Cool Solution - Use VMware Single Sign-On with UCS
From Univention Wiki
VMware vSphere 6.0 provides Single Sign-On through a VMware vCenter instance. VMware Single Sign-On expects Microsoft Active Directory as so-called "Identity Source", but is also able to use other types of user repositories. This article describes how to use UCS 4.1 with Samba 4 instead of Microsoft Active Directory.
Depending on the size of the environment the number of UCS, Windows and VMware ESXi Hypervisor hosts may vary. Let's assume the following minimum configuration:
- 1 UCS 4.1 Domain Controller Master with Samba 4
- 1 Windows Server, member of the UCS 4.1/Samba 4 domain with the following VMware vSphere 6.0 components installed:
- VMware vCenter Single Sign On
- VMware vCenter Inventory Service
- VMware vCenter Server
- VMware vSphere Client
- VMware vSphere Web Client
- VMware vCenter Single Sign On
- 1 VMware ESXi Hypervisor Host [optional, but reasonable]
Configuration of VMware vCenter Single Sign-On
Start "VMware vSphere Web Client" on the Windows Server or open your vSphere-Client-URL in your browser (usually https://<your-vCenter-server>:9443/vsphere-client).
Log in with your "administrator@<system-domain>"-Account (by default "firstname.lastname@example.org") that was created during installation of vCenter.
Note: You need to use "administrator@<system-domain>". Any other account won't be able to add "Identity Sources" at this point. So make sure, that the account is not disabled or deleted.
Now go to Administration → Single Sign-On → Configuration → Identity Sources and add a new "Identity Source" (+).
A new window will open up. Select Active Directory as an LDAP Server and enter the desired information:
- Name: a name for this "Identity Source"
- Base DN for users: the distinguished name (DN) base for the ldap-server users
- Domain name: The fully qualified domain name (FQDN)
- (Optional) Domain alias: the NetBIOS name of the domain
- Base DN for groups: usually the same as the base DN for users
- Primary server URL: consisting of Protocol, DC Master FQDN and LDAP-Port (e.g. ldap://ucs-master.example.com:389 or ldaps://usc-master.example.com:636)
- (Optional) Secondary server URL: recommended when there's a DC Backup
- Username: domain user with right to read LDAP in DN format
- Password: for the above user
Note: the certificate needed when using LDAP over SSL can be found on the homepage of your UCS master server while not logged in. Click on the Administration tab, then right-click Root certificate and select "Save Link As..." to download it. You now have to rename the file extension from crt to cer, before importing it to vCenter via the "Choose Certificate..." button.
The users are now able to log in with their credentials:
- username@<FQDN of domain> (e.g. email@example.com)
- domain-user's password
While using the VMware vSphere Client (not the Web Client), users can also now select "Use Windows session credentials", when logged into the Windows Server with their account.
Note though, that they won't be able to see/manage anything without giving them the permissions to do so.
For that, you can either assign them global rights or only rights for specific servers.
To set global permissions, just navigate to Administration -> Access Control -> Global Permissions and click on "Add permission" (+).
Here you can assign roles (right) to users and groups you add on the left side. You can create new roles under Administration -> Access Control -> Roles, if you don't want to work with the default ones.
The same can be done for each inventory object. For this, you have to browse to the page of the object and open their "Permissions" page. An example would be Hosts and Clusters -> <FQDN of this server> -> Manage -> Permissions. Here you can set permissions the same way you can globally.
Please consult the vCenter documentation linked below, if you need more detailed information on how to set permissions.
- vSphere Permissions and User Management Tasks - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-5372F580-5C23-4E9C-8A4E-EF1B4DD9033E.html
- Using Roles to Assign Privileges - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-18071E9A-EED1-4968-8D51-E0B4F526FDA3.html
- Add a Global Permission - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-1CE39F3C-0BC5-4CDC-9D62-D8F90644880D.html
- Add a Permission to an Inventory Object - https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-A0F6D9C2-CE72-4FE5-BAFC-309CFC519EC8.html