VMware Cloud Foundation 9.0 introduced the new VCF Identity Broker component to provide the totally revamped VCF Single Sign-On capability which provides single sign-on across VCF Operations, vCenter, NSX Manager, VCF Operations for logs, VCF Operations for networks, VCF Operations HCX and VCF Automation. VMware Cloud Foundation 9.0 added support for Ping Identity and Generic SAML 2.0 providers in addition to Okta, Microsoft Entra ID, Microsoft Active Directory, Microsoft ADFS and OpenLDAP.
When it comes to Role Based Access Control (RBAC) we’ve typically used Microsoft Active Directory within our lab setups to provide group, service account and user access across the VMware Cloud Foundation platform. The biggest downside of this being the need to deploy at least one Windows Server virtual machine, this isn’t a significant issue generally but it does require a Windows Server license. For this reason we recently took a look at OpenLDAP as an alternative.
In this post we discuss the high-level steps for getting VCF Identity Broker up and running as well as provide some more details steps as they pertain to using OpenLDAP as the Identity Provider of choice.
High-level Steps for Configuring VCF Identity Broker and VCF Single Sign-On
The following high-level steps should be followed to successfully deploy and configure VCF Identity Broker, for the most part the official Broadcom Technical Documentation is pretty good so I’m not going to document all of these procedures instead use the links provided to take you directly to the relevant part of the VMware Cloud Foundation 9.0 documentation.
- Deploy VCF Identity Broker appliance
- Select a VCF Instance for which you want to configure VCF Single Sign-On
- Choose the deployment mode you wish to use
- Select and configure the identity provider (Documented as part of this post)
- Configure VCF Single Sign-On for NSX and vCenter
- Modify the Identity Provider Sync Settings (Documented as part of this post)
- Configure VCF Single Sign-On for VCF Operations and VCF Automation
- (Optional) Configure VCF Single Sign-On for other VCF Components
- Assign required roles and permissions for users or groups
The following two sections provide more detailed step-by-step guidance around the OpenLDAP configuration specifically based on my own lab.
Configuring OpenLDAP as an Identity Provider
Whilst the official Broadcom Technical Documentation for Configure OpenLDAP as an Identity Provider could be followed, I wanted to highlight some specifics of the procedure so I’ve duplicated the steps here.
NOTE
First key point to call out here is to make sure you apply the following prerequisite to your OpenLDAP configuration otherwise you will have issues.
Ensure that the memberOf overlay is activated in the OpenLDAP server. For information about activating memberOf overlay, see OpenLDAP Overlays.
-
Log in to the VCF Operations interface at https://<vcf_operations_fqdn> as a user assigned Administrator role.
-
In the main navigation select Fleet Management > Identity & Access.
-
From the Identity & Access navigation, select SSO Overview.
-
From the Enable Single Sign-On page, click the Start button against the Configure Identity Provider option.
-
From the Choose Identity Provider section, select OpenLDAP from the list and click Next.
-
From the Configure the Identity Provider section, click Configure.
-
On the Directory Details screen, enter the following details and click Next.
| Setting | Value |
|---|---|
| Directory name | mycloudyworld |
| Primary domain controller | ldap://10.167.173.100 |
| Directory search attribute | Custom Attribute |
| Custom directory search attribute for Users | uid |
| Custom directory search attribute for Groups | cn |
| Base DN | dc=mycloudyworld,dc=io |
| Bind user name | cn=svc-vcf-ldap,dc=mycloudyworld,dc=io |
| Bind user password | VMw@re1!VMw@re1! |
-
On the LDAP Configuration screen, accept the default values and click Next.
-
On the Review screen, review the details you have added for the configuration and click Finish.
-
On the Configure User and Group Provisioning screen, click Configure.
-
On the Directory Review Information screen, click Next.
-
On the Attributes Mappings screen, enter the following details and click Next.
| Setting | Value |
|---|---|
| userName | uid |
| firstName | givenName |
| lastName | sn |
| distinguishedName | dn |
| employeeID | (leave blank) |
| userPrincipalName | userPrincipalName |
-
On the Group Provisioning screen, enter a base group DN
dc=mycloudyworld,dc=ioand click Select Base Group DN. -
Select all the groups that you want to be visible in the VCF Identity Broker and click Next.
-
On the User Provisioning screen, do not select any users and click Next.
-
On the Review screen, review the configuration and click Finish.
-
Click Done.
-
Now perform Configure VCF Single Sign-On for NSX and vCenter.
Modify the Identity Provider Sync Settings
-
Log in to the VCF Operations interface at https://<vcf_operations_fqdn> as a user assigned Administrator role.
-
In the main navigation select Fleet Management > Identity & Access.
-
From the Identity & Access navigation, select VCF Instances > Instance with Identity Source.
-
Under Directory Information, select the radio button for mycloudyworld and click Edit.
-
In the mycloudyworld navigation, select Sync Settings.
-
On the Sync Settings screen, click Edit.
-
Change the Sync Frequency to Every 15 Minutes and click Save.
Conclusion
Use this post as a reference to help configure VCF Identity Broker with OpenLDAP as the Identity Provider.
My Cloudy World 
Leave a reply to SHARAN Cancel reply