Cool Solution - Use VMware Single Sign-On with UCS

From Univention Wiki

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown here.

Please also note the legal notes in the Terms of Service.

VMware vSphere 6.0 provides Single Sign-On through a VMware vCenter instance. VMware Single Sign-On expects Microsoft Active Directory as its so-called "Identity Source", but it can also use other types of user repositories. This article describes how to use UCS 4.1 with Samba 4 in place of Microsoft Active Directory.

Prerequisites

Depending on the size of the environment the number of UCS, Windows and VMware ESXi Hypervisor hosts may vary. Let's assume the following minimum configuration:

  • 1 UCS 4.1 Domain Controller Master with Samba 4
  • 1 Windows Server, member of the UCS 4.1/Samba 4 domain, with the following VMware vSphere 6.0 components installed:
    • VMware vCenter Single Sign-On
    • VMware vCenter Inventory Service
    • VMware vCenter Server
    • VMware vSphere Client
    • VMware vSphere Web Client
  • 1 VMware ESXi Hypervisor Host [optional, but reasonable]

Configuration of VMware vCenter Single Sign-On

Start the "VMware vSphere Web Client" on the Windows Server or open your vSphere Web Client URL in your browser (usually https://<your-vCenter-server>:9443/vsphere-client).
Log in with the "administrator@<system-domain>" account (by default "administrator@vsphere.local") that was created during the installation of vCenter.

Screenshot: VMware vSphere Web Client

Note: You need to use "administrator@<system-domain>". No other account is able to add "Identity Sources" at this point, so make sure that this account is neither disabled nor deleted.


Now go to Administration -> Single Sign-On -> Configuration -> Identity Sources and add a new "Identity Source" (+).

Screenshot: Administration, Add Identity Source


A new window will open. Select "Active Directory as an LDAP Server" and fill in the following fields:

  • Name: a name for this "Identity Source"
  • Base DN for users: the distinguished name (DN) under which the LDAP server stores the users
  • Domain name: the fully qualified domain name (FQDN) of the domain
  • (Optional) Domain alias: the NetBIOS name of the domain
  • Base DN for groups: usually the same as the base DN for users
  • Primary server URL: consisting of protocol, DC Master FQDN and LDAP port (e.g. ldap://ucs-master.example.com:389 or ldaps://ucs-master.example.com:636)
  • (Optional) Secondary server URL: recommended when there is a DC Backup
  • Username: a domain user with permission to read the LDAP directory, given in DN format
  • Password: the password of the above user

Note: The certificate needed for LDAP over SSL can be found on the homepage of your UCS master server while not logged in. Click on the Administration tab, then right-click Root certificate and select "Save Link As..." to download it. Rename the file extension from crt to cer before importing the file into vCenter via the "Choose Certificate..." button.
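Before saving the identity source it is worth checking the form values against each other and proving the bind from a shell, because vCenter gives little feedback when a DN or URL is slightly wrong. The following Python script is an added example for this article; it is not part of UCS, Samba or vCenter. It validates the fields described above (DN syntax, that the base DNs and the bind user lie below the domain DN, that the server URLs use ldap:// or ldaps:// with the expected ports, that a cleartext ldap:// URL is flagged) and composes an ldapsearch call that exercises the bind user's read access on the user base DN. The sample values (the example.com domain, the cn=users container, a bind account named vcenter-ldap, a downloaded root certificate saved as ucs-root-ca.cer, the LDAP_BIND_PW environment variable) are constructed assumptions; replace them with your own.

```python
"""Pre-flight checks for a vCenter SSO identity source of type
"Active Directory as an LDAP Server" pointing at a UCS/Samba 4 domain.
Added example for this article; not part of UCS or vCenter."""
import re
import shlex
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")

# Constructed sample values for the article's example domain. The cn=users
# container, the bind account name and the certificate file name are
# assumptions; replace them with the values of your environment.
SAMPLE_SOURCE = {
    "name": "UCS Samba 4",
    "domain_name": "example.com",
    "domain_alias": "EXAMPLE",
    "base_dn_users": "cn=users,dc=example,dc=com",
    "base_dn_groups": "cn=users,dc=example,dc=com",
    "primary_url": "ldaps://ucs-master.example.com:636",
    "secondary_url": "ldaps://ucs-backup.example.com:636",
    "bind_user": "cn=vcenter-ldap,cn=users,dc=example,dc=com",
}


def normalize_dn(value):
    """Lower-case a DN and drop whitespace around the RDN separators."""
    return re.sub(r"\s*,\s*", ",", value.strip().lower())


def is_dn(value):
    """True if value is a comma-separated list of attr=value RDNs."""
    if not value or not value.strip():
        return False
    return all(RDN_RE.match(rdn) for rdn in normalize_dn(value).split(","))


def domain_to_dn(domain):
    """Map a DNS domain to the AD domain DN: example.com -> dc=example,dc=com."""
    return ",".join(f"dc={label}" for label in domain.lower().split("."))


def parse_ldap_url(url):
    """Return (scheme, host, port); raise ValueError for non-LDAP URLs."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {url!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def check_identity_source(src):
    """Return a list of (severity, message) findings; empty means consistent."""
    findings = []
    domain = src["domain_name"].lower()
    domain_dn = domain_to_dn(domain)
    for key in ("base_dn_users", "base_dn_groups", "bind_user"):
        if not is_dn(src[key]):
            findings.append(("error", f"{key} is not in DN format: {src[key]!r}"))
        elif not normalize_dn(src[key]).endswith(domain_dn):
            findings.append(("error", f"{key} is not below the domain DN {domain_dn}"))
    if normalize_dn(src["base_dn_users"]) != normalize_dn(src["base_dn_groups"]):
        findings.append(("warning", "group base DN differs from user base DN (usually identical on UCS)"))
    for key in ("primary_url", "secondary_url"):
        url = src.get(key)
        if not url:
            continue
        try:
            scheme, host, port = parse_ldap_url(url)
        except ValueError as exc:
            findings.append(("error", str(exc)))
            continue
        if scheme == "ldap":
            # A simple bind over plain ldap:// sends the service account's
            # password unencrypted; this is why the root certificate step exists.
            findings.append(("warning", f"{key} uses cleartext ldap://; prefer ldaps:// with the UCS root certificate"))
        if port != DEFAULT_PORTS[scheme]:
            findings.append(("warning", f"{key}: port {port} is unusual for {scheme}:// (expected {DEFAULT_PORTS[scheme]})"))
        if host != domain and not host.endswith("." + domain):
            findings.append(("warning", f"{key}: host {host} is not inside {domain}"))
    return findings


def ldapsearch_command(src, ca_file="ucs-root-ca.cer", password_env="LDAP_BIND_PW"):
    """Compose the ldapsearch call that exercises the configured bind and base DN.

    The password is read from an environment variable at run time so it lands
    neither in the shell history nor in the process list. For ldaps:// the
    downloaded root certificate is handed to the OpenLDAP client through
    LDAPTLS_CACERT so the server certificate is actually verified.
    """
    scheme, _, _ = parse_ldap_url(src["primary_url"])
    prefix = f"LDAPTLS_CACERT={shlex.quote(ca_file)} " if scheme == "ldaps" else ""
    parts = [
        "ldapsearch", "-H", shlex.quote(src["primary_url"]), "-x",
        "-D", shlex.quote(src["bind_user"]), "-w", f'"${password_env}"',
        "-b", shlex.quote(src["base_dn_users"]), "-s", "sub",
        shlex.quote("(objectClass=user)"), "dn",
    ]
    return prefix + " ".join(parts)


if __name__ == "__main__":
    for severity, message in check_identity_source(SAMPLE_SOURCE) or [("ok", "form values are consistent")]:
        print(f"{severity}: {message}")
    print(ldapsearch_command(SAMPLE_SOURCE))
```

Run the printed ldapsearch line on the UCS master or any host with the OpenLDAP client tools installed, with the bind password exported in LDAP_BIND_PW; a listing of user DNs confirms that the bind user, the base DN and (for ldaps://) the certificate are all correct before vCenter tries them.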


Screenshot: Identity Source configuration


The users are now able to log in with their credentials:

  • username@<FQDN of domain> (e.g. username@example.com)
  • domain-user's password

When using the VMware vSphere Client (not the Web Client), users can now also select "Use Windows session credentials" if they are logged into the Windows Server with their domain account.
Note, though, that they will not be able to see or manage anything until they have been given the permissions to do so.
For that, you can either assign them global permissions or permissions for specific objects only.

Permissions

To set global permissions, navigate to Administration -> Access Control -> Global Permissions and click on "Add permission" (+).
Here you can assign roles (on the right) to the users and groups you add on the left side. If you do not want to work with the default roles, you can create new ones under Administration -> Access Control -> Roles.

The same can be done for each inventory object. To do so, browse to the page of the object and open its "Permissions" page, for example Hosts and Clusters -> <FQDN of this server> -> Manage -> Permissions. Permissions are set here in the same way as globally.

Screenshot: Permissions

Please consult the vCenter documentation linked below if you need more detailed information on how to set permissions.

Further Links
