The documentation for (vFabric) vCloud Application Director is pretty sparse in this area, so here’s what worked for me.
Preparation:
You should have some idea of how you want App Director to get its information from Active Directory. You can point it at a single domain controller (or GC), or at a virtual IP address if you have them behind a load balancer.
In my case, I have only two domain controllers and they’re both configured as Global Catalog servers. AD-integrated DNS is used and the “(same as parent folder)” A records in the zone resolve to the domain controllers. Only point the integration at the domain FQDN if all of the possible responders listen on the same port.
| TCP Port | Usage |
|---|---|
| 389 (caution!) | LDAP |
| 636 | LDAP over SSL |
| 3268 | LDAP Global Catalog |
| 3269 | LDAP Global Catalog over SSL |
While logged into the AppD CLI as admin, run this command:
create-ldap-config
| Question | Answer I used |
|---|---|
| Use SSL to communicate to LDAP server (ldaps)? | no |
| Server name/IP: | ragazzi.lab |
| Server port: | 3268 (see above) |
| Server base DN: | dc=ragazzi,dc=lab |
| Does your LDAP server support anonymous query?: | no |
| Username to use when querying for users? | serviceaccount@ragazzi.lab |
| Password to use when querying for users? | ******** |
| Base DN of user sub-tree: | <blank> |
| Username attribute | sAMAccountName |
| User UID attribute | objectSid |
| User’s group membership attribute | memberOf |
| User’s first name attribute | givenName |
| User’s last name attribute | sn |
| User’s email address attribute | <blank> |
| Base DN of group sub-tree | <blank> |
| Group name attribute | cn |
| Group UID attribute | objectSid |
| Group’s member list attribute | member |
| Name for the configuration | ragazzilab (the configuration name should not have a dot in it) |
After completion, run this to be sure it looks right:
list-ldap-configs
If it looks good, run this to activate your config:
activate-ldap-config --configname yourconfig
Replace “yourconfig” with the name of your LDAP config.
Lastly, let's make sure it works by testing that AppD can retrieve information about a user from AD. Run this:
test-named-ldap-config --configname yourconfig --name thatusername
Replace “yourconfig” with the name of your LDAP config and “thatusername” with an actual username.
It should return details about the user; be sure that the group membership information looks right.
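Added example, not from the original post or from the product: this Python applies the attribute answers from the table above to a raw AD user entry and does the sanity check worth running on the test-named-ldap-config output, decoding objectSid into a readable SID and confirming that every memberOf entry is backed by a matching member value on the group. The user, the group DNs and the SID bytes are constructed sample data for the ragazzi.lab domain.

```python
import struct

# Attribute mapping exactly as answered in create-ldap-config (table above).
USER_MAP = {"username": "sAMAccountName", "uid": "objectSid",
            "groups": "memberOf", "first_name": "givenName", "last_name": "sn"}
GROUP_MAP = {"name": "cn", "uid": "objectSid", "members": "member"}

def sid_to_string(raw):
    """Decode AD's binary objectSid into the S-1-5-21-... form you can compare."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")            # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)   # 32-bit each, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def map_user(user_dn, entry, groups_by_dn):
    """Apply the AppD attribute mapping to one raw user entry.
    Returns (record, group DNs whose member list does not contain the user).
    memberOf is a back-link AD derives from member, so such a mismatch means
    the server answered from an incomplete or stale view of that group."""
    record = {
        "username": entry[USER_MAP["username"]],
        "uid": sid_to_string(entry[USER_MAP["uid"]]),
        "first_name": entry.get(USER_MAP["first_name"]),
        "last_name": entry.get(USER_MAP["last_name"]),
        "groups": [],
    }
    inconsistent = []
    for dn in entry.get(USER_MAP["groups"], []):
        group = groups_by_dn.get(dn, {})
        if user_dn not in group.get(GROUP_MAP["members"], []):
            inconsistent.append(dn)
        record["groups"].append(group.get(GROUP_MAP["name"], dn))
    return record, inconsistent

# Constructed sample data: a hypothetical user and two groups in ragazzi.lab.
USER_DN = "CN=Jane Doe,CN=Users,DC=ragazzi,DC=lab"
GROUP_DN = "CN=AppD Admins,CN=Users,DC=ragazzi,DC=lab"
STALE_DN = "CN=Old Team,CN=Users,DC=ragazzi,DC=lab"
SAMPLE_USER = {
    "sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
    # S-1-5-21-1000-2000-3000-1104 as AD stores it: revision, count, authority, RIDs
    "objectSid": b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1000, 2000, 3000, 1104),
    "memberOf": [GROUP_DN, STALE_DN],
}
SAMPLE_GROUPS = {
    GROUP_DN: {"cn": "AppD Admins", "member": [USER_DN]},
    STALE_DN: {"cn": "Old Team", "member": []},  # listed in memberOf but not member: mismatch
}
```

Calling `map_user(USER_DN, SAMPLE_USER, SAMPLE_GROUPS)` returns the mapped record together with the one group DN that fails the cross-check.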