Custom Active Directory configuration for VMware vRealize Log Insight (2079763)

Purpose

This article provides guidance for customizing advanced options for Active Directory integration in Log Insight beyond what is available in the administrative user interface.

VMware vRealize Log Insight 2.0 and higher supports integration with Active Directory for authentication. The administrative user interface provides settings for the default binding domain, a username and password, and whether SSL is required.

Resolution

Specify advanced Active Directory configuration directives in XML form using one of the methods described in Changing internal configuration options in VMware vRealize Log Insight (2123058). In Log Insight 3.0 and higher, you must use the web browser method.

  1. Find or create the <authentication> tag. If Active Directory integration was enabled in the administration interface, it appears similar to:

    <authentication>
        <auth-method value="ACTIVE-DIRECTORY">
           <enabled value="true" />
           <ad-domain value="domain.example.com" />
           <ad-username value="active directory username" />
           <ad-password value="encrypted password" />
        </auth-method>
    </authentication>

  2. Optionally add or modify additional configuration options inside the <auth-method> tag:

    • <ad-protocols value="LDAP,LDAPS" /> - Protocols used for connections. The administration interface can set this to LDAP,LDAPS or to LDAPS; it can be set manually to LDAP only. Protocols are tried in the order specified.

    • <ad-ldap-port value="389" /> - Port used for LDAP connections. Common choices are 389 (LDAP) or 3269 (Global Catalog). The default of 0 uses the port number returned by the DNS lookup.

    • <ad-ldaps-port value="636" /> - Port used for SSL (LDAPS) connections. Common choices are 636 (LDAPS) or 3269 (Global Catalog). The default of 0 uses the port number returned by the DNS lookup.

    • <ad-search-base value="cn=configuration,dc=adtest,dc=local" /> - Custom search base used for the Active Directory configuration partition. The default (blank) searches the entire domain.

    • <ad-user-search-base value="cn=Users,dc=adtest,dc=local" /> - Custom search base used for user queries. Users outside this search base cannot be added in the Users administration interface. The default (blank) searches the entire domain.

    • <ad-group-search-base value="cn=Groups,dc=adtest,dc=local" /> - Custom search base used for group queries. Groups outside this search base cannot be added in the Users administration interface. The default (blank) searches the entire domain.

    • <ad-nested-groups value="false" /> - Whether to enable traversal of nested group membership. For more information about the performance implications of this option, see Authentication with Active Directory is slow in VMware vRealize Log Insight 3.0 when users belong to multiple nested groups (2138356). The default of false honors direct group membership only.

    • <ad-nested-groups-matching-chain-rule value="true" /> - Whether to use LDAP_MATCHING_RULE_IN_CHAIN to query nested group membership. Supported in Log Insight 3.3 and later when connected to Active Directory servers with Domain Functional Level 2008 and later; the default is true. Setting it to false reverts to the Log Insight 3.0 behavior.

    • <ad-nested-groups-matching-chain-rule-use-dn value="false" /> - Whether to use the full distinguished name to match objects. Supported in Log Insight 3.6 and later; the default is false. Setting it to true reverts to the Log Insight 3.3 behavior.

    • <ad-nested-groups-query-timeout value="30000" /> - Timeout in milliseconds for the nested group query. The default of 0 means no timeout.

    • <ad-domain-servers value="ns1.example.com:ns2.example.com" /> - Colon-delimited list of domain controllers to use. The default (blank) results in auto-discovery. If krb-domain-servers is specified, this list should normally match it.

    • <krb-domain-servers value="ns1.example.com:ns2.example.com" /> - Colon-delimited list of Kerberos domain controllers to use. The default (blank) results in auto-discovery. If ad-domain-servers is specified, this list should normally match it.

  3. Restart the Log Insight service for the configuration change to take effect.
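The following is an added review script, not part of this KB article or of Log Insight itself: it parses an <authentication> fragment in the form shown above, fills in the defaults the article states for absent directives, and flags settings a security reviewer would question before restarting the service (plaintext LDAP left in ad-protocols, auto-discovered or mismatched domain controllers, unscoped search bases, nested groups with no query timeout). The sample XML and the service account name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample <authentication> block; values are illustrative only.
SAMPLE_CONFIG = """
<authentication>
    <auth-method value="ACTIVE-DIRECTORY">
        <enabled value="true" />
        <ad-domain value="domain.example.com" />
        <ad-username value="svc-loginsight" />
        <ad-password value="encrypted password" />
        <ad-protocols value="LDAP,LDAPS" />
        <ad-nested-groups value="true" />
        <ad-nested-groups-query-timeout value="0" />
    </auth-method>
</authentication>
"""

# Defaults the KB article states for directives that are absent from the XML.
DEFAULTS = {
    "ad-protocols": "LDAP,LDAPS", "ad-domain-servers": "", "krb-domain-servers": "",
    "ad-user-search-base": "", "ad-group-search-base": "",
    "ad-nested-groups": "false", "ad-nested-groups-query-timeout": "0",
}

def directives(xml_text):
    """Return {directive: value} for the ACTIVE-DIRECTORY auth-method, with defaults filled in."""
    root = ET.fromstring(xml_text.strip())
    for method in root.iter("auth-method"):
        if method.get("value") == "ACTIVE-DIRECTORY":
            return {**DEFAULTS, **{child.tag: child.get("value", "") for child in method}}
    raise ValueError("no ACTIVE-DIRECTORY auth-method found")

def review(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = directives(xml_text)
    findings = []
    protocols = [p.strip().upper() for p in d["ad-protocols"].split(",") if p.strip()]
    if "LDAP" in protocols:  # protocols are tried in order, so LDAP first means a cleartext bind attempt
        findings.append("ad-protocols permits plaintext LDAP; set LDAPS only so binds cannot fall back to cleartext")
    if not d["ad-domain-servers"] or not d["krb-domain-servers"]:
        findings.append("domain controllers are auto-discovered; pin ad-domain-servers and krb-domain-servers")
    elif d["ad-domain-servers"] != d["krb-domain-servers"]:
        findings.append("ad-domain-servers and krb-domain-servers differ; the KB says they should match")
    if not d["ad-user-search-base"] or not d["ad-group-search-base"]:
        findings.append("user or group search base is blank; scope them so only intended containers are searched")
    if d["ad-nested-groups"].lower() == "true" and d["ad-nested-groups-query-timeout"] == "0":
        findings.append("nested groups enabled with no query timeout; set ad-nested-groups-query-timeout")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIG):
        print("-", finding)
```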
