I will create the following accounts and groups in Active Directory for the vRNI configuration:
- vrni-joinad – Active Directory user account with delegated permission to join computers to the domain.
- vrni-admins – AD security group mapped to the VRNI_Administrator role (an administrator has complete access).
- vrni-auditor – AD security group mapped to the VRNI_Auditor role (an auditor has read-only access and is restricted from all create, add, edit or delete actions; users can only view state).
- vrni-member – AD security group mapped to the VRNI_Member role (a member has limited access).
- vrni – organizational unit (OU) in Active Directory that holds the groups and accounts above.
Open the platform UI, expand Settings, and click Identity and Access Management.
In Active Directory, create the OU, security groups and user accounts listed above.
Delegate the vrni-joinad account the permissions needed to join computers to the domain.
Go back to the platform UI and click the LDAP tab.
Enter the domain – vmware.local
Enter the LDAP URL – ldap://172.168.1.14:389 (plain LDAP on port 389; the bind credentials travel unencrypted unless the server requires TLS)
Click Group based access control.
Enter the Base DN – dc=vmware,dc=local
Enter the Group DNs:
cn=vrni-member,ou=vrni,dc=vmware,dc=local (Member)
cn=vrni-admins,ou=vrni,dc=vmware,dc=local (Administrator)
cn=vrni-auditor,ou=vrni,dc=vmware,dc=local (Auditor)
Select Restrict access to members of the above groups only.
Enter the join account details (vrni-joinad).
Click Submit.
Done.
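For the Active Directory side of the procedure above (create the OU, groups and join account, then delegate join rights), here is an added PowerShell example that is not part of the original post. It assumes the NetBIOS domain name is VMWARE and that vRNI computer objects will be created under the vrni OU; adjust both to match your environment.

```powershell
# Added example: builds the vrni OU, the three role groups and the join account,
# then delegates only the rights a domain-join needs (least privilege).
Import-Module ActiveDirectory

$DomainDN = 'DC=vmware,DC=local'
$OuName   = 'vrni'
$OuDN     = "OU=$OuName,$DomainDN"
$NetBios  = 'VMWARE'        # assumption: NetBIOS name of vmware.local
$JoinUser = 'vrni-joinad'

# 1. OU that holds the vRNI groups and the service account
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. One security group per vRNI role; their DNs go into the LDAP tab
foreach ($g in 'vrni-admins', 'vrni-auditor', 'vrni-member') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue)) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $OuDN
    }
}

# 3. Join account: prompt for the password rather than embedding it in the script
$JoinPassword = Read-Host -Prompt "Password for $JoinUser" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$JoinUser'" -ErrorAction SilentlyContinue)) {
    New-ADUser -Name $JoinUser -SamAccountName $JoinUser -UserPrincipalName "$JoinUser@vmware.local" `
        -Path $OuDN -AccountPassword $JoinPassword -Enabled $true -PasswordNeverExpires $true
}

# 4. Delegate the standard domain-join rights on the OU (assumption: computers
#    joined by vRNI land here). Create computer objects on the OU itself; on
#    computer objects beneath it: reset password, write account restrictions,
#    validated writes to DNS host name and SPN. Nothing broader is granted.
$Trustee = "$NetBios\$JoinUser"
dsacls $OuDN /I:T /G "${Trustee}:CC;computer"
dsacls $OuDN /I:S /G "${Trustee}:CA;Reset Password;computer"
dsacls $OuDN /I:S /G "${Trustee}:WP;Account Restrictions;computer"
dsacls $OuDN /I:S /G "${Trustee}:WS;Validated write to DNS host name;computer"
dsacls $OuDN /I:S /G "${Trustee}:WS;Validated write to service principal name;computer"

# 5. Print the group DNs to paste into the vRNI Group DN fields
foreach ($g in 'vrni-member', 'vrni-admins', 'vrni-auditor') {
    (Get-ADGroup $g).DistinguishedName
}
```

Run it once as a domain administrator; afterwards `dsacls $OuDN` lets you review that only the listed ACEs were added for the join account.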