Currently, vCenter Single Sign-On supports the use of OpenLDAP as an identity source only if it satisfies all of these requirements:
- The OpenLDAP schema is RFC4519 compliant.
- All users have an objectClass of inetOrgPerson.
- All groups have an objectClass of groupOfUniqueNames.
- All groups have a group membership attribute of uniqueMember.
- All user and group objects have entryUUID configured (each object has a unique GUID that does not change).
This is required for adding users or groups from OpenLDAP to any group or role apart from vSphere.local.
Note: In vSphere 5.5a and later, entryUUID is no longer a required attribute for OpenLDAP users to authenticate. However, it remains a requirement for adding OpenLDAP users or groups to vsphere.local groups. If user or group objects are deleted and recreated in the LDAP tree without preserving entryUUID, they may be dropped from the vsphere.local groups they were members of.
If any of these requirements are missing or if the schema is non-compliant, the OpenLDAP identity source is unsupported with vCenter Single Sign-On.
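As an added example (not part of the KB article), the following Python script checks an LDIF export of the directory against the schema requirements listed above before the identity source is configured. The sample entries and the user and group base DNs are constructed; entryUUID is an operational attribute, so the export must request it explicitly (for example with `+` in ldapsearch).

```python
# Constructed sample export (not from the KB): two users and two groups with deliberate defects.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
entryUUID: 0a1b2c3d-1111-2222-3333-444455556666

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount

dn: cn=vc-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=people,dc=example,dc=com
entryUUID: 0a1b2c3d-1111-2222-3333-444455557777

dn: cn=legacy,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser (no base64 or folded lines): list of (dn, {attr_lower: [values]})."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.lower(), []).append(value.strip())
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def check_entries(entries, user_base, group_base):
    """Return one finding per SSO requirement that an entry under either base DN fails."""
    findings = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        is_user = dn.lower().endswith(user_base.lower())
        is_group = dn.lower().endswith(group_base.lower())
        if is_user and "inetorgperson" not in classes:
            findings.append(f"{dn}: user lacks objectClass inetOrgPerson")
        if is_group and "groupofuniquenames" not in classes:
            findings.append(f"{dn}: group lacks objectClass groupOfUniqueNames")
        if is_group and "uniquemember" not in attrs:
            findings.append(f"{dn}: group has no uniqueMember attribute")
        # entryUUID is needed on every user and group object SSO will see
        if (is_user or is_group) and "entryuuid" not in attrs:
            findings.append(f"{dn}: entryUUID missing (operational attribute; export with '+')")
    return findings

if __name__ == "__main__":
    print(*check_entries(parse_ldif(SAMPLE_LDIF), "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"), sep="\n")
```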