Difference between revisions of "Cool Solution - Use VMware Single Sign-On with UCS"

From Univention Wiki

 
(13 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Review-Status}} {{Cool Solutions Disclaimer}} {{Version|UCS=3.1}}  
+
{{Version|UCS=4.1}}
 +
{{Cool Solutions Disclaimer|Repository=no}}
 +
{{#seo:
 +
|title={{#replace:{{#replace:{{#replace:{{#replace:{{FULLPAGENAME}}|'|'}}|&|&}}|"|"}}|Cool Solution - |}} - {{SITENAME}}
 +
<!--|description=-->
 +
}}
  
=== Introduction  ===
+
VMware vSphere 6.0 provides Single Sign-On through a VMware vCenter instance. VMware Single Sign-On expects Microsoft Active Directory as so-called "Identity Source", but is also able to use other types of user repositories. This article describes how to use UCS 4.1 with Samba 4 instead of Microsoft Active Directory.
  
VMware vSphere 5.1 provides Single Sign-On throughout a VMware vCenter instance. VMware Single Sign-On expects Microsoft Active Directory as so-called "Identity Source", but is also able to use other types of user repositories. This article describes how to use UCS 3.1 / Samba 4 instead of Microsoft Active Directory.
+
{{TOC}}
  
=== Prerequisites  ===
+
== Prerequisites  ==
  
Depending on the size of the environment the number of UCS, Windows and VMware ESXi Hypervisor hosts may vary. Let's assume the following minimum configuration:  
+
Depending on the size of the environment the number of UCS, Windows and VMware ESXi Hypervisor hosts may vary. Let's assume the following minimum configuration:
  
*1 UCS 3.1 Domain Controller Master with Samba 4  
+
*1 UCS 4.1 Domain Controller Master with Samba 4
*1 Windows Server, member of the UCS 3.1/Samba 4 domain with the following VMware vSphere 5.1 components installed:<br>&nbsp; &nbsp; &nbsp; &nbsp; VMware vCenter Single Sign On<br>&nbsp; &nbsp; &nbsp; &nbsp; VMware vCenter Inventory Service<br>&nbsp; &nbsp; &nbsp; &nbsp; VMware vCenter Server<br>&nbsp; &nbsp; &nbsp; &nbsp; VMware vSphere Client<br>&nbsp; &nbsp; &nbsp; &nbsp; VMware vSphere Web Client  
+
*1 Windows Server, member of the UCS 4.1/Samba 4 domain with the following VMware vSphere 6.0 components installed:
 +
**&nbsp; &nbsp; &nbsp; &nbsp; VMware vCenter Single Sign On<br>
 +
**&nbsp; &nbsp; &nbsp; &nbsp; VMware vCenter Inventory Service<br>
 +
**&nbsp; &nbsp; &nbsp; &nbsp; VMware vCenter Server<br>
 +
**&nbsp; &nbsp; &nbsp; &nbsp; VMware vSphere Client<br>
 +
**&nbsp; &nbsp; &nbsp; &nbsp; VMware vSphere Web Client
 
*1 VMware ESXi Hypervisor Host [optional, but reasonable]
 
*1 VMware ESXi Hypervisor Host [optional, but reasonable]
  
=== Known Issues ===
+
== Configuration of VMware vCenter Single Sign-On ==
  
During the installation of VMware vCenter on the Windows Server the following warning might appear:  
+
Start "VMware vSphere Web Client" on the Windows Server or open your vSphere-Client-URL in your browser (usually https://<your-vCenter-server>:9443/vsphere-client).<br>
 +
Log in with your "administrator@<system-domain>"-Account (by default "administrator@vsphere.local") that was created during installation of vCenter.
  
''Warning 29155: The identity source was not identified automatically.''
+
[[Image:VMware 02 open VMware vSphere WebClient.png|500px|VMware vSphere Web Client]]<br>
  
This warning can be ignored. The identity source will be added manually after the installation finished.  
+
'''Note:''' You need to use "administrator@<system-domain>". Any other account won't be able to add "Identity Sources" at this point. So make sure, that the account is not disabled or deleted.
  
=== Configuration of VMware vCenter Single Sign-On  ===
 
  
Start "VMware vSphere Web Client" on the Windows Server or open your vSphere-Client-URL in your browser (usually https://your-vCenter-server:9443/vsphere-client).<br>Log in with your "admin@System-Domain"-Account that was created during installation of vCenter.  
+
Now go to ''Administration'' → ''Single Sign-On'' → ''Configuration'' → ''Identity Sources'' and add a new "Identity Source" (+).
  
[[Image:VMware 02 open VMware vSphere WebClient.png|500px|VMware vSphere Web Client]]<br>  
+
[[Image:VMware 03 WebClient Administration.png|Administration]]&nbsp; &nbsp; &nbsp;[[Image:VMware 04 WebClient Add Identity Source.png|Add Identity Source]]&nbsp; &nbsp; &nbsp;<br>
  
'''Note:''' You need to use "admin@System-Domain". Any other account won't be able to add "Identity Sources" at this point. So make sure the account is not disabled or deleted.
+
<br>
  
Go to ''Administration'' → ''Sign-On and Discovery'' → ''Configuration'' → ''Identity Sources'' and add a new "Identity Source" (+).
+
A new window will open up. Select ''Active Directory as an LDAP Server'' and enter the desired information:
  
<br>
+
*Name: a name for this "Identity Source"
 +
*Base DN for users: the distinguished name (DN) base for the ldap-server users
 +
*Domain name: The fully qualified domain name (FQDN)
 +
*''(Optional)'' Domain alias: the NetBIOS name of the domain
 +
*Base DN for groups: usually the same as the base DN for users
 +
*Primary server URL: consisting of Protocol, DC Master FQDN and LDAP-Port (e.g. ldap://ucs-master.example.com:389 or ldaps://usc-master.example.com:636)
 +
*''(Optional)'' Secondary server URL: recommended when there's a DC Backup
  
[[Image:VMware 03 WebClient Administration.png|300px|Administration]]&nbsp; &nbsp; &nbsp;[[Image:VMware 04 WebClient Add Identity Source.png|300px|Add Identity Source]]&nbsp; &nbsp; &nbsp;<br>
+
*Username: domain user with right to read LDAP in DN format
 +
*Password: for the above user
  
<br>
+
'''Note:''' the certificate needed when using LDAP over SSL can be found on the homepage of your UCS master server while not logged in. Click on the ''Administration'' tab, then right-click ''Root certificate'' and select "Save Link As..." to download it. You now have to rename the file extension from ''crt'' to ''cer'', before importing it to vCenter via the "Choose Certificate..." button.
  
A new window will open up. Select ''Active Directory'' and enter the desired information:
 
  
*a name for this "Identity Source" (e.g. UCS3-SAMBA4)
+
[[Image:Identity source.png|500px|Identity Source configuration]]
*primary ldap-URL consisting of DC Master FQDN or IP adress and LDAP-Port (e.g. ldap://ucs-master.example.com:389)
 
*''Optional:'' secondary LDAP Server, recommended when there's a DC Backup
 
*Domain name (e.g. example.com)
 
*Domain alias, which is the NetBIOS name of the domain (e.g. EXAMPLE)
 
*Authentication Type: Password
 
*Username: PrivilegedUser@example.com (domain user with right to read LDAP)
 
*Password of the above user
 
  
<br>
 
  
[[Image:VMware 05 WebClient Edit Identity Source.png|500px|Identity Source configuration]]
+
The users are now able to log in with their credentials:  
  
<br>  
+
*username@<FQDN of domain> (e.g. username@example.com)
 +
*domain-user's password
  
Change to ''Administration'' → ''Access'' → ''SSO Users and Groups'' → Open ''Groups'' → Add a new group (e.g. ''VMware Domain Admins'') → Select this group and click ''Add Principals''
+
While using the VMware vSphere Client (not the Web Client), users can also now select "Use Windows session credentials", when logged into the Windows Server with their account.<br>
 +
Note though, that they won't be able to see/manage anything without giving them the permissions to do so.<br>
 +
For that, you can either assign them global rights or only rights for specific servers.<br>
  
[[Image:VMware 06 WebClient Add Group.png|300px|Add group]]&nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp;[[Image:VMware 08 WebClient Add Principals.png|400px|Add principals]]
+
=== Permissions ===
  
<br> &nbsp;A new window opens up: Select the "Identity Source" we added before (e.g. example.com) and search for your desired LDAP-group (e.g. ''Domain Admins''), then click ''Add'' and ''OK''.  
+
To set global permissions, just navigate to ''Administration'' -> ''Access Control'' -> ''Global Permissions'' and click on "Add permission" (+).<br>
 +
Here you can assign roles (right) to users and groups you add on the left side. You can create new roles under ''Administration'' -> ''Access Control'' -> ''Roles'', if you don't want to work with the default ones.
  
[[Image:VMware 09 WebClient Edit Principals.png|500px|Principals]]
+
The same can be done for each inventory object. For this, you have to browse to the page of the object and open their "Permissions" page.
 +
An example would be ''Hosts and Clusters'' -> ''<FQDN of this server>'' -> ''Manage'' -> ''Permissions''.
 +
Here you can set permissions the same way you can globally.
  
<br>
+
[[Image:VMware 06 WebClient Add Permissions.png|400px|Permissions]]
  
The chosen users/groups are now able to log in with their credentials:
+
Please consult the vCenter documentation linked below, if you need more detailed information on how to set permissions.
  
*username@example.com  
+
== Further Links ==
*domain-user password
+
*vSphere Permissions and User Management Tasks - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-5372F580-5C23-4E9C-8A4E-EF1B4DD9033E.html
 +
*Using Roles to Assign Privileges - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-18071E9A-EED1-4968-8D51-E0B4F526FDA3.html
 +
*Add a Global Permission - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-1CE39F3C-0BC5-4CDC-9D62-D8F90644880D.html
 +
*Add a Permission to an Inventory Object - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-A0F6D9C2-CE72-4FE5-BAFC-309CFC519EC8.html
  
<br>
+
[[Category:3rd Party]]
 
 
While using the VMware vSphere Client (not the Web Client), users can now select "Use Windows session credentials".
 
 
 
[[Image:VMware 99 VMware vSphere Client.png|400px|VMware vSphere Client]]  
 
 
 
<br> '''Note''': If a user password is changed or the user is disabled/deleted in your LDAP, this will '''not''' affect an active session in VMware vSphere (Web) Client. The changes will have an effect on the next login.
 
 
 
'''Note''': Don't forget to add the right to manage a vCenter server (or single VMs) for the users. This can be done via vCenter → ''your vCenter server'' → ''Manage'' → ''Permissions'' → ''Add permission''. Otherwise the users will be able to log in, but won't see any vServers, Datacenters or Hosts.
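Review bot: the two notes at the end of the old revision ('''Note''': If a user password is changed or the user is disabled/deleted in your LDAP, this will '''not''' affect an active session ... and the note about adding the right to manage a vCenter server) have no counterpart in the new text; the first one is a security-relevant caveat for anyone who disables or removes accounts on the UCS side expecting vCenter sessions to end, and it should be carried over, for instance right after the "The users are now able to log in with their credentials" list. Two smaller points in the identity source list: the ldaps example reads "ldaps://usc-master.example.com:636" (ucs-master is meant), and since a simple bind over ldap://...:389 sends the bind user's password unencrypted, the ldaps variant together with the root-certificate note that follows it deserves to be presented as the default rather than as an alternative; the account entered in the "Username" field should likewise be a dedicated read-only user, as the text's "domain user with right to read LDAP" implies, rather than an administrative one.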
 

Latest revision as of 14:07, 8 September 2017

UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Please also observe the legal notes in the Terms of Service.

VMware vSphere 6.0 provides Single Sign-On through a VMware vCenter instance. VMware Single Sign-On expects Microsoft Active Directory as its "Identity Source", but can also use other types of user repositories. This article describes how to use UCS 4.1 with Samba 4 instead of Microsoft Active Directory.

Prerequisites

Depending on the size of the environment the number of UCS, Windows and VMware ESXi Hypervisor hosts may vary. Let's assume the following minimum configuration:

  • 1 UCS 4.1 Domain Controller Master with Samba 4
  • 1 Windows Server, member of the UCS 4.1/Samba 4 domain with the following VMware vSphere 6.0 components installed:
    • VMware vCenter Single Sign On
    • VMware vCenter Inventory Service
    • VMware vCenter Server
    • VMware vSphere Client
    • VMware vSphere Web Client
  • 1 VMware ESXi Hypervisor Host [optional, but reasonable]

Configuration of VMware vCenter Single Sign-On

Start "VMware vSphere Web Client" on the Windows Server or open your vSphere Web Client URL in your browser (usually https://<your-vCenter-server>:9443/vsphere-client).
Log in with the "administrator@<system-domain>" account (by default "administrator@vsphere.local") that was created during the installation of vCenter.

[Screenshot: VMware vSphere Web Client]

Note: You need to use "administrator@<system-domain>". No other account is able to add "Identity Sources" at this point, so make sure that this account is not disabled or deleted.


Now go to Administration → Single Sign-On → Configuration → Identity Sources and add a new "Identity Source" (+).

[Screenshots: Administration; Add Identity Source]


A new window will open. Select Active Directory as an LDAP Server and enter the required information:

  • Name: a name for this "Identity Source"
  • Base DN for users: the distinguished name (DN) under which the LDAP server's user objects are stored
  • Domain name: the fully qualified domain name (FQDN) of the domain
  • (Optional) Domain alias: the NetBIOS name of the domain
  • Base DN for groups: usually the same as the base DN for users
  • Primary server URL: protocol, DC master FQDN and LDAP port (e.g. ldap://ucs-master.example.com:389 or ldaps://ucs-master.example.com:636)
  • (Optional) Secondary server URL: recommended when there is a DC Backup
  • Username: a domain user with permission to read the LDAP directory, given in DN format
  • Password: the password of the above user

Note: the certificate needed for LDAP over SSL can be downloaded from the start page of your UCS master server without logging in: click the Administration tab, then right-click Root certificate and select "Save Link As...". Rename the file extension from crt to cer before importing the file into vCenter via the "Choose Certificate..." button.
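The field list above translates into a few checks that are worth running before the form is saved. The following Python script is an added example, not code from the article or from Univention or VMware: it validates the DN fields and server URLs against each other, flags an ldap:// URL because a simple bind over it sends the bind account's password unencrypted, and builds an ldapsearch command (OpenLDAP client tools; the LDAPTLS_CACERT environment variable points the client at the downloaded UCS root certificate) with which the bind user and base DN can be tried from a shell before vCenter is touched. All sample values (example.com, ucs-master, ucs-backup, the vcenter-ldap bind user, ucs-root-ca.cer) are constructed placeholders.

```python
"""Consistency checks for the fields of a vCenter "Active Directory as an LDAP Server"
identity source pointed at a UCS/Samba 4 domain controller (added example, not from the article)."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")  # one RDN of the form attr=value


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'cn=users,dc=example,dc=com' into [('cn', 'users'), ('dc', 'example'), ('dc', 'com')].
    A UPN such as user@example.com contains no '=' and is rejected: vCenter wants the bind user as a DN."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not _RDN.match(rdn):
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.lower(), value.strip()))
    return parts


def domain_dn(fqdn: str) -> str:
    """example.com -> dc=example,dc=com, the default base DN of a Samba 4 domain."""
    return ",".join(f"dc={label}" for label in fqdn.strip(".").lower().split("."))


def parse_ldap_url(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port); the port defaults to 389 for ldap:// and 636 for ldaps://."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be ldap or ldaps: {url!r}")
    if not u.hostname:
        raise ValueError(f"missing host: {url!r}")
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme]


@dataclass
class IdentitySource:
    name: str
    domain_name: str
    base_dn_users: str
    base_dn_groups: str
    primary_url: str
    username: str            # bind user in DN format
    secondary_url: str = ""  # the DC Backup, if there is one
    domain_alias: str = ""   # NetBIOS name of the domain


def check_identity_source(src: IdentitySource) -> list[str]:
    """Return findings as strings; an empty list means the fields are mutually consistent."""
    findings = []
    suffix = domain_dn(src.domain_name)
    for label, dn in (("Base DN for users", src.base_dn_users),
                      ("Base DN for groups", src.base_dn_groups),
                      ("Username", src.username)):
        try:
            parse_dn(dn)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
            continue
        if not dn.lower().replace(" ", "").endswith(suffix):
            findings.append(f"{label}: {dn!r} is not below the domain DN {suffix!r}")
    for label, url in (("Primary server URL", src.primary_url),
                       ("Secondary server URL", src.secondary_url)):
        if not url:
            continue
        try:
            scheme, host, port = parse_ldap_url(url)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
            continue
        if not host.lower().endswith("." + src.domain_name.lower()):
            findings.append(f"{label}: host {host!r} is not in {src.domain_name!r}")
        if scheme == "ldap":
            findings.append(f"{label}: ldap:// on port {port} sends the bind password in clear; "
                            "use ldaps:// with the UCS root certificate instead")
    if src.domain_alias and not re.fullmatch(r"[^\s.]{1,15}", src.domain_alias):
        findings.append("Domain alias: a NetBIOS name has at most 15 characters and no dots or spaces")
    return findings


def ldapsearch_command(src: IdentitySource, ca_cert: str = "ucs-root-ca.cer") -> str:
    """Shell command (OpenLDAP client tools) that tries the bind user and base DN before the
    identity source is saved; LDAPTLS_CACERT points the client at the downloaded UCS root certificate."""
    argv = ["ldapsearch", "-x", "-H", src.primary_url, "-D", src.username, "-W",
            "-b", src.base_dn_users, "-s", "sub", "(objectClass=user)", "sAMAccountName"]
    return f"LDAPTLS_CACERT={shlex.quote(ca_cert)} " + " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample values; replace them with those of your own domain.
    src = IdentitySource(name="UCS-SAMBA4", domain_name="example.com",
                         base_dn_users="cn=users,dc=example,dc=com",
                         base_dn_groups="cn=users,dc=example,dc=com",
                         primary_url="ldaps://ucs-master.example.com:636",
                         secondary_url="ldaps://ucs-backup.example.com:636",
                         username="cn=vcenter-ldap,cn=users,dc=example,dc=com",
                         domain_alias="EXAMPLE")
    for finding in check_identity_source(src) or ["no findings"]:
        print(finding)
    print(ldapsearch_command(src))
```

An empty findings list only means the values are consistent with each other; whether the bind account can actually read the user base is what the printed ldapsearch command is for, and it prompts for the password (-W) rather than taking it on the command line.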


[Screenshot: Identity Source configuration]


The users are now able to log in with their credentials:

  • username@<FQDN of domain> (e.g. username@example.com)
  • domain-user's password

While using the VMware vSphere Client (not the Web Client), users can now also select "Use Windows session credentials" when they are logged into the Windows Server with their domain account.
Note, though, that they won't be able to see or manage anything until they have been given the permissions to do so.
For that, you can assign them either global rights or rights for specific servers only.

Permissions

To set global permissions, navigate to Administration -> Access Control -> Global Permissions and click "Add permission" (+).
Here you assign roles (on the right) to the users and groups you add on the left. If you don't want to work with the default roles, you can create new ones under Administration -> Access Control -> Roles.

The same can be done for each inventory object: browse to the object's page and open its "Permissions" page, for example Hosts and Clusters -> <FQDN of this server> -> Manage -> Permissions. Permissions are set here the same way as globally.

[Screenshot: Permissions]

Please consult the vCenter documentation linked below if you need more detailed information on how to set permissions.

Further Links

  • vSphere Permissions and User Management Tasks - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-5372F580-5C23-4E9C-8A4E-EF1B4DD9033E.html
  • Using Roles to Assign Privileges - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-18071E9A-EED1-4968-8D51-E0B4F526FDA3.html
  • Add a Global Permission - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-1CE39F3C-0BC5-4CDC-9D62-D8F90644880D.html
  • Add a Permission to an Inventory Object - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-A0F6D9C2-CE72-4FE5-BAFC-309CFC519EC8.html
