Difference between revisions of "Cool Solution - Use VMware Single Sign-On with UCS"

From Univention Wiki

Jump to: navigation, search
m
Line 40: Line 40:
  
 
*a name for this "Identity Source" (e.g. UCS3-SAMBA4)  
 
*a name for this "Identity Source" (e.g. UCS3-SAMBA4)  
*primary ldap-URL consisting of DC Master FQDN or IP adress and LDAP-Port (e.g. ldap://ucs-master.example.com:389)  
+
*primary ldap-URL consisting of DC Master FQDN and LDAP-Port (e.g. ldap://ucs-master.example.com:389)  
 
*''Optional:'' secondary LDAP Server, recommended when there's a DC Backup  
 
*''Optional:'' secondary LDAP Server, recommended when there's a DC Backup  
 
*Domain name (e.g. example.com)  
 
*Domain name (e.g. example.com)  

Revision as of 13:34, 29 April 2013

Note: This article is not yet reviewed.

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.
Produktlogo UCS Version 3.1

Introduction

VMware vSphere 5.1 provides Single Sign-On throughout a VMware vCenter instance. VMware Single Sign-On expects Microsoft Active Directory as so-called "Identity Source", but is also able to use other types of user repositories. This article describes how to use UCS 3.1 / Samba 4 instead of Microsoft Active Directory.

Prerequisites

Depending on the size of the environment the number of UCS, Windows and VMware ESXi Hypervisor hosts may vary. Let's assume the following minimum configuration:

  • 1 UCS 3.1 Domain Controller Master with Samba 4
  • 1 Windows Server, member of the UCS 3.1/Samba 4 domain with the following VMware vSphere 5.1 components installed:
            VMware vCenter Single Sign On
            VMware vCenter Inventory Service
            VMware vCenter Server
            VMware vSphere Client
            VMware vSphere Web Client
  • 1 VMware ESXi Hypervisor Host [optional, but reasonable]

Known Issues

During the installation of VMware vCenter on the Windows Server the following warning might appear:

Warning 29155: The identity source was not identified automatically.

This warning can be ignored. The identity source will be added manually after the installation finished.

Configuration of VMware vCenter Single Sign-On

Start "VMware vSphere Web Client" on the Windows Server or open your vSphere-Client-URL in your browser (usually https://your-vCenter-server:9443/vsphere-client).
Log in with your "admin@System-Domain"-Account that was created during installation of vCenter.

VMware vSphere Web Client

Note: You need to use "admin@System-Domain". Any other account won't be able to add "Identity Sources" at this point. So make sure the account is not disabled or deleted.

Go to AdministrationSign-On and DiscoveryConfigurationIdentity Sources and add a new "Identity Source" (+).


Administration     Add Identity Source     


A new window will open up. Select Active Directory and enter the desired information:

  • a name for this "Identity Source" (e.g. UCS3-SAMBA4)
  • primary ldap-URL consisting of DC Master FQDN and LDAP-Port (e.g. ldap://ucs-master.example.com:389)
  • Optional: secondary LDAP Server, recommended when there's a DC Backup
  • Domain name (e.g. example.com)
  • Domain alias, which is the NetBIOS name of the domain (e.g. EXAMPLE)
  • Authentication Type: Password
  • Username: PrivilegedUser@example.com (domain user with right to read LDAP)
  • Password of the above user


Identity Source configuration


Change to AdministrationAccessSSO Users and Groups → Open Groups → Add a new group (e.g. VMware Domain Admins) → Select this group and click Add Principals

Add group          Add principals


 A new window opens up: Select the "Identity Source" we added before (e.g. example.com) and search for your desired LDAP-group (e.g. Domain Admins), then click Add and OK.

Principals


The chosen users/groups are now able to log in with their credentials:

  • username@example.com
  • domain-user password


While using the VMware vSphere Client (not the Web Client), users can now select "Use Windows session credentials".

VMware vSphere Client


Note: If a user password is changed or the user is disabled/deleted in your LDAP, this will not affect an active session in VMware vSphere (Web) Client. The changes will have an effect on the next login.

Note: Don't forget to add the right to manage a vCenter server (or single VMs) for the users. This can be done via vCenter → your vCenter serverManagePermissionsAdd permission. Otherwise the users will be able to log in, but won't see any vServers, Datacenters or Hosts.

Personal tools