{"id":1028,"date":"2021-08-13T20:50:00","date_gmt":"2021-08-13T20:50:00","guid":{"rendered":"https:\/\/labiol.xyz\/?p=1028"},"modified":"2022-01-13T20:53:34","modified_gmt":"2022-01-13T20:53:34","slug":"aws-directory-service-for-cloud-director-service","status":"publish","type":"post","link":"https:\/\/www.labiol.xyz\/index.php\/2021\/08\/13\/aws-directory-service-for-cloud-director-service\/","title":{"rendered":"AWS Directory Service for Cloud Director Service"},"content":{"rendered":"\n<p>CDS &#8211; Cloud Director Services &#8211; SaaS implementation of Cloud Director for VMware Cloud Providers that can be connected to VMware in AWS (VMC) and provide the interface to the customer to manage their infrastructure.<\/p>\n\n\n\n<p>CDS is a brilliant service which saves a lot of time when compared to the Cloud Director in the on-premise environment in terms of maintaining and resolving potential issues.<\/p>\n\n\n\n<p>CDS takes the whole advantage of VMC to the next level where the VMC environment can be divided between customers, departments, etc, with the advantage of having super fast, highly scalable, implemented according to the best practices VMware implementation in Public Cloud.<\/p>\n\n\n\n<p>Anyway, CDS similarly to the Cloud Director (on-prem) will need infrastructure services that can fulfill all the requirements. One of such services is authentication. In on-prem we can potentially (and usually) use Microsoft AD. 
In the cloud we can of course do the same, but why not use native cloud services?<\/p>\n\n\n\n<p>Our target is to use a single authentication service for CDS and vCenter (in VMC).<\/p>\n\n\n\n<p>The challenge is that the two products support different identity sources:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>vCenter supports Active Directory, AD over LDAP and OpenLDAP<br><img loading=\"lazy\" decoding=\"async\" width=\"461\" height=\"103\" src=\"https:\/\/lh4.googleusercontent.com\/RDQi_JyP0HUpd2JLY-Iw5bV3dAhsbRLQuyB44HcrshqEDGsb5c9fAf9B3ghTc-LS9Xn-S20prlMb-0ZFlvbrhZIu-SfyJAb-OBGW3IXX1gRrT_VaEktIP4VVhCDJwn1wLhlYih3v\"><br><\/li><li>CDS supports SAML, Active Directory and OpenLDAP<br><img loading=\"lazy\" decoding=\"async\" width=\"248\" height=\"100\" src=\"https:\/\/lh5.googleusercontent.com\/m7VRwpuQ_SmH0IjrbfLNl9d0IlbgN2VRpNSFCVHptz6rjegSl9JUh3o9Hi6Aj4HruqB3ancp9tMC4Atbdu-SrsBFygGPFff8rkckQbrZa-QYm3C4D2dboyE96p6oaiYXWUOCJWAy\"><br><\/li><\/ul>\n\n\n\n<p>In this scenario we will use the following components:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>CDS &#8211; Cloud Director Service (VMware Cloud Director as a Service)<\/li><li>VMC\/vCenter &#8211; VMware Cloud on AWS<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Network Load Balancer (NLB)<\/li><li>AWS Simple AD<\/li><li>Route 53 record<\/li><li>LDAPS client &#8211; to verify communication<\/li><li>Certificate Manager<\/li><\/ul>\n\n\n\n<p>The proposed implementation is shown in the following diagram:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/t-BR20LjEm-tC-S5yBjJkKNzeYfqOk18ISfbwr1DnJm7JMCAKL0c87M7QOlFLmdtlyMLfVagxh0QOSBk13QjBJQnRLiyHh3ahrqvHnsctf42AKH6sLkzXVP3dAGirtNLVgP_6HeP\" alt=\"\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>The client &#8211; CDS, vCenter or others &#8211; sends an LDAPS request to TCP port 636 (the default)<\/li><li>The NLB terminates the SSL\/TLS session using the certificate and forwards the decrypted LDAP traffic to Simple AD over 
tcp\/389<\/li><li>Simple AD sends the response back to the NLB, where it is encrypted and sent to the client. Note that the NLB-to-Simple AD hop is plain LDAP, so it should stay inside the VPC.<\/li><\/ul>\n\n\n\n<p>Troubleshooting:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Ticket to VMware &#8211; to open the outside communication from CDS to the LDAPS endpoint<\/li><li><code>openssl s_client -connect yourdomain.domain:636<\/code> &#8211; verifies the TLS handshake and the certificate presented by the NLB<\/li><li><code>ldapsearch -D \"Admin@yourdomain.domain\" -H 'ldaps:\/\/yourdomain.domain' -b \"dc=yourdomain,dc=domain\" -W -s base '(objectclass=*)' -vvv -x<\/code> &#8211; with an <code>ldaps:\/\/<\/code> URI the connection is already TLS, so no StartTLS flag is needed<\/li><\/ul>\n\n\n\n<p>References:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/aws.amazon.com\/blogs\/security\/how-to-configure-ldaps-endpoint-for-simple-ad\/\">https:\/\/aws.amazon.com\/blogs\/security\/how-to-configure-ldaps-endpoint-for-simple-ad\/<\/a><\/li><li><a href=\"https:\/\/docs.vmware.com\/en\/VMware-Cloud-Director-service\/services\/getting-started-with-vmware-cloud-director-service\/GUID-149EF3CD-700A-4B9F-B58B-8EA5776A7A92.html\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/docs.vmware.com\/en\/VMware-Cloud-Director-service\/services\/getting-started-with-vmware-cloud-director-service\/GUID-149EF3CD-700A-4B9F-B58B-8EA5776A7A92.html<\/a><\/li><li><a href=\"https:\/\/aws.amazon.com\/blogs\/security\/how-to-configure-an-ldaps-endpoint-for-simple-ad\/\">https:\/\/aws.amazon.com\/blogs\/security\/how-to-configure-an-ldaps-endpoint-for-simple-ad\/<\/a><\/li><li><a href=\"https:\/\/docs.aws.amazon.com\/directoryservice\/latest\/admin-guide\/simple_ad_getting_started.html\">https:\/\/docs.aws.amazon.com\/directoryservice\/latest\/admin-guide\/simple_ad_getting_started.html<\/a><\/li><li><a 
href=\"https:\/\/docs.vmware.com\/en\/VMware-Cloud-Director\/10.2\/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide\/GUID-4ECA36E9-E051-489C-A039-67621DE2C688.html\">https:\/\/docs.vmware.com\/en\/VMware-Cloud-Director\/10.2\/VMware-Cloud-Director-Service-Provider-Admin-Portal-Guide\/GUID-4ECA36E9-E051-489C-A039-67621DE2C688.html<\/a><\/li><\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CDS &#8211; Cloud Director Services &#8211; SaaS implementation of Cloud Director for VMware Cloud Providers that can be connected to VMware in AWS (VMC) and provide the interface to the customer to manage their infrastructure. CDS is a brilliant service which saves a lot of time when compared to the &hellip; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-1028","post","type-post","status-publish","format-standard","hentry","category-vmware"],"_links":{"self":[{"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/posts\/1028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/comments?post=1028"}],"version-history":[{"count":1,"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/posts\/1028\/revisions"}],"predecessor-version":[{"id":1029,"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/posts\/1028\/revisions\/1029"}],"wp:attachment":[{"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/media?parent=1028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.labiol.xyz\/index
.php\/wp-json\/wp\/v2\/categories?post=1028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.labiol.xyz\/index.php\/wp-json\/wp\/v2\/tags?post=1028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}