      2.4.47

Instructions

  1. Minimal configuration of OpenLDAP
    1. Creating Organisational Units
    2. Create users and groups
  2. Configuration in vRealize Automation
    1. Add a new directory
    2. Troubleshooting using the Sync Log

Minimal configuration of OpenLDAP

Creating Organisational Units

It is recommended to create at least the following Organisational Units (ou).

  • groups
  • users

Procedure

  1. Start by clicking on Create new Entry in the left sidebar.
  2. By selecting Generic: Organisational Unit, an Organisational Unit can be created and a name can be assigned.
  3. Click Create Object.
  4. Confirm the configuration by clicking on Commit.

After completing the above-mentioned steps, the following configuration should be available.

Create users and groups

Procedure (Create Users)

  1. Start by clicking on the previously created Organisational Unit users.
  2. Click Create a child entry.
  3. By selecting Default, a custom object can be created.
  4. Select inetOrgPerson from the list of ObjectClasses.
  5. Click Proceed >>.
  6. Select cn from the selection list under RDN and complete the values under Required Attributes with your own.
  7. Under Optional Attributes, your own values can be added as desired.
  8. Click on Create Object.
  9. Confirm the configuration by clicking on Commit.

After completing the above-mentioned steps, the following configuration should be available.

Procedure (Create Groups)

  1. Start by clicking on the previously created Organisational Unit users.
  2. Click on Create a child entry.
  3. By selecting Default, a custom object can be created.
  4. Select groupOfUniqueNames from the list of ObjectClasses.
  5. Click Proceed >>.
  6. Select cn from the selection list under RDN and add a group name (cn) under Required Attributes.
  7. In the uniqueMember field, our previously created user is assigned to the group.
  8. Under Optional Attributes, your own values can be added as desired.
  9. Confirm the configuration by clicking on Commit.

Add users to a group afterwards

  1. In the left sidebar, select the desired group to which the user should be assigned.
  2. Under the attribute memberOf a user can be added by clicking on add value.
  3. Finally, click Update Object.
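The same directory layout can be created from the command line instead of through the web UI. The following script is an added example and not part of the article: it emits the LDIF for the two recommended OUs, one inetOrgPerson user and one groupOfUniqueNames group (placed under ou=groups), plus a modify record for adding a user to a group afterwards, and loads it with ldapadd/ldapmodify inside the osixia container. The base DN, admin DN, password file path, container name and the sample user "jdoe" are assumptions.

```shell
#!/bin/sh
# Added example (not the article's own code): the OU/user/group layout the web
# UI steps create, as LDIF loaded with ldapadd inside the osixia container.
# Base DN, admin DN, password file, container name and user "jdoe" are assumptions.
set -eu
BASE_DN="${LDAP_BASE_DN:-dc=example,dc=org}"     # assumed base DN
ADMIN_DN="cn=admin,${BASE_DN}"                   # assumed admin bind DN
CONTAINER="${LDAP_CONTAINER:-openldap}"          # assumed container name
PW_FILE="${LDAP_PW_FILE:-/run/secrets/ldap_admin_pw}"  # assumed path inside the container
# LDIF for both recommended OUs, one inetOrgPerson user and one
# groupOfUniqueNames group that lists the user via uniqueMember.
make_ldif() {
cat <<EOF
dn: ou=users,${BASE_DN}
objectClass: organizationalUnit
ou: users

dn: ou=groups,${BASE_DN}
objectClass: organizationalUnit
ou: groups

dn: cn=jdoe,ou=users,${BASE_DN}
objectClass: inetOrgPerson
cn: jdoe
sn: Doe
uid: jdoe

dn: cn=vra-users,ou=groups,${BASE_DN}
objectClass: groupOfUniqueNames
cn: vra-users
uniqueMember: cn=jdoe,ou=users,${BASE_DN}
EOF
}

# LDIF that adds an existing user ($1) to an existing group ($2) afterwards,
# the command-line counterpart of the "add value" step in the web UI.
member_ldif() {
cat <<EOF
dn: cn=$2,ou=groups,${BASE_DN}
changetype: modify
add: uniqueMember
uniqueMember: cn=$1,ou=users,${BASE_DN}
EOF
}
# -y reads the admin password from a file so it never appears in a process list.
case "${1:-}" in
  apply)  make_ldif | docker exec -i "$CONTAINER" ldapadd -x -H ldap://localhost -D "$ADMIN_DN" -y "$PW_FILE" ;;
  member) member_ldif "$2" "$3" | docker exec -i "$CONTAINER" ldapmodify -x -H ldap://localhost -D "$ADMIN_DN" -y "$PW_FILE" ;;
esac
```

Run `sh create-entries.sh apply` once to create the entries, and `sh create-entries.sh member <uid> <group>` to add further members later; without an argument the script only defines the functions.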

Configuration in vRealize Automation

Add a new Directory

Precondition

  • logged in as vRA tenant administrator

Procedure

  1. Choose Administration > Directories Management > Directories.
  2. Click on Add Directory and choose Add LDAP Directory.
  3. Select a Directory Name and replace the values Server Host and Server Port under Server Location with your own.
  4. Under LDAP Configuration, the following values must be configured for the filter queries.
  5. Under Bind User Details, the following values must be added, and the Bind User Password must be replaced by the administrator password set during the OpenLDAP installation.
  6. Check the connection by clicking the button “Test Connection” (note that the base DN is not validated in this step).
  7. Click Save & Next to save the configuration and proceed to the next step.
  8. The domain under Select Domains should be recognized automatically and can be confirmed with Next.
  9. The mapping under Map User Attributes is not necessary by default and can also be confirmed with Next.
  10. Next, individual groups can be selected for synchronization using the button Select. We select the checkbox Select All to synchronize all found groups and confirm with Next.
  11. At this point, the Distinguished Names (DNs) of individual users can be selected. We choose the Domain Component (dc) to synchronize all users and confirm with Next.
  12. Complete the configuration by clicking on Sync Directory.

The following import status should now be visible under Administration > Directories Management > Directories.

Under Administration > Users & Groups > Directory Users and Groups the created user should now be found by using the search.

Troubleshooting using the Sync Log

An incorrect configuration can cause vRA to display the following error message.

Problem:

For demonstration purposes, an incorrect base DN was specified in the directory configuration.
This results in the error message shown above: “Got failed response from connector.”

This message does not identify the actual cause of the failure, which makes troubleshooting very difficult.

Solution:

  1. Navigate to Administration > Directories Management > Directories and select the affected directory.
  2. Click on Sync Settings.
  3. Navigate to Sync Settings > Sync Frequency and configure a frequency of “Every 15 Minutes”. Alternatively, another frequency can be set.
  4. Click Save & Sync.
  5. Navigate to Administration > Directories Management > Directories and select the affected directory.
  6. Under the Sync Log tab, a more detailed error message should appear once the previously configured interval has elapsed.
  7. After eliminating the errors, the Sync Frequency should be reset to its normal value.

Further information can also be found in connector.log on the vRA appliance: /var/log/vmware/horizon/connector.log

For further questions, please do not hesitate to contact me in the comments. (smile)