Channel: VMware Communities: Message List - vSphere Upgrade & Install

vCenter Appliance 5.5 eDirectory integration


Just wanted to share my experience with setting up the SSO login with an eDirectory identity source via LDAP. It works fine, you just cannot administer SSO settings when logged in with an eDirectory account, but this is not an issue for me. So, for anybody trying to set it up, here it is:

 

- Set up a new OpenLDAP identity source.

- Name it as you like

- Base DN for users: - enter the appropriate base DN for your needs (e.g. ou=xxx,ou=yyy,o=zzz)

- Domain name: - you may enter your DNS domain name (e.g. company.com)

- Domain alias: - name it as you wish

- Base DN for groups: - enter the appropriate base DN for your needs (e.g. ou=xxx,ou=yyy,o=zzz) - it may be different from the users base DN above.

- Primary server URL: - preferably on the secure port (e.g. ldaps://eDirServerIP:636)

- Choose certificate: - only if you've selected the secure port above. Export your Organizational CA Self-signed certificate in BASE64 format and place it on your Desktop for example. When you click on the "Choose certificate" button, note that it only shows files with extension .cer, so you need to write *.* in the "File name" field so your BASE64 file is displayed and you can select it.

- Username: you need a read-only trustee of your base DN (or of your entire tree for example) in LDAP format (e.g. cn=someuser,ou=abc,ou=xxx,ou=yyy,o=zzz)

- Password: - as it states

 

Once you've done that, you'll see your identity source in the list and you can set it up as Default Identity Source (do it).

 

And voila! Now you may go to vCenter Home -> Hosts and Clusters -> Manage -> Permissions and assign the Administrator role for any object (the whole vCenter, or a single datacenter, or whatever) to a user or (better) a group from eDirectory.

 

Hopefully VMware will make it possible to assign SSO Administrator from eDirectory as well in a future release, but for the moment I'm fine with this. Definitely a step in the right direction for VMware to support non-MS environments.
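A pre-flight check for the "Primary server URL" and "Choose certificate" fields above, added here as an example that is not part of the original post: it accepts the CA export in BASE64 (PEM) or binary DER form, prints its fingerprint for comparison with what your CA reports, and confirms the LDAPS endpoint validates against that CA alone. The function names and command-line arguments are assumptions made for this sketch.

```python
import base64, hashlib, re, socket, ssl
from urllib.parse import urlsplit

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def load_ca_der(data: bytes) -> bytes:
    """Accept a BASE64 (PEM) or binary DER export and return the DER bytes."""
    m = PEM_RE.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    if not der.startswith(b"\x30"):  # every X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("file is neither a PEM nor a DER certificate")
    return der

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon-separated, to compare with the CA's own record."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def check_url(url: str) -> tuple:
    """Return (host, port); reject plain ldap://, which would expose the bind password."""
    u = urlsplit(url)
    if u.scheme != "ldaps" or not u.hostname:
        raise ValueError("primary server URL must be ldaps://host[:636]")
    return u.hostname, u.port or 636

def probe(url: str, ca_der: bytes, timeout: float = 5.0) -> str:
    """Handshake with the LDAPS server, trusting only the exported CA."""
    host, port = check_url(url)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cadata=ca_der)       # bytes are treated as DER
    # The handshake fails if the server certificate does not chain to this CA,
    # or does not list the host name / IP address used in the URL.
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

if __name__ == "__main__":
    import sys  # usage: script.py ldaps://eDirServerIP:636 exported-ca-file
    with open(sys.argv[2], "rb") as fh:
        ca = load_ca_der(fh.read())
    print("CA SHA-256:", fingerprint(ca))
    print("TLS handshake OK:", probe(sys.argv[1], ca))
```

A failed handshake here points at the certificate or the URL rather than at the bind account, which narrows down errors before the values are entered in the SSO dialog.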

