With the vCloud Application Director CLI you can create, activate, update, and delete LDAP configurations, and import LDAP users and groups into vCloud Application Director.

When you run an import command, vCloud Application Director performs the following steps:

1. Verifies that the LDAP user or group name exists in the LDAP server.

2. Creates an entry for that LDAP user or group in the vCloud Application Director database.

3. Stores the SID of the user or group in the database.

4. Associates the LDAP user or group in the database with the specified vCloud Application Director group and roles.

Note

Importing existing LDAP users and groups does not copy passwords or any other sensitive directory data into vCloud Application Director. Only the identity (name and SID) and the group and role associations are stored locally.

Imported LDAP users and groups that have roles assigned can log in to the vCloud Application Director Web interface with their LDAP credentials. The credentials themselves are verified by the LDAP server through the active LDAP configuration.

Verify that your user account has the ROLE_SYSTEM_ADMIN system administrator role assigned to it.

See Create and Activate an LDAP Configuration.

Using CLI to Manage LDAP Configurations

The following commands manage LDAP configurations and imported LDAP principals. Each command is followed by its description.

Note

An LDAP configuration name must not contain periods. A name with a period can cause an error, for example when you import an LDAP group.

create-ldap-config
    Creates an LDAP configuration and saves it in the vCloud Application Director database.

activate-ldap-config --configname LDAPConfigName
    Activates the named LDAP configuration so that the vCloud Application Director server authenticates users against that LDAP directory. An active configuration is required before you can import LDAP users.

update-ldap-config --configname LDAPConfigName
    Updates an existing LDAP configuration in the system.

import-ldap-group --name LDAPGroup --configname LDAPConfigName --group GroupName --roles ROLE_CLOUD_ADMIN
    Imports an existing LDAP group, makes it a member of the vCloud Application Director group GroupName, and assigns the listed roles, in this example the cloud administrator role, to the LDAP group. Because the roles are attached to the directory group rather than to individual accounts, every member of that group in the directory receives them, so review the group's membership before you grant it an administrative role.

    For example, to import an LDAP group called Admin Group into the vCloud Application Director group called Default and assign it the ROLE_CLOUD_ADMIN role:

    import-ldap-group --name "Admin Group" --group Default --configname LDAPConfigTest --roles ROLE_CLOUD_ADMIN

    Quote names that contain spaces, as shown for Admin Group.

import-ldap-user --name LDAPUser --configname LDAPConfigName --group GroupName --roles ROLE_CLOUD_ADMIN
    Imports an existing LDAP user, makes the user a member of the vCloud Application Director group GroupName, and assigns the listed roles, in this example the cloud administrator role, to the user.

    Note

    You must have an active LDAP configuration before you can import LDAP users.

update-ldap-user --name UserName --group GroupName --roles ROLE_APP_ARCHITECT
    Updates an existing user that was imported from the LDAP directory. In this example, the user is assigned the application architect role.

update-ldap-group --name LDAPGroupName --group GroupName --roles ROLE_CATALOG_ADMIN,ROLE_CLOUD_ADMIN
    Updates an existing group that was imported from the LDAP directory. Separate multiple roles with commas. In this example, the group is assigned the ROLE_CATALOG_ADMIN and ROLE_CLOUD_ADMIN roles.

list-ldap-configs
    Lists the LDAP configurations that exist in the system.

list-ldap-principals
    Lists all of the users and groups imported from the LDAP directory. Use it to audit which directory principals hold vCloud Application Director roles.

print-active-ldap-config
    Displays the details of the active LDAP configuration.

print-named-ldap-config --configname LDAPConfigName
    Displays the details of the named LDAP configuration.

delete-ldap-user --name UserName --configname LDAPConfigName
    Removes the imported user's record from the local vCloud Application Director database. The account in the LDAP directory is not changed.

delete-ldap-group --name GroupName --configname LDAPConfigName
    Removes the imported group's record from the local vCloud Application Director database. The group in the LDAP directory is not changed.

disable-ldap
    Deactivates the current LDAP configuration and removes LDAP authentication from the authentication chain, so that only local authentication is available.

    Deactivated LDAP configurations remain in the system and can be reactivated with activate-ldap-config.
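The four import steps described at the top of this page, and the import, update and delete commands in the table above, modeled as an added Python example. This is illustrative code written for this page, not vCloud Application Director's own CLI or database code: the DIRECTORY dict is a constructed directory snapshot with made-up user and group names and SIDs, a plain dict stands in for the product database, and the functions (import_principal, delete_principal, effective_roles) are hypothetical stand-ins for the import-ldap-*, delete-ldap-* commands and for the role lookup at login.

```python
"""Added example (not vCloud Application Director code): a model of the LDAP
import flow. The DIRECTORY dict is a constructed directory snapshot with
made-up names and SIDs, and a plain dict stands in for the product database."""
from dataclasses import dataclass

# Roles named on this page; any other role string is rejected up front.
KNOWN_ROLES = {"ROLE_SYSTEM_ADMIN", "ROLE_CLOUD_ADMIN",
               "ROLE_APP_ARCHITECT", "ROLE_CATALOG_ADMIN"}

# Constructed snapshot: name -> kind, SID and (for users) directory group membership.
DIRECTORY = {
    "Admin Group": {"kind": "group", "sid": "S-1-5-21-1000-2000-3000-1101"},
    "Ops Team":    {"kind": "group", "sid": "S-1-5-21-1000-2000-3000-1102"},
    "alice": {"kind": "user", "sid": "S-1-5-21-1000-2000-3000-1201",
              "member_of": {"Admin Group"}},
    "bob":   {"kind": "user", "sid": "S-1-5-21-1000-2000-3000-1202",
              "member_of": {"Ops Team"}},
    "carol": {"kind": "user", "sid": "S-1-5-21-1000-2000-3000-1203",
              "member_of": {"Admin Group", "Ops Team"}},
}


class LdapImportError(ValueError):
    """An import failed one of the checks described on the page."""


@dataclass
class Principal:
    """What the import stores locally: identity and authorization, no secrets."""
    name: str
    kind: str          # "user" or "group"
    sid: str
    configname: str    # LDAP configuration the principal was imported through
    app_group: str     # vCloud Application Director group it belongs to
    roles: frozenset


def check_config_name(configname):
    """Config names containing periods cause import errors, so reject them early."""
    if "." in configname:
        raise LdapImportError(f"config name {configname!r} must not contain periods")
    return configname


def import_principal(db, directory, name, kind, configname, app_group, roles):
    """import-ldap-user / import-ldap-group: verify the name exists in the
    directory (step 1), then create a local entry with its SID, group and
    roles (steps 2-4)."""
    check_config_name(configname)
    roles = frozenset(roles)
    if roles - KNOWN_ROLES:
        raise LdapImportError(f"unknown roles: {sorted(roles - KNOWN_ROLES)}")
    entry = directory.get(name)
    if entry is None or entry["kind"] != kind:
        raise LdapImportError(f"{kind} {name!r} not found in the LDAP directory")
    db[(kind, name)] = Principal(name, kind, entry["sid"], configname, app_group, roles)
    return db[(kind, name)]


def delete_principal(db, kind, name):
    """delete-ldap-user / delete-ldap-group: drop only the local record; the
    directory object is untouched. Returns True if a record existed."""
    return db.pop((kind, name), None) is not None


def effective_roles(db, directory, username):
    """Roles a directory user holds at login: roles imported for the user
    itself plus those of every imported group the directory lists the user
    in. Importing a group with ROLE_CLOUD_ADMIN therefore grants it to all
    of the group's members."""
    entry = directory.get(username)
    if entry is None or entry["kind"] != "user":
        return frozenset()
    roles = set()
    if ("user", username) in db:
        roles |= db[("user", username)].roles
    for group in entry.get("member_of", ()):
        if ("group", group) in db:
            roles |= db[("group", group)].roles
    return frozenset(roles)


def demo():
    """The page's example: import "Admin Group" into Default as cloud admin,
    import bob directly as application architect, report who gets what."""
    db = {}
    import_principal(db, DIRECTORY, "Admin Group", "group",
                     "LDAPConfigTest", "Default", ["ROLE_CLOUD_ADMIN"])
    import_principal(db, DIRECTORY, "bob", "user",
                     "LDAPConfigTest", "Default", ["ROLE_APP_ARCHITECT"])
    return {u: sorted(effective_roles(db, DIRECTORY, u))
            for u in ("alice", "bob", "carol", "dave")}
```

Running demo() shows the point that matters when assigning roles: alice and carol were never imported individually, yet both hold ROLE_CLOUD_ADMIN because the directory lists them in the imported Admin Group, while bob holds only the role imported for his account and dave, who is not in the directory, gets nothing. delete_principal on the group removes that access locally without touching the directory, which is what the delete-ldap-group command does.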