Creating an LDAP configuration for Active Directory in vCloud Application Director

The documentation for (vFabric) vCloud Application Director is pretty sparse in this area, so here’s what worked for me.

You should have some idea how you want App Director to get its information from Active Directory. You can point it at a single domain controller (or GC) or a virtual IP address if you have them behind a load-balancer.

In my case, I have only two domain controllers and they’re both configured as Global Catalog servers. AD-integrated DNS is used and the “(same as parent folder)” A records in the zone resolve to the domain controllers. Only point the integration at the domain FQDN if all of the possible responders listen on the same port.

TCP Port          Usage
389 (caution!)    LDAP
636               LDAP over SSL
3268              LDAP Global Catalog
3269              LDAP Global Catalog over SSL

While logged into the AppD CLI as admin, run this command:


Question                                              Answer I used
Use SSL to communicate to LDAP server (ldaps)?        no
Server name/IP:                                       ragazzi.lab
Server port:                                          3268 (see above)
Server base DN:                                       dc=ragazzi,dc=lab
Does your LDAP server support anonymous query?:       no
Username to use when querying for users?              serviceaccount@ragazzi.lab
Password to use when querying for users?              ********
Base DN of user sub-tree:                             <blank>
Username attribute                                    sAMAccountName
User UID attribute                                    objectSid
User's group membership attribute                     memberOf
User's first name attribute                           givenName
User's last name attribute                            sn
User's email address attribute                        <blank>
Base DN of group sub-tree                             <blank>
Group name attribute                                  cn
Group UID attribute                                   objectSid
Group's member list attribute                         member
Name for the configuration                            ragazzilab

Note: the configuration name should not have a dot in it.

After completion, run this to be sure it looks right:


If it looks good, run this to activate your config:

activate-ldap-config --configname yourconfig

Replace “yourconfig” with the name of your LDAP config.

Lastly, let's make sure it works by testing that AppD can retrieve information about a user from AD. Run this:

test-named-ldap-config --configname yourconfig --name thatusername

Replace “yourconfig” with the name of your LDAP config and “thatusername” with an actual username.

It should return details about the user; be sure that the group membership information looks right.
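To make it clearer what that last test has to do with the attribute mapping above, here is an added, self-contained Python illustration (not AppD's code, and it does not talk to a directory). It builds the kind of search filter the lookup needs, escaping the supplied username per RFC 4515 so a name containing filter metacharacters cannot change the query; decodes the binary objectSid that was chosen as the UID attribute into its familiar S-1-5-... string; and pulls the group cn values out of the memberOf DNs. The sample directory entry, the SID value and the filter shape are constructed for the example. One caveat worth knowing when you check the group list: memberOf in AD does not include the user's primary group (Domain Users by default), so that group is expected to be absent.

```python
import struct

# Attribute names taken from the configuration answers in this post.
USER_NAME_ATTR = "sAMAccountName"
USER_UID_ATTR = "objectSid"
USER_GROUPS_ATTR = "memberOf"

# RFC 4515 escaping for values embedded in a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(username: str) -> str:
    """Filter shape assumed for the 'find this user' lookup (constructed, not AppD's own)."""
    return f"(&(objectClass=user)({USER_NAME_ATTR}={escape_filter_value(username)}))"


def decode_object_sid(raw: bytes) -> str:
    """Convert a binary objectSid to its S-R-A-S1-S2-... string form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N little-endian
    32-bit sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("objectSid length does not match sub-authority count")
    subs = struct.unpack(f"<{sub_count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def first_rdn_value(dn: str) -> str:
    """Return the value of the first RDN of a DN (the group's cn), honouring '\\,' escapes."""
    out, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            out.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            break
        out.append(ch)
        i += 1
    rdn = "".join(out)
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def summarize_user(entry: dict) -> dict:
    """Shape a raw directory entry the way the mapping in this post would present it."""
    return {
        "username": entry[USER_NAME_ATTR][0],
        "uid": decode_object_sid(entry[USER_UID_ATTR][0]),
        "first_name": entry.get("givenName", [""])[0],
        "last_name": entry.get("sn", [""])[0],
        "groups": [first_rdn_value(dn) for dn in entry.get(USER_GROUPS_ATTR, [])],
    }


# Constructed sample entry standing in for what a search over the GC port would return.
SAMPLE_ENTRY = {
    "sAMAccountName": ["thatusername"],
    "objectSid": [bytes.fromhex("010500000000000515000000e8030000d0070000b80b000050040000")],
    "givenName": ["That"],
    "sn": ["User"],
    "memberOf": [
        "CN=AppD Admins,OU=Groups,DC=ragazzi,DC=lab",
        "CN=Ops\\, Night Shift,OU=Groups,DC=ragazzi,DC=lab",
    ],
}

if __name__ == "__main__":
    print(user_lookup_filter("that*username"))
    print(summarize_user(SAMPLE_ENTRY))
```

The escaping step is the part to keep: whatever tool performs the lookup, the username must reach the filter as data rather than as filter syntax, and the decoded SID is what a UID based on objectSid will look like when you compare it against the account in AD.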
