I have written about using JXplorer before which is a free LDAP browser utility that can connect to vCenter SSO's vmdird (VMware Directory Service) which you can find more details here. In vSphere 6.0, there are a couple of minor changes you will need to be aware of if you need to connect to SSO which is now located in the Platform Services Controller. The first change is that port 11711 is no longer used and has now changed to 389 when performing a fresh install of vSphere 6.0, else the port will be preserved as noted in the comments section. The second change when using JXplorer to connect to the vmdird is that BaseDN property is no longer needed and if you try to specify it, you will not be able to connect.
Here are the updated instructions to connect to vmdird in vSphere 6.0 which is now located in the PSC or in an embedded deployment.
Disclaimer: Please take extreme caution when connecting to the vmdird database, this is primary for educational purposes. You should take extreme care in making changes while in the database else you can negatively impact your environment.
Host: Hostname/IP Address of PSC
Protocol: LDAPv3
Port: 389
Level: User + Password
User DN: cn=Administrator,cn=Users,dc=vghetto,dc=local
User DN: SSO Admin Password
In addition, I also wanted to also mention a couple more tidbits that could come in handy when connecting directly to the vmdird, especially in a troubleshooting scenario. The first is finding the SSO Domain Name which is displayed by expanding the tree, in my environment it is called vghetto.local and the second is finding the SSO Site Name which is under "Configuration->Sites" which can be seen in the screenshot below.
On top of that, if you wish to find all deployed PSC's, you can do so by expanding "Configuration->Sites->Servers" and by expanding each of those sub-entries you can also see if they are replicating to other PSC's.
If you wish to find all deployed and connected vCenter Servers associated with the current PSC, you can expand "Computers".
- vCenter Server 6.0 Tidbits Part 1: What install & deployment parameters did I use?
- vCenter Server 6.0 Tidbits Part 2: What is my SSO Domain Name & Site Name?
- vCenter Server 6.0 Tidbits Part 3: Finding all deployed Platform Services Controller
- vCenter Server 6.0 Tidbits Part 4: Finding all deployed vCenter Servers
- vCenter Server 6.0 Tidbits Part 5: New method of patching the VCSA
- vCenter Server 6.0 Tidbits Part 6: Customizing VCSA’s DCUI
- vCenter Server 6.0 Tidbits Part 7: Connecting to SSO/PSC using JExplorer
- vCenter Server 6.0 Tidbits Part 8: Useful ldapsearch queries for vmdird
- vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli
- vCenter Server 6.0 Tidbits Part 10: Automating SSO Admin configurations
- vCenter Server 6.0 Tidbits Part 11: Automate SSO Admin password change
- vCenter Server 6.0 Tidbits Part 12: New methods of downloading Support Bundles for VCSA / PSC
Good explanation. Only use the VMware CLI tools to do operations on the directory. Adding users directly wont work for example. Read only. Any tool that supports LDAPv3 such as LDAPBrowser, MMC should also work.
Hi William, Just one note to add - 11711 will still be showing as used by vmdird.exe and will allow connections to be made through that port. Docs say only for environments upgraded from 5.5 - http://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-ECEA77F5-D38E-4339-9B06-FF9B78E94B68.html&resultof=%22389%22%20
Thanks for the clarification MT
Using LDP.exe on a Windows system also works. It is useful because you can enable the control to see the contents of the Deleted Objects container (https://support.microsoft.com/en-us/kb/284928), which apparently never gets cleaned up :sigh:
Hi William,
Thank you for the post, it's very helpful in trying to isolate a strange issue I'm experiencing with my new vCenter 6 Windows servers w/ External PSCs. I have two sites and two vCenter servers with one PSC per Site and replication between sites. When I login to the first site via Web Client w/ AD credentials I am able to see both vCenter servers, however, if i login to the second site vCenter server w/ AD credentials I get an "Empty Inventory" error. Using the vsphere.local admin account I can see both sites on both servers, which leads me to believe it's something to do with permission replication between the sites.
I also think it may have to do with servers names and case differences. Using the JExplorer tool I looked at the configuration tree for both sites and noticed that one of my PSCs has the replication agreement ldap URL (labledURI is the attribute value) in all lower case (srvvcpsc2vm.x.com), but the other one has the proper case format (srvVCPSC1vm.x.com). The names are properly capitalized throughout the rest of the system so I am wondering if this particular type value is throwing things off. I can only get one vCenter server at a time to work properly with AD credentials, I've even found a way to go from one to another by logging into the Web Client using the vsphere.local admin account, going to SSO Configuration, then I remove the only Local OS entry (srvVCPSC1vm) and add in a new Local OS entry for srvVCPSC2vm, when I do that I can then login to the srvVC2vm (paired with srvVCPSC2vm) server and see both vCenter servers and vice versa. I would really like to get to a point where I can login to either one and see both inventories with AD credentials. I also tried to add a second local OS entry for the second PSC (either one), but it won't allow me to add one with the existing entry.
I did try to rename the labledURI value, but it didn't work. Any insight would be greatly appreciated, I've already talk with support, but they weren't really able to understand the issue, thus I've resorted to months of Google searches and blog posts.
Thomas,
I would recommend filing an SR w/VMware GSS to troubleshoot further. I would not recommend modifying PSC DB as it could further impact your env.
William Lam, sts expired ,update certificate form certool sts is not vaild