I got this request from a colleague who was helping a service provider with the following scenario: vCloud Director uses an external LDAP service, backed by a local Microsoft Active Directory, to authenticate all vCD users. Is the Veeam vCloud Director Self-Service Portal able to use this authentication and let those users into the portal? Let's find out.
Use AD authentication in vCD
As said, vCD in this case uses an external LDAP service at the system level, which means that every organization authenticates against the same AD. This configuration was described some years ago in a great post by Hugo Phan, but since that post is now 5 years old, I first checked whether it still works against the latest vCD 8.20.
My lab had previously used only vCD's internal authentication, so the first step was to add my local Active Directory as an external LDAP source.
First, I created a dedicated user, called vcd.service, for vCD to read information from my Active Directory. With this user, I went into the configuration section of vCD and configured the LDAP connection, like this:
Then, using the Test button, I go and search for this user to verify that the access to LDAP is working correctly:
As you can see, vCD is perfectly able to connect to LDAP and read the information about the user vcd.service.
The next step is to create a new AD user and use it to log in to vCD as a system administrator. The user I created is called vcd.admin. Usually, people want LDAP because they don't want to manage individual accounts in vCD on a daily basis, but would rather delegate all access management to the AD administrators. So, to keep things simple, I created a new group in AD, called VCD.System.ADministrators, and made vcd.admin a member of it:
Then, in the System configuration of vCD, under groups, I imported the newly created group as a new source for System Administrators:
Now, when I log in to the vCD management portal with this user, I'm granted full access and can open the configuration section. Here I can see that my new user was registered in the user list as soon as I logged in for the first time:
Veeam vCloud self-service portal and LDAP
So far, so good: vCD can use Active Directory as an external authentication source. What about the Veeam vCloud portal? In theory, authentication to the Veeam portal is entirely delegated to vCD, and external LDAP is fully supported. As I had never tested this option, though, I wanted to see it for myself.
I went into the configuration of one of my tenants, Customer1, and started by configuring the LDAP authentication. The option to use here is System LDAP, which means the tenant uses the LDAP source configured by the service provider:
I also created a dedicated OU in my Active Directory, called VCD, to hold all the groups and users involved in vCD activities. Here, alongside the system accounts described above, I created a new group, VCD.Customer1.Users, and added a new user, c1.ldap.admin, to it. First, as before, I added this group to the Organization Administrators of the tenant:
In fact, only Organization Administrators are allowed to log in to the Veeam vCloud portal. Once the group is added, I can log in to vCD with this LDAP user, this time through the tenant console. As before, the user is registered in the local list upon first login:
You can see in the upper right that I’m logged in as c1.ldap.admin, and the user is listed with type LDAP instead of local.
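As an added example (not the post's own commands), here is the Active Directory side of the setup described above scripted in PowerShell with the ActiveDirectory module: the VCD OU, the vcd.service bind account, the two groups and their members, plus an LDAPS bind and lookup performed with vcd.service's credentials, which is what the vCD Test button checks. The domain lab.local and the domain controller name dc01.lab.local are assumptions.

```powershell
# Added example, not from the original post. Assumed values: domain lab.local,
# domain controller dc01.lab.local. Run on a domain-joined host with RSAT installed.
Import-Module ActiveDirectory

$domainDn  = "DC=lab,DC=local"          # assumption
$ouDn      = "OU=VCD,$domainDn"
$upnSuffix = "lab.local"                # assumption

# Dedicated OU that holds every vCD-related account and group (the post's "VCD" OU)
New-ADOrganizationalUnit -Name "VCD" -Path $domainDn

# Bind account vCD uses to read the directory. A plain domain user already has read
# access, so it gets no group memberships and no admin rights.
New-ADUser -Name "vcd.service" -SamAccountName "vcd.service" `
    -UserPrincipalName "vcd.service@$upnSuffix" -Path $ouDn `
    -AccountPassword (Read-Host "vcd.service password" -AsSecureString) `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

# Groups that vCD imports: system administrators and the Customer1 organization admins
New-ADGroup -Name "VCD.System.ADministrators" -GroupScope Global -GroupCategory Security -Path $ouDn
New-ADGroup -Name "VCD.Customer1.Users"       -GroupScope Global -GroupCategory Security -Path $ouDn

# Human accounts: the group membership, not the account itself, grants the vCD role
foreach ($pair in @(@("vcd.admin", "VCD.System.ADministrators"), @("c1.ldap.admin", "VCD.Customer1.Users"))) {
    $sam, $group = $pair
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" -Path $ouDn `
        -AccountPassword (Read-Host "$sam password" -AsSecureString) -Enabled $true
    Add-ADGroupMember -Identity $group -Members $sam
}

# Check 1: the memberships vCD resolves at login
Get-ADGroupMember -Identity "VCD.System.ADministrators" | Select-Object SamAccountName
Get-ADGroupMember -Identity "VCD.Customer1.Users"       | Select-Object SamAccountName

# Check 2: the equivalent of vCD's Test button. Bind over LDAPS (636) as vcd.service
# and look up vcd.admin with its groups, using System.DirectoryServices.Protocols.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred   = (Get-Credential -UserName "vcd.service@$upnSuffix" -Message "bind password").GetNetworkCredential()
$server = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("dc01.lab.local", 636)
$conn   = New-Object System.DirectoryServices.Protocols.LdapConnection($server, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.Bind()   # throws LdapException if the bind account, its password or LDAPS is misconfigured
$req   = New-Object System.DirectoryServices.Protocols.SearchRequest($ouDn, "(sAMAccountName=vcd.admin)", [System.DirectoryServices.Protocols.SearchScope]::Subtree, @("memberOf"))
$entry = $conn.SendRequest($req).Entries[0]
$entry.Attributes["memberOf"].GetValues([string])   # should list CN=VCD.System.ADministrators,OU=VCD,...
```

If the bind in Check 2 fails while Check 1 succeeds, the problem is on the vCD-to-LDAP path (bind DN, password, port or certificate), not in the group setup.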
The last step is to verify that I can also log in to the Veeam vCloud portal with this user. I open the tenant-specific URL and log in:
The login is successful: I'm now managing the Veeam backups of Customer1, again as the user c1.ldap.admin, as you can see in the upper right corner.