In the last post of this series, I walked through the vRA appliance deployment and configuration. We verified that the deployment was successful and that we were able to log in to the vRA appliance using the SSO user.
In this post we will learn about the initial configuration of the default tenant and how to associate directory services with vRA.
If you have landed directly on this page by mistake, then I encourage you to read the earlier posts of this series from the links below:
1: Lab Setup
2: Installing and Configuring NSX
3: Installing SQL Server for IaaS DB
4: Installing and Configuring vRealize Automation Appliance
Let's start configuring the default tenant.
Log in to the vRA appliance at https://VRA-FQDN/vcac using administrator as the username and the password set during deployment.
If this is your production deployment, then you might want to apply your company branding, i.e. setting up a logo, etc.
Once you are done with branding your vRA instance, navigate to Administration -> Tenants. Select the default tenant and click on the Edit button.
Select the Local users tab.
Since we don't have any directory integration with vRA yet, we have to add a local user and assign that user the tenant admin and IaaS admin roles. Click on the + button to add a new local user.
Provide the username, password, email, etc. for this local user and hit OK.
Navigate to the Administrators tab and add the local user under Tenant administrators and IaaS administrators.
Log out from vRA and log back in as the tenant admin (the local user we just defined).
Click on Directory management.
Select Directories from the list and click on the + button to add a directory service. The following types of directory service are supported by vRA:
- Active Directory over LDAP
- LDAP Directory
- Local user directory
In my case I am going with AD over LDAP option.
If you are using Windows Active Directory, then provide your directory name and select AD (Integrated Windows Authentication).
Make sure your vRA appliance is selected as the Sync connector, and select Yes if you want your vRA appliance to perform authentication.
When a directory service is added to vRA, users and groups are synced from the directory to the local VIDM database on the vRA appliance. When a user tries to log in to the appliance, vRA performs authentication by checking whether the user exists in its local VIDM database.
For the join domain details, enter your domain name and the domain admin username and password. Do not append the domain name to the username here.
For Bind User Details, enter the username in the format username@domain-name, supply the user's password and hit Save and Next.
If there are no errors in previous step, you will now see your newly added directory in the list.
Click on newly added directory service and select sync now.
Now we have to select which users/groups we want to sync from AD to the vIDM database. If you have a large organization with thousands of users and groups, then it's not a good idea to sync them all, as not all of them will be consuming your vRA-based cloud.
Click on Edit Group DNs.
If your groups exist in organized OUs, you can specify the absolute DN path in which to search for groups.
Since I have only a few users and groups in my lab, I selected the root DN (e.g. DC=alex,DC=local).
Click on find groups to discover the groups from your AD.
In my case 52 groups were discovered. Click on Select button to choose which groups you want to sync with vRA.
Make your selection from the list and hit save.
This is the summary of groups selected by me for sync.
You can repeat the same process to sync individual users from AD. Once the users/groups are synced, you can see their details under the Directories tab.
Let's check our directory integration now by logging out as the local user.
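The Group DN step above is where the sync scope is decided: a root DN such as DC=alex,DC=local pulls every group in the domain into the vIDM database, whereas an OU-level DN restricts the sync to the groups that will actually use vRA. The following is an added example, not code from the original post or from vRA, that shows how an LDAP search base scopes a group list. It parses distinguished names (including escaped commas), compares them case-insensitively, and keeps only the discovered groups that fall under the configured Group DNs. The group names and OU layout are constructed sample data; only the DC=alex,DC=local suffix comes from the post.

```python
"""Scope an AD group sync to one or more Group DN search bases.

Added example (not part of the original post). The discovered groups
below are constructed sample data; only DC=alex,DC=local is from the post.
"""


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN components.

    A backslash-escaped comma inside a value (RFC 4514), e.g.
    'CN=Sales\\, EMEA', must not be treated as a component separator.
    """
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(ch + dn[i + 1])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def normalise_rdn(rdn: str) -> str:
    """Lower-case the attribute type and value so that
    'OU=vRA' and 'ou=VRA' compare equal, as AD treats them."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def dn_is_under(dn: str, base: str) -> bool:
    """True if `dn` is `base` itself or lies anywhere in its subtree.

    Subtree membership is a suffix match on the RDN components, so
    'CN=x,OU=vRA,DC=alex,DC=local' is under 'OU=vRA,DC=alex,DC=local'.
    """
    d = [normalise_rdn(r) for r in split_dn(dn)]
    b = [normalise_rdn(r) for r in split_dn(base)]
    return len(d) >= len(b) and d[-len(b):] == b


def select_groups_for_sync(discovered: list[str], group_dns: list[str]) -> list[str]:
    """Return the discovered groups that fall under any configured Group DN."""
    return [g for g in discovered if any(dn_is_under(g, base) for base in group_dns)]


# Constructed sample of what a "Find groups" run might return.
DISCOVERED_GROUPS = [
    "CN=vRA Tenant Admins,OU=vRA,OU=Cloud,DC=alex,DC=local",
    "CN=vRA Business Users,OU=vRA,OU=Cloud,DC=alex,DC=local",
    "CN=Domain Admins,CN=Users,DC=alex,DC=local",
    "CN=Sales\\, EMEA,OU=Sales,DC=alex,DC=local",
    "CN=Backup Operators,CN=Builtin,DC=alex,DC=local",
]

# Hypothetical OU holding only the groups that consume vRA.
VRA_GROUP_DN = "OU=vRA,OU=Cloud,DC=alex,DC=local"


if __name__ == "__main__":
    print("Root DN scope:")
    for g in select_groups_for_sync(DISCOVERED_GROUPS, ["DC=alex,DC=local"]):
        print("  ", g)
    print("OU scope:")
    for g in select_groups_for_sync(DISCOVERED_GROUPS, [VRA_GROUP_DN]):
        print("  ", g)
```

Running it shows the difference in scope: the root DN selects all five sample groups, including Domain Admins and Backup Operators, while the OU-level DN selects only the two vRA groups. The same suffix comparison is what lets you sanity-check a Group DN before entering it in the vRA dialog.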
Now at the login screen, you will see your domain listed for selection.
I am trying to login via my domain user here.
And I am in. So at this point we have confirmed that the directory integration is working fine.
The next step is to define roles for the domain users when we create business groups, catalogs, etc. or set up approval policies.
Note: By default vRA syncs users/groups from AD on a weekly basis, so any new user/group created in AD will be synced to the vIDM database when the next periodic sync occurs. You can also manually invoke the sync process, or change the sync settings to determine how often vRA should sync with AD.
To change the sync frequency, select your domain from the directory list and click on Sync Settings.
Edit the sync frequency.
That's it for this post.
I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂