Univention as directory service source for VMware Horizon View
For a customer I’m setting up a VMware Horizon View environment for a crisis team that needs to have access to desktops when the shit hits the fan. The only requirement is that they have a desktop, some internal applications and that the environment will run. No UEM, no policies other than proxy settings, just a desktop for people to handle a crisis.
The issue with this environment is that the customer doesn’t have any Windows running; all servers they have are Linux based. The directory services are based on Univention, and so we had to create everything from scratch. Despite the title of this article, we can’t set up a VMware environment with Univention alone; we will need an Active Directory to assist us there.
So what have I done? I set up a small Active Directory domain, a certificate authority, a SQL server and a VMware environment. Just a small environment, but large enough to be productive and deliver desktops in case that is needed. Univention is the source of all user accounts and all groups they use, so Univention will be used to deliver all that information to the Active Directory through a one-way sync.
I thought it might be interesting to see and learn how this is done, you might run into the same environment yourself at some time.
To set up this sync, one-way or bi-directional, you need a couple of things. You need to set up/configure the following components to get it working.
- UCS AD connector
- Private key
- PEM certificate
First we need to install the package in the Univention environment so that we can connect and sync with Active Directory. From the package repository we select the Active Directory connection package and click to install it.
A reload of the management page is required to see the installation, so of course we click on Reload.
The installation is finished now and we are ready to set up the synchronisation, so we open the Active Directory connection module we just installed, select “Synchronisation of account data between an Active Directory and UCS domain” and click on Next.
We don’t want Univention to become part of an Active Directory domain; we want it to push data there and not take anything back.
So we need to tell Univention where the domain controller is and give it credentials to make a connection.
Once that is done we need to make sure both systems will trust each other. For Univention that is fixed by adding the root domain certificate to the Univention environment. Export the root certificate from your domain controller’s certificate MMC and upload it here.
The configuration on the Univention side is done now. Next we need to set up the components on the Active Directory side; synchronisation isn’t gonna happen just like that. As mentioned in the list above, a couple of components need to be installed, copied, etc. to get the synchronisation working.
So I downloaded all the components, switched to the Active Directory controller and went to configure it.
Active Directory installation
On the Active Directory side we need to install a connector to add the integration with the AD. The installation is straightforward, nothing difficult there.
There is not much to say about the installation, there are no options to pick from; next up is the vcredist installation.
…and again, nothing to say about this installation, just next, next, finish. Now we need to copy two files into the installation directory so that Active Directory will trust the Univention server. Both the private.key and the cert.pem file need to go there. The installation folder is C:\windows\UCS-AD-Connector.
We’re almost done, just one more job to do. Restart the UCS service on the domain controller and we can go back to the Univention console.
The Active Directory setup is complete; we continue on the Univention side and finish the installation there. Click on Finish to end the configuration.
As you will see now, the Active Directory service is running and all is working fine. If you need to upload a new root certificate you can do it from this page. Simply browse to the new certificate and click on Upload.
After a short while the users will be seen in the Active Directory. Whether all objects of the LDAP are synchronised depends on the way you set up the LDAP environment. Microsoft’s own standard here might be an issue, so that not all objects are synchronised. Users and groups are fine; we see issues with OUs that reside under a CN.
If you wonder why objects are not synchronised, you can look in log files on both the Active Directory controller and the Univention environment. On the Univention side we looked at the logs that reside in /var/log/univention/; the logs are called connector.log, connector-s4.log and connector-status.log. They will give you detailed information on what is synced.
We noted, as you can see in the log above, that the LDAP environment has a CN named roles and under that CN several OUs are created. The Active Directory can’t create a CN named roles and add the OUs there. Once you add a CN, that is a dead end.
We’re still investigating this….
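To spot this layout before the connector trips over it, here is a small check, added to this article and not part of the original post or of Univention’s connector: it walks a list of LDAP DNs and reports every one where an OU sits below a CN, which is exactly the "roles" structure described above. The DNs in it are constructed samples, not the customer’s directory, and the dc=example,dc=com base is an assumption.

```python
# Added example, not part of the original post or of the UCS AD connector:
# flag LDAP DNs that place an organizationalUnit below a CN, the layout the
# post reports Active Directory refused to create during synchronisation.
import re


def parse_dn(dn):
    """Split a DN into (attribute, value) RDN tuples, leaf first.

    Backslash-escaped commas inside a value ("cn=Smith\\, John") are kept
    together; multi-valued RDNs (a=x+b=y) are not handled, which is fine
    for the plain user/group/OU tree the post describes.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        rdns.append((attr.strip().lower(), value.replace('\\,', ',')))
    return rdns


def ou_under_cn(dn):
    """True if an ou= RDN has a cn= RDN anywhere above it (to its right)."""
    rdns = parse_dn(dn)
    for i, (attr, _) in enumerate(rdns):
        if attr == 'ou' and any(a == 'cn' for a, _ in rdns[i + 1:]):
            return True
    return False


def find_unsyncable(dns):
    """Return the DNs the AD side cannot reproduce because an OU sits below a CN."""
    return [dn for dn in dns if ou_under_cn(dn)]


# Constructed sample DNs for illustration, not taken from any real directory.
SAMPLE_DNS = [
    'cn=alice,ou=users,dc=example,dc=com',               # CN under OU: fine
    'ou=users,ou=people,dc=example,dc=com',              # OU under OU: fine
    'cn=Smith\\, John,ou=users,dc=example,dc=com',       # escaped comma in value
    'ou=helpdesk,cn=roles,dc=example,dc=com',            # OU under CN: will not sync
    'cn=operator,ou=crisis,cn=roles,dc=example,dc=com',  # deeper, same problem
]

if __name__ == '__main__':
    for dn in find_unsyncable(SAMPLE_DNS):
        print('OU below CN, AD cannot create it:', dn)
```

Feed it the DNs of your own UCS tree (for instance the output of an LDAP search limited to organizationalUnit objects) and every line it prints is an OU that will need to be moved before the connector can create it on the AD side.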
Configuring and installing the synchronisation between Univention and Active Directory is easy. Some issues are there, but they occur because of a configuration choice in the LDAP environment or because Microsoft created their own standard. With this synchronisation in place, users can be entitled for desktop pools in VMware Horizon View and we can set up access to Samba shares. I hope this article will help some of you in the future.