Utilizzo di Active Directory come fonte di autenticazione (Federation) (EN)

Learn how to use you Active Directory server as an authentication source for your vSphere users.

Last updated 10th February 2022

Objective

This guide aims at explaining the details of implementing an Active Directory server as an authentication source on the OVHcloud Managed Bare Metal.

Discover how to use your Active Directory server as an authentication source for your vSphere users.

Requirements

  • A Managed Bare Metal offer.
  • An Active Directory service reachable from a public IP address and with a valid SSL certificate on LDAPS service.
  • A user access on the associated Active Directory with at least read-only access (for LDAPS connection).
  • Access to the Managed Bare Metal vSphere management interface.

Instructions

Retrieve needed information

vCenter to Active Directory connection is done using LDAPS protocol exposed by the Active Directory server.

Preparing configuration setup, you need to retrieve the following information:

  • Active Directory domain name (FQDN).
  • Active Directory domain alias (NetBIOS name).
  • Active Directory public IP address.
  • Active Directory LDAPS hostname. This is the name used inside the SSL certificate of the LDAPS service, it must resolve to the public IP address of the Active Directory server.
  • LDAPS service port (636 by default)
  • Base DN (Base Distinguished Name) for users. This is the DN from which users will be searched. For example: cn=Users,dc=example,dc=com
  • Base DN (Base Distinguished Name) for groups. This is the DN from which groups will be searched. For example: cn=Groups,dc=example,dc=com
  • Username and password of a domain user that will be used to connect to the LDAPS server. It must be at least a read-only user on the Active Directory server sections specified on the two "Base DN" fields above. Must be a pre-Windows 2000 username, in the UPN format (user@eample.com).

For more information, you can refer to the VMware documentation.

In addition to the previous information, you will need to retrieve the SSL certificate fingerprint (SHA1 Fingerprint) of the Active Directory LDAPS service.

You can retrieve this information with the method of your choice.

  • You can use this PowerShell command on the Active Directory server:
Get-ChildItem -Path Cert:\LocalMachine\MY | Select-Object -property FriendlyName, Subject, NotBefore, NotAfter, @{label='Thumbprint';'Expression'={$_.thumbprint -replace '(..(?!$))','$1:'}}

Here, it is the value on the right side of the colon sign:

> Thumbprint : BB:46:CA:6B:FC:92:4E:96:B4:BB:6E:44:7E:8F:AD:4C:C9:32:AB:AB
  • You can also use the following OpenSSL command (from a distant Linux/Unix/Mac machine):
openssl s_client -connect ad.example.com:636 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

Here, it is the value on the right side of the equal sign:

> SHA1 Fingerprint=BB:46:CA:6B:FC:92:4E:96:B4:BB:6E:44:7E:8F:AD:4C:C9:32:AB:AB

Allow Active Directory access from the Managed Bare Metal

Retrieve your Managed Bare Metal IP address with the method of your choice.

You can use this command on the Active Directory server or any remote Windows machine:

nslookup pcc-198-51-100-121.ovh.com

Here, it is the value at the end of the last line:

> Address:  198.51.100.121

You can alternatively use the following command (from a remote Linux/Unix/Mac machine):

host pcc-198-51-100-121.ovh.com

Here, it is the value at the end of the line:

> pcc-198-51-100-121.ovh.com has address 198.51.100.121

Use the retrieved IP address to allow your Managed Bare Metal to access the Active Directory LDAPS server (by default on TCP port 636).

This operation can be done on your Active Directory server firewall or your company firewall.

Here is a firewall rule configuration example:

Remote IP address (source) Local IP address (destination) Remote port (source) Local port (destination) Protocol
198.51.100.121 All addresses All ports 636 TCP

Adapt this configuration to your company and apply that rule on your firewall.

Add your Active Directory server as an authentication source

Setting up an Active Directory as an authentication source is done through the OVHcloud API.

Retrieve your « serviceName » using the following API call:

Then, use the following API call to add your Active Directory server as an authentication source.

You will have to specify information retreived from the previous steps. Do not check the "noSsl" checkbox.

POST /dedicatedCloud/{serviceName}/federation/activeDirectory

Make sure the return operation is successful. You can follow its progress through the OVHcloud Control Panel on your Managed Bare Metal Operations tab.

If the provided information is invalid, the operation will be canceled and a message will show the returned error.

Canceled operation

Allow an Active Directory user to access your Managed Bare Metal

You can allow an Active Directory user to access your Managed Bare Metal through the OVHcloud API.

Retrieve your « activeDirectoryId » using the following API call:

Then, use the following API call to allow an Active Directory user to access your Managed Bare Metal.

You will have to specify the "pre-Winows 2000" username as it is inside your Active Directory.

POST /dedicatedCloud/{serviceName}/federation/activeDirectory/{activeDirectoryId}/grantActiveDirectoryUser

Make sure the return operation is successful. You can follow its progress through the OVHcloud Control Panel on your Managed Bare Metal Operations tab.
If the provided information is invalid, the operation will be canceled and a message will show the returned error.

Once allowed, the user and its permissions will be manageable directly from you OVHcloud Control Panel as any other Managed Bare Metal user.

By default, the user does not have any permission on your Managed Bare Metal. It will be able to connect to your Managed Bare Metal but it will not have any access. You can adjust the permissions from the OVHcloud Control Panel.

Allow an Active Directory group to access your Managed Bare Metal

You can allow directly an Active Directory user set (group) to access your Managed Bare Metal through the OVHcloud API.

Retrieve your « activeDirectoryId » using the following API call:

Then, use the following API call to allow an Active Directory group to access your Managed Bare Metal.

You will have to specify the "pre-Winows 2000" group name as it is inside your Active Directory.

POST /dedicatedCloud/{serviceName}/federation/activeDirectory/{activeDirectoryId}/grantActiveDirectoryGroup

Make sure the return operation is successful. You can follow its progress through the OVHcloud Control Panel on your Managed Bare Metal Operations tab.
If the provided information is invalid, the operation will be canceled and a message will show the returned error.

Once allowed, the group and its permissions will be manageable directly from your OVHcloud Control Panel as any other Managed Bare Metal user.

By default, the group does not have any permission on your Managed Bare Metal. Its members will be able to connect to your Managed Bare Metal but they will not have any access. You can adjust the permissions from the OVHcloud Control Panel.

Go further

Join our community of users on https://community.ovh.com/en/.


Questa documentazione ti è stata utile?

Prima di inviare la valutazione, proponici dei suggerimenti per migliorare la documentazione.

Immagini, contenuti, struttura... Spiegaci perché, così possiamo migliorarla insieme!

Le richieste di assistenza non sono gestite con questo form. Se ti serve supporto, utilizza il form "Crea un ticket" .

Grazie per averci inviato il tuo feedback.


Potrebbero interessarti anche...

OVHcloud Community

Accedi al tuo spazio nella Community Fai domande, cerca informazioni, pubblica contenuti e interagisci con gli altri membri della Community OVHcloud

Discuss with the OVHcloud community

Conformemente alla Direttiva 2006/112/CE e successive modifiche, a partire dal 01/01/2015 i prezzi IVA inclusa possono variare in base al Paese di residenza del cliente
(i prezzi IVA inclusa pubblicati includono di default l'aliquota IVA attualmente in vigore in Italia).