Custom Active Directory configuration for VMware vRealize Log Insight

Article ID: 315989


Updated On:

Products

VMware Aria Suite

Issue/Introduction

This article provides guidance for customizing advanced options for Active Directory integration in Log Insight beyond what is available in the administrative user interface.

VMware vRealize Log Insight supports integration with Active Directory for authentication. The administrative user interface provides settings for the Default Binding domain, a username and password, and whether it requires SSL.


Environment

VMware vRealize Log Insight 3.6.x
VMware vRealize Log Insight 4.3.x
VMware vRealize Log Insight 3.3.x
VMware vRealize Log Insight 4.0.x
VMware vRealize Log Insight 4.5.x

Resolution

Specify advanced Active Directory configuration directives in XML form using one of the methods described in Changing internal configuration options in VMware vRealize Log Insight (2123058). You must use the web browser method to edit this configuration.

  1. Find or create the <authentication> tag. If Active Directory integration was enabled in the administration interface, it appears similar to the following:

    <authentication>
      <auth-method value="ACTIVE-DIRECTORY">
        <enabled value="true" />
        <ad-domain value="domain.example.com" />
        <ad-username value="active directory username" />
        <ad-password value="encrypted password" />
      </auth-method>
    </authentication>

     
  2. Optionally add or modify additional configuration options inside the <auth-method> tag:
     
    • <ad-protocols value="LDAP,LDAPS" /> - Protocol used for connections. This option accepts exactly one of two values, "LDAP" or "LDAPS". The old comma-separated "LDAP,LDAPS" value is treated the same as "LDAP". Previously, Log Insight first attempted an LDAP connection and fell back to LDAPS if that failed; it now only attempts a connection with the specified protocol.
    • <ad-ldap-port value="389" /> - Default port used for LDAP connections. Common choices are 389 (LDAP) or 3269 (Global Catalog). The default of 0 uses the port number returned by the DNS lookup. This can always be overridden by the newer "ad-port" option.
    • <ad-ldaps-port value="636" /> - Default port used for SSL (LDAPS) connections. Common choices are 636 (LDAPS) or 3269 (Global Catalog). The default of 0 uses the port number returned by the DNS lookup. This can always be overridden by the newer "ad-port" option.
       
    • <ad-search-base value="cn=configuration,dc=adtest,dc=local" /> - Custom search base used for the Active Directory configuration partition. The default (blank) searches the entire domain.
       
    • <ad-user-search-base value="cn=Users,dc=adtest,dc=local" /> - Custom search base used for user queries. Users outside this search base cannot be added in the Users administration interface. The default (blank) searches the entire domain.
       
    • <ad-group-search-base value="cn=Groups,dc=adtest,dc=local" /> - Custom search base used for group queries. Groups outside this search base cannot be added in the Users administration interface. The default (blank) searches the entire domain.
       
    • <ad-nested-groups value="false" /> - Whether to traverse nested group membership. For more information about the performance implications of this option, see Authentication with Active Directory is slow in VMware vRealize Log Insight 3.0 when users belong to multiple nested groups (2138356). The default of false honors only direct group membership.
       
    • <ad-nested-groups-matching-chain-rule value="true" /> - Whether to use LDAP_MATCHING_RULE_IN_CHAIN to query nested group membership. Supported in Log Insight 3.3 and later when connected to Active Directory servers with a Domain Functional Level of 2008 or later; the default is true. Setting it to false reverts to the Log Insight 3.0 behavior.
       
    • <ad-nested-groups-matching-chain-rule-use-dn value="false" /> - Whether to use the full distinguished name to match objects. Supported in Log Insight 3.6 and later; the default is false. Setting it to true reverts to the Log Insight 3.3 behavior.
       
    • <ad-nested-groups-query-timeout value="30000" /> - Timeout in milliseconds for the nested group query. The default of 0 means no timeout.
       
    • <ad-domain-servers value="ns1.example.com:ns2.example.com" /> - Colon-delimited list of domain controllers to use. The default (blank) results in auto-discovery. If krb-domain-servers is specified, this list should normally match it.
       
    • <krb-domain-servers value="ns1.example.com:ns2.example.com" /> - Colon-delimited list of Kerberos domain controllers to use. The default (blank) results in auto-discovery. If ad-domain-servers is specified, this list should normally match it.
       
  3. Restart the Log Insight service for the configuration change to take effect:

    service loginsight restart
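The following script works through steps 1 and 2 against a configuration fragment and reports what a reviewer should check before performing step 3. It is an added example, not VMware code: it assumes the configuration is an XML document containing the <authentication><auth-method> structure shown in step 1, the sample document is constructed for the demonstration, and the validation and audit rules are the editor's own reading of the directive descriptions above (a single protocol for ad-protocols, numeric ports, true/false for the nested-group switches, matching domain-controller lists, and a timeout whenever nested groups are enabled).

```python
"""Apply advanced Active Directory directives to a Log Insight configuration.

Added example, not VMware's code. It assumes the configuration is an XML
document containing the <authentication><auth-method> structure from step 1;
the sample below is constructed for the demonstration and the audit rules are
the editor's reading of the directive descriptions in step 2.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the fragment the administration interface writes.
SAMPLE_CONFIG = """<config>
  <authentication>
    <auth-method value="ACTIVE-DIRECTORY">
      <enabled value="true" />
      <ad-domain value="domain.example.com" />
      <ad-username value="active directory username" />
      <ad-password value="encrypted password" />
    </auth-method>
  </authentication>
</config>
"""

ALLOWED_PROTOCOLS = {"LDAP", "LDAPS"}
PORT_DIRECTIVES = {"ad-ldap-port", "ad-ldaps-port"}
BOOL_DIRECTIVES = {
    "ad-nested-groups",
    "ad-nested-groups-matching-chain-rule",
    "ad-nested-groups-matching-chain-rule-use-dn",
}


def find_auth_method(root):
    """Return the ACTIVE-DIRECTORY <auth-method>, creating it (step 1) if absent."""
    auth = root.find("authentication")
    if auth is None:
        auth = ET.SubElement(root, "authentication")
    for method in auth.findall("auth-method"):
        if method.get("value") == "ACTIVE-DIRECTORY":
            return method
    return ET.SubElement(auth, "auth-method", value="ACTIVE-DIRECTORY")


def set_directive(method, name, value):
    """Add or update <name value="..."/> under <auth-method>, rejecting bad values."""
    if name == "ad-protocols" and value not in ALLOWED_PROTOCOLS:
        # "LDAP,LDAPS" is no longer a fallback list; only a single protocol is accepted.
        raise ValueError("ad-protocols must be exactly LDAP or LDAPS")
    if name in PORT_DIRECTIVES and not (value.isdigit() and int(value) <= 65535):
        raise ValueError(f"{name} must be a port number (0 = port from DNS lookup)")
    if name in BOOL_DIRECTIVES and value not in ("true", "false"):
        raise ValueError(f"{name} must be true or false")
    elem = method.find(name)
    if elem is None:
        elem = ET.SubElement(method, name)
    elem.set("value", value)
    return elem


def _value(method, name):
    """Attribute value of a directive element, or None if it is not set."""
    elem = method.find(name)
    return None if elem is None else elem.get("value")


def audit(method):
    """Return review findings to read before restarting the service (step 3)."""
    findings = []
    if _value(method, "ad-protocols") == "LDAP":
        findings.append("ad-protocols=LDAP: the bind credentials cross the network "
                        "without TLS; prefer LDAPS")
    if (_value(method, "ad-nested-groups") == "true"
            and _value(method, "ad-nested-groups-query-timeout") in (None, "0")):
        findings.append("ad-nested-groups enabled with no ad-nested-groups-query-timeout: "
                        "nested lookups are unbounded")
    ad_dcs = _value(method, "ad-domain-servers")
    krb_dcs = _value(method, "krb-domain-servers")
    if ad_dcs and krb_dcs and ad_dcs != krb_dcs:
        findings.append("ad-domain-servers and krb-domain-servers differ; "
                        "they should normally match")
    return findings


def apply_directives(config_text, directives):
    """Parse config_text, apply the directives, and return (new_xml, findings)."""
    root = ET.fromstring(config_text)
    method = find_auth_method(root)
    for name, value in directives.items():
        set_directive(method, name, value)
    return ET.tostring(root, encoding="unicode"), audit(method)


if __name__ == "__main__":
    xml_text, issues = apply_directives(SAMPLE_CONFIG, {
        "ad-protocols": "LDAPS",
        "ad-ldaps-port": "636",
        "ad-user-search-base": "cn=Users,dc=adtest,dc=local",
        "ad-nested-groups": "true",
        "ad-nested-groups-query-timeout": "30000",
    })
    print(xml_text)
    for issue in issues:
        print("finding:", issue)
```

The audit is deliberately conservative: it only flags combinations the directive descriptions themselves call out (an unencrypted bind protocol, unbounded nested-group queries, and mismatched domain-controller lists), so every finding maps back to one of the options listed in step 2.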


Additional Information