Configuring and Managing Federation with LDAP

An organization can define an LDAP configuration that it shares with other organizations. This shared configuration can support federation using LDAP as a directory service, an authentication service, or both.

When several organizations use the same LDAP service as their source for imported users and groups, they enable a simple model of federation in which users in all the participating organizations can be managed by a single LDAP service. In this kind of configuration, user credentials are imported into the VMware Cloud Director database, and VMware Cloud Director is responsible for authenticating users.

Prerequisites

This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights.

Procedure

  1. Retrieve the organization LDAP settings.
    Use a request like this one: 
    GET https://vcloud.example.com/api/admin/org/26/settings/ldap
    The response is an OrgLdapSettings element.
  2. Modify the retrieved OrgLdapSettings element.

    You can set the value of OrgLdapMode to SYSTEM to specify that this organization uses the system LDAP configuration. When you do this, you can also specify a CustomUsersOu value so that only users in a specific LDAP organizational unit can be imported into this organization. See Update Organization LDAP Settings.

    To configure an LDAP service for the exclusive use of this organization, set the value of OrgLdapMode to CUSTOM and include a CustomOrgLdapSettings element in the modified OrgLdapSettings.

  3. Update the OrgLdapSettings with your modifications.
    Find the Link element in the settings element where rel="edit". Make a PUT request to the URL in that link's href attribute value, and supply the modified section as the request body. See Update Organization LDAP Settings.

Example: Update Organization LDAP Settings

This example updates the OrgLdapSettings of the organization created in Create an Organization. The update sets the value of the CustomUsersOu element to specify that only LDAP users whose OU attribute has a value of Finance are imported into this organization.

Request: 
PUT https://vcloud.example.com/api/admin/org/26/settings/ldap
Content-Type: application/vnd.vmware.admin.organizationLdapSettings+xml
...
<?xml version="1.0" encoding="UTF-8"?>
<OrgLdapSettings ... >
   <OrgLdapMode>SYSTEM</OrgLdapMode>
   <CustomUsersOu>OU=Finance</CustomUsersOu>
</OrgLdapSettings>