Cool Solution - Use VMware Single Sign-On with UCS
From Univention Wiki
VMware vSphere 5.1 provides Single Sign-On throughout a VMware vCenter instance. VMware Single Sign-On expects Microsoft Active Directory as so-called "Identity Source", but is also able to use other types of user repositories. This article describes how to use UCS 3.1 / Samba 4 instead of Microsoft Active Directory.
Depending on the size of the environment the number of UCS, Windows and VMware ESXi Hypervisor hosts may vary. Let's assume the following minimum configuration:
- 1 UCS 3.1 Domain Controller Master with Samba 4
- 1 Windows Server, member of the UCS 3.1/Samba 4 domain with the following VMware vSphere 5.1 components installed:
VMware vCenter Single Sign On
VMware vCenter Inventory Service
VMware vCenter Server
VMware vSphere Client
VMware vSphere Web Client
- 1 VMware ESXi Hypervisor Host [optional, but reasonable]
During the installation of VMware vCenter on the Windows Server the following warning might appear:
Warning 29155: The identity source was not identified automatically.
This warning can be ignored. The identity source will be added manually after the installation finished.
Configuration of VMware vCenter Single Sign-On
Start "VMware vSphere Web Client" on the Windows Server or open your vSphere-Client-URL in your browser (usually https://your-vCenter-server:9443/vsphere-client).
Log in with your "admin@System-Domain"-Account that was created during installation of vCenter.
Note: You need to use "admin@System-Domain". Any other account won't be able to add "Identity Sources" at this point. So make sure the account is not disabled or deleted.
Go to Administration → Sign-On and Discovery → Configuration → Identity Sources and add a new "Identity Source" (+).
A new window will open up. Select Active Directory and enter the desired information:
- a name for this "Identity Source" (e.g. UCS3-SAMBA4)
- primary ldap-URL consisting of DC Master FQDN or IP adress and LDAP-Port (e.g. ldap://ucs-master.example.com:389)
- Optional: secondary LDAP Server, recommended when there's a DC Backup
- Domain name (e.g. example.com)
- Domain alias, which is the NetBIOS name of the domain (e.g. EXAMPLE)
- Authentication Type: Password
- Username: PrivilegedUser@example.com (domain user with right to read LDAP)
- Password of the above user
Change to Administration → Access → SSO Users and Groups → Open Groups → Add a new group (e.g. VMware Domain Admins) → Select this group and click Add Principals
A new window opens up: Select the "Identity Source" we added before (e.g. example.com) and search for your desired LDAP-group (e.g. Domain Admins), then click Add and OK.
The chosen users/groups are now able to log in with their credentials:
- domain-user password
While using the VMware vSphere Client (not the Web Client), users can now select "Use Windows session credentials".
Note: If a user password is changed or the user is disabled/deleted in your LDAP, this will not affect an active session in VMware vSphere (Web) Client. The changes will have an effect on the next login.
Note: Don't forget to add the right to manage a vCenter server (or single VMs) for the users. This can be done via vCenter → your vCenter server → Manage → Permissions → Add permission. Otherwise the users will be able to log in, but won't see any vServers, Datacenters or Hosts.