In the previous post in this series we went through installing the vROps virtual appliance and connecting it to vCenter. In this post we will go through adding an AD authentication source and configuring access groups.
There are 5 different authentication sources that can be added to vROps.
- SSO SAML: An XML-based standard for a web browser single sign-on that enables users to perform single sign-on to multiple applications.
- VMware Identity Manager: A platform where you can manage users and groups, manage resources and user authentication, and access policies and entitle users to resources.
- Open LDAP: A platform-independent protocol that provides access to an LDAP database on another machine to import user accounts.
- Active Directory: Specifies that Active Directory is used to import user accounts or groups.
- Other: Specifies any other LDAP-based directory services, such as Novell or OpenDJ, used to import user accounts from an LDAP database on a Linux or Mac machine.
First we need to log on to the vROps web client and go to Administration > Authentication Sources.
Click Add and select the source type required. We use Microsoft AD so we will be using Active Directory.
Give the identity source a display name. I usually use the domain name as this makes it simpler when viewing settings. Use Basic as this auto-discovers the DC and DN (Distinguished Name).
Add the user account that will be used for the LDAP connections to the domain. This account should only need Domain Users rights.
I also always create a specific service account to be used for each application AD integration. I would also recommend using SSL/TLS where possible as this will encrypt the LDAP requests between the appliance and the domain controller.
Click on details to view the auto discovered host and
Click Test to verify all settings are correct. If the source is set to use SSL, there will be a prompt to accept the certificate.
Once the test is successful we can complete adding the authentication source.
Once completed the AD source should show.
Next we will configure the groups in AD that will be used to assign access roles in vROps.
To add the groups, they need to be imported from AD and then assigned the required role.
Go to Administration > Access Control > Import.
Use the search string to check for the groups.
Select the role that will be assigned to the group.
Assign the other required roles and select the objects that are required for the group.
To test we can open a new session and select the AD authentication source instead of local user.
We can check the domain controller security event logs to confirm the authentication.
Based on the roles assigned, the user will only have limited access.
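The domain controller log check described above can be scripted. This is an added example, not part of the original post: it reads Security events exported as XML and flags failed logons, or logons of the vROps bind account from any address other than the appliance. The account names, IP addresses and the `<Events>` wrapper element are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, user, ip, when):
    # Builds one constructed Security event in the Windows event XML layout.
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/></System><EventData>'
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">3</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )

# Constructed sample data: svc-vrops is a hypothetical bind account,
# jsmith a hypothetical test user, 10.0.0.50 a hypothetical appliance IP.
SAMPLE = "<Events>" + "".join([
    _event(4624, "svc-vrops", "10.0.0.50", "2024-01-01T10:00:00Z"),
    _event(4624, "svc-vrops", "10.0.0.99", "2024-01-01T10:05:00Z"),
    _event(4625, "jsmith", "10.0.0.50", "2024-01-01T10:06:00Z"),
    _event(4624, "jsmith", "10.0.0.50", "2024-01-01T10:07:00Z"),
    _event(4624, "administrator", "10.0.0.7", "2024-01-01T10:08:00Z"),
]) + "</Events>"

def review_logons(xml_text, accounts, allowed_ips):
    """Split 4624/4625 events for the watched accounts into (ok, findings)."""
    ok, findings = [], []
    watched = {a.lower() for a in accounts}
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in ("4624", "4625"):  # logon success / logon failure
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        user = data.get("TargetUserName", "")
        if user.lower() not in watched:
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        record = (when, user, data.get("IpAddress", "-"), data.get("LogonType", ""))
        if event_id == "4625":
            findings.append(("failed logon",) + record)
        elif record[2] not in allowed_ips:  # success, but not from the appliance
            findings.append(("unexpected source",) + record)
        else:
            ok.append(record)
    return ok, findings

if __name__ == "__main__":
    ok, findings = review_logons(SAMPLE, {"svc-vrops", "jsmith"}, {"10.0.0.50"})
    for row in findings:
        print(*row)
```

A successful logon of the dedicated service account from anywhere other than the appliance is worth investigating, since that account exists only for the vROps LDAP connection.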
In the next post we will go through configuring alerting and creating some capacity planning reports that can be used to plan for future compute requirements.