Typically user information is already stored in an Active Directory or LDAP server. Before you can create pools and assign users to desktops, you must configure the desired Active Directory/LDAP server and the Oracle VDI. The following information describes the user directory types supported by Oracle VDI.
Active Directory integration is the recommended choice for production platforms integrating with Microsoft Active Directory. Active Directory integration requires additional configuration (Kerberos configuration and time synchronization) on the Oracle VDI hosts. To set up Active Directory integration quickly, for example, for testing purposes, you can use LDAP Types, see Section 4.1.2, “LDAP Types”.
See Section 4.2, “Supported User Directories” for details of the supported versions of Active Directory.
The users from the Active Directory can be used for desktop and pool assignments and will be able to access desktops provided by Oracle VDI. On top of this basic feature, Active Directory integration offers the following functionalities:
Active Directory integration enables access to all the users from a forest and makes those users available for desktop and pool assignments. This means that the users from the different sub-domains of the forest will be able to access desktops from Oracle VDI.
For more details on supported forest configurations, see Section 4.10, “About Complex Forest Configurations”.
Active Directory integration allows computer entries to be removed from the Active Directory when cloned desktops are deleted by the Oracle VDI.
When a Windows desktop (cloned in the Oracle VDI) joins a domain through Sysprep, a new computer entry is typically created in the Active Directory. Configuring the Oracle VDI with Kerberos Authentication allows the Oracle VDI to remove these computer entries from the Active Directory when it deletes unused desktops. This avoids computer entries piling up in the Active Directory long after the matching desktops have been destroyed.
Active Directory integration allows users to update their password (Section 7.2.6, “How to Change User Password”) in the Active Directory server either before this password has expired (optional action) or after the password has expired (mandatory action).
You can choose from the following supported Active Directory types:
Kerberos Authentication - The typical choice when integrating with Microsoft Active Directory.
See Section 4.5, “How to Set Up Kerberos Authentication” for more information.
Public Key Authentication - To be used to integrate with Microsoft Active Directory when the domain controller requires LDAP signing, see: http://support.microsoft.com/kb/935834.
See Section 4.6, “How to Set Up Public Key Authentication” for more information.
LDAP integration is the recommended choice for integrating with other types of LDAP directories or for setting up Active Directory integration quickly. The setup is straightforward, without the need for extra configuration.
See Section 4.2, “Supported User Directories” for details of the supported LDAP directories.
LDAP integration allows users to update their password (Section 7.2.6, “How to Change User Password”) in the directory server only before this password has expired. If the user password expires, the user will be required to update it using a customer-provided process external to Oracle VDI.
LDAP Integration offers three security types for authentication: anonymous, simple, and secure:
Anonymous Authentication - Useful for a quick integration with an LDAP server but not recommended for production environments. Anonymous Authentication may only be chosen if the LDAP server supports anonymous authentication. Active Directory does not support Anonymous Authentication.
See Section 4.7, “How to Set Up Anonymous Authentication” for more information.
Simple Authentication - The recommended choice for production platforms integrating with LDAP directories other than Active Directory. If integrating with Active Directory, use Kerberos Authentication, see Section 4.5, “How to Set Up Kerberos Authentication”. A default restriction in Active Directory prevents password updates from an LDAP Simple Authentication.
See Section 4.8, “How to Set Up Simple Authentication” for more information.
Secure Authentication - Use this to protect the connection to the directory over SSL, when the directory supports it.
See Section 4.9, “How to Set Up Secure Authentication” for more information.
When a user gets a desktop from Oracle VDI (via the desktop selector), Oracle VDI passes the user credentials to the desktop so the user does not have to re-enter them at the desktop login. One way Oracle VDI enables users to authenticate is through their email address; however, an email address is not a valid user name on the desktop side.
Before Oracle VDI passes the credentials to the desktop, it tries to resolve the email address into a username@domain format by retrieving the user ID attribute and the user's default domain from the user directory. If using LDAP, Oracle VDI cannot detect the default domain, so you need to set the directory.default.domain property using the vda directory-setprops command. If you don't set this property, users will have to authenticate again on the desktop side.
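The resolution step described above, as an added illustration that is not Oracle VDI's own code: a login given as an email address is looked up in the directory, the user ID attribute is combined with the default domain, and, when the default domain is unknown (the LDAP case where directory.default.domain has not been set), the login is left unresolved so the user will be prompted again at the desktop. The directory entries, the attribute names (mail, sAMAccountName) and the property dictionary standing in for what vda directory-setprops stores are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory entries standing in for LDAP search results.
# The attribute names are assumptions for this example, not Oracle VDI settings.
DIRECTORY_ENTRIES = [
    {"mail": "alice@corp.example.com", "sAMAccountName": "alice"},
    {"mail": "bob@corp.example.com", "sAMAccountName": "bob"},
]

# Constructed stand-in for the directory properties. The key name comes from
# the text; how Oracle VDI stores it internally is not modelled here.
DIRECTORY_PROPS_LDAP = {}  # LDAP integration with directory.default.domain unset
DIRECTORY_PROPS_SET = {"directory.default.domain": "CORP.EXAMPLE.COM"}


@dataclass
class Resolution:
    login: str      # what is handed to the desktop
    resolved: bool  # False: the user will have to authenticate again


def default_domain(props: dict) -> Optional[str]:
    """Return the configured default domain, or None if it was never set."""
    value = props.get("directory.default.domain", "").strip()
    return value or None


def find_entry_by_mail(login: str, entries) -> Optional[dict]:
    """Case-insensitive lookup of a directory entry by its mail attribute."""
    wanted = login.lower()
    for entry in entries:
        if entry.get("mail", "").lower() == wanted:
            return entry
    return None


def resolve_login(login: str, entries, domain: Optional[str]) -> Resolution:
    """Turn an email-address login into username@domain where possible.

    Any failure (unknown address, entry without a user ID attribute, or no
    default domain) leaves the original login in place and flags it as
    unresolved, which is the case where the desktop prompts for credentials.
    """
    entry = find_entry_by_mail(login, entries)
    if entry is None:
        return Resolution(login, False)
    user_id = entry.get("sAMAccountName")
    if not user_id or domain is None:
        return Resolution(login, False)
    return Resolution(f"{user_id}@{domain}", True)


if __name__ == "__main__":
    for props in (DIRECTORY_PROPS_SET, DIRECTORY_PROPS_LDAP):
        result = resolve_login("alice@corp.example.com", DIRECTORY_ENTRIES,
                               default_domain(props))
        state = "resolved" if result.resolved else "unresolved (re-authentication)"
        print(f"{result.login}: {state}")
```

Running the block shows the two outcomes the text describes: with the default domain configured the desktop receives alice@CORP.EXAMPLE.COM, and without it the email address is passed through unresolved.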
If you have an expert understanding of user directory integration and would like to optimize Oracle VDI for your user directory, refer to the following sections: