One of the big announcements in Log Insight 4.5 is the deprecation of native Active Directory authentication. In this post, I would like to cover the topic as well as the alternative authentication mechanism that should be used instead. Read on to learn more!
UPDATE: Since the release of this blog post, changes have been made to the release notes as well as to the KB they refer to. This post has been updated to reflect the latest official communication from VMware.
Since Log Insight 1.0, authentication via both local accounts and Active Directory has been supported in the UI. In Log Insight 4.5, the UI clearly states that Active Directory support is deprecated:
The warning itself contains a hyperlink to the release notes, which state the following:
- VMware Identity Manager (vIDM) is recommended for vRealize Log Insight. Native Active Directory support within vRealize Log Insight will be removed in a later version. You can download a licensed version of vIDM for use with this release from the vRealize Log Insight Download page.
- See https://www.vmware.com/support/pubs/identitymanager-pubs.html for VMware Identity Manager documentation.
- For information about migrating from Active Directory to vIDM, see the following Knowledge Base article: https://kb.vmware.com/kb/2148976
To be 100% clear here: native Active Directory support is deprecated BUT STILL SUPPORTED in Log Insight 4.5. The KB also warns that the feature may be removed in a future version:
Although direct connectivity from VMware vRealize Log Insight to Active Directory is still supported in Log Insight 4.5, it may be removed in a future version.
In any case, it is strongly recommended you move to VIDM sooner rather than later.
To make this process easier, VIDM is available for download on the same download page as Log Insight. Note that using VIDM with Log Insight is free and does not require a separate license (this applies to all editions of LI), and you can get support for VIDM under your existing Log Insight support agreement (i.e. just file a normal support request). The question then becomes: how do you migrate from Active Directory to VIDM in Log Insight? The good news is that I already covered this in a previous post. Be sure to read that post carefully, as it also covers the differences between AD and VIDM. Most importantly, API authentication via VIDM is not supported, and this is still true in Log Insight 4.5, so any scripts or integrations that authenticate to the Log Insight API will continue to need a local or Active Directory account rather than a VIDM user.
In my upcoming blog posts, I will cover how to deploy and configure VIDM to work with Log Insight. In the meantime, be sure to check out the Log Insight + VIDM post on the VMware Management blog and if you have additional comments either leave a comment here or on the VMware communities thread.
© 2017, Steve Flanders. All rights reserved.
Looking forward to your future posts on config. I notice there is to identity manager OVA so even that simple thing will be helped with your blog. I guess I could RTFM but would rather read your blog!
Hey Michael — thanks for the comment. VIDM is available as an OVA and should be on the LI download page. I will definitely have some tips and tricks in my blog post so stay tuned!
Hi Steve,
Thank you for clarifying the vendor’s policy on using VIDM for LI!
Your blog also helps a lot with tips and tricks for using LI in production. Cheers
Happy to help!
Thanks for this clarification! I could not believe that we had to license VIDM. Now it's clear that we don't have to.
One question though:
On LI download site there are two VIDM downloads available. Which one is needed? The Identity Manager or the Identity Manager Connector?
VMware Identity Manager 2.9.1.0 - Virtual Appliance
VMware Identity Manager Connector 2.9.1.0 - Virtual Appliance
I am a rookie with VIDM …
The connector is for connecting to the SaaS version of VIDM — you likely want the non-connector.