vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli

05.29.2015 by William Lam // 14 Comments

Automating the creation and management of vCenter Single Sign-On (SSO) users was not possible in prior releases of vSphere; this operation had to be performed manually using the vSphere Web Client.

With vSphere 6.0, you can now easily create and manage SSO users using a new command-line utility called dir-cli, which is included with the Platform Services Controller (PSC). Below are the paths to the dir-cli utility on both the Windows vCenter Server and the VCSA.

Windows VC 6.0:

  • C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe

VCSA 6.0:

  • /usr/lib/vmware-vmafd/bin/dir-cli

Below are a few examples of using the dir-cli command; you can find more information in the vSphere 6.0 documentation. If you wish to automate dir-cli operations without being prompted for the SSO Administrator password, specify it with the --password option. Keep in mind that a password given on the command line ends up in the shell history and is visible to other local users in the process list, so in scripts prefer reading it from a restricted file or environment variable. You can also change the SSO Administrator username with the --login option.

Creating a new SSO user:

/usr/lib/vmware-vmafd/bin/dir-cli user create --account william --first-name william --last-name lam --user-password 'VMware1!'

Adding new user to SSO group called "Administrators":

/usr/lib/vmware-vmafd/bin/dir-cli group modify --name Administrators --add william

List users in an SSO group:

/usr/lib/vmware-vmafd/bin/dir-cli group list --name Administrators

Reset the password for an SSO user:

/usr/lib/vmware-vmafd/bin/dir-cli password reset --account william --new 'VMware1!!'

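As an added example (not code from the original post), here is a small POSIX shell wrapper over the commands above that only creates the user when it is missing and only adds it to the group when the group listing does not already show it. The `dir-cli user find-by-name` subcommand, the DIRCLI_ADMIN_PW variable and the sample group-list output are assumptions, not taken from the post:

```shell
#!/bin/sh
# Added example (not from the original post): idempotent wrapper around dir-cli that
# creates an SSO user if it is missing and then makes sure it is in a group. The SSO
# Administrator password is read from DIRCLI_ADMIN_PW rather than typed literally,
# so it does not land in the shell history.
DIRCLI="${DIRCLI:-/usr/lib/vmware-vmafd/bin/dir-cli}"

# Return 0 if ACCOUNT appears in the output of `dir-cli group list --name GROUP`.
# Member lines look like "cn=william,cn=Users,dc=vsphere,dc=local"; matched
# case-insensitively because the listing mixes cn= and CN=. Service principals
# (CN=...,CN=ServicePrincipals,...) are deliberately not matched.
group_has_member() {  # $1 = group list output, $2 = account name
    printf '%s\n' "$1" | grep -iq "^cn=$2,cn=users,"
}

# Constructed sample output in the format dir-cli prints, used for offline self-checks.
SAMPLE_GROUP_LIST='cn=Administrator,cn=Users,dc=vsphere,dc=local
CN=machine-00000000-0000-0000-0000-000000000000,CN=ServicePrincipals,DC=vsphere,DC=local'

# Create ACCOUNT if it does not exist yet, then add it to GROUP unless it is
# already a member. `dir-cli user find-by-name` is assumed from the dir-cli
# reference; it is not shown in the post.
ensure_sso_user() {  # $1 account, $2 first name, $3 last name, $4 user password, $5 group
    admin_pw="${DIRCLI_ADMIN_PW:?set DIRCLI_ADMIN_PW to the SSO Administrator password}"
    if ! "$DIRCLI" user find-by-name --account "$1" --password "$admin_pw" >/dev/null 2>&1; then
        "$DIRCLI" user create --account "$1" --first-name "$2" --last-name "$3" \
            --user-password "$4" --password "$admin_pw" || return 1
    fi
    members=$("$DIRCLI" group list --name "$5" --password "$admin_pw") || return 1
    if group_has_member "$members" "$1"; then
        echo "$1 is already a member of $5"
    else
        "$DIRCLI" group modify --name "$5" --add "$1" --password "$admin_pw"
    fi
}

# Usage: DIRCLI_ADMIN_PW=... ./ensure-sso-user.sh <account> <first> <last> <user-password> <group>
if [ "$#" -eq 5 ]; then
    ensure_sso_user "$@"
fi
```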

  • vCenter Server 6.0 Tidbits Part 1: What install & deployment parameters did I use?
  • vCenter Server 6.0 Tidbits Part 2: What is my SSO Domain Name & Site Name?
  • vCenter Server 6.0 Tidbits Part 3: Finding all deployed Platform Services Controller
  • vCenter Server 6.0 Tidbits Part 4: Finding all deployed vCenter Servers
  • vCenter Server 6.0 Tidbits Part 5: New method of patching the VCSA
  • vCenter Server 6.0 Tidbits Part 6: Customizing VCSA’s DCUI
  • vCenter Server 6.0 Tidbits Part 7: Connecting to SSO/PSC using JExplorer
  • vCenter Server 6.0 Tidbits Part 8: Useful ldapsearch queries for vmdird
  • vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli
  • vCenter Server 6.0 Tidbits Part 10: Automating SSO Admin configurations
  • vCenter Server 6.0 Tidbits Part 11: Automate SSO Admin password change
  • vCenter Server 6.0 Tidbits Part 12: New methods of downloading Support Bundles for VCSA / PSC


Categories // Automation, vSphere 6.0 Tags // dir-cli, platform service controller, psc, sso

Comments

  1. Sam says

    12/02/2015 at 1:20 pm

    William, thanks for this, helped immensely. Upon further Googling, there's a VMware document here: https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-4FBEA58E-9492-409B-B584-C18477F041D8.html

    This contains the line in reference to the dir-cli command: "Use this command only during prototyping". Are there going to be any differences between a user created via the GUI vs the CLI, or is there another reason for VMware to include this warning?

    • William Lam says

      12/05/2015 at 6:38 am

      There should not, as I believe the UI just leverages the CLI. You can always file an SR to get some additional details if you have concerns.

    • NUTA Andreea says

      04/13/2017 at 5:48 am

      I would like to know if it is possible, after I create new SSO users, to add that user to an existing Role instead of a Group. I was searching for a command similar to the one provided for the group, but I was unable to find a role parameter in dir-cli.
      I have also tried in PowerCLI (get folder xxxx | NewVIPermissions -Role YYYYY -Principal 'user'); the error is that NewVIPermissions is not recognized.
      Any suggestion on what I could try?

  2. BlueArcher says

    04/05/2016 at 12:48 pm

    Without having tried it yet, I would like to ask whether it is possible to use this to add AD users to SSO groups, for an ID source that is already configured?

    • Jim Keller says

      11/04/2016 at 10:43 am

      I would like to know if this is possible as well. I have my domain Identity source available; however, I cannot use the dir-cli command to add an AD user to a vSphere group.

      • William Lam says

        11/04/2016 at 12:38 pm

        Jim,

        You need to use the vSphere API to add the AD groups into vSphere groups. That is NOT managed in the PSC.

        • Juan Sierra Pons says

          05/18/2021 at 1:19 am

          Hi William,

          I haven't been able to locate the API endpoint to add the AD groups into vSphere groups.

          Can you point me in the right direction?

          Thanks for your time

          • Juan Sierra Pons says

            05/20/2021 at 9:27 am

            I have found a workaround to add AD groups to the local administrator group. Basically add the entry in the local LDAP.

            1.- Get the AD group's SID
            /opt/likewise/bin/lw-find-group-by-name |grep -A 4 -B4 {YOUR_GROUP}

            2.- Create the modify.ldiff file
            dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
            changetype: modify
            add: member
            member: externalObjectId=S-1-5-21-2095319962-865614604-1317366612-1118

            Where externalObjectId is the AD group's SID

            3.- Launch the ldapmodify command to add the entry
            ldapmodify -h localhost -x -w 'PASSWORD' -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -f modify.ldiff
            modifying entry "cn=Administrators,cn=Builtin,dc=vsphere,dc=local"

            4.- Check that the group has been added

            /usr/lib/vmware-vmafd/bin/dir-cli group list --name Administrators
            Enter password for *protected email*:
            cn=Administrator,cn=Users,dc=vsphere,dc=local
            CN=machine-eecd0735-94fa-4d17-8e41-437badaf21ae,CN=ServicePrincipals,DC=vsphere,DC=local
            CN=vsphere-webclient-eecd0735-94fa-4d17-8e41-437badaf21ae,CN=ServicePrincipals,DC=vsphere,DC=local
            externalObjectId=S-1-5-21-2095319962-865614604-1317366612-111

            From here, automating it using Ansible should be pretty straightforward.

            Hope it helps!

  3. cspnanda says

    06/02/2017 at 9:47 am

    Thanks William. Is there a way to add a user to the vsphere.local or localos domain on the PSC via the API? Is it possible in 6.5? If yes, can you point me to what APIs I need to look at?

  4. Shwetha says

    03/20/2018 at 4:25 am

    Hi William,

    Could you please let us know if there is a further blog/update on the vSphere API to add AD groups into SSO groups on the VCSA.

  5. Lalatendu says

    04/03/2018 at 2:34 am

    Is it possible to create a new vCenter (VCSA) user using PowerCLI?

    • leonwilliam says

      08/07/2018 at 11:22 pm

      I also want to know the truth of whether PowerCLI 6 can add a new vCenter SSO user through PowerCLI.

  6. leonwilliam says

    08/07/2018 at 11:21 pm

    Is it possible to create a new vCenter (VCSA) user using PowerCLI? I tried to use New-VMHostAccount, but the result is "Unable to create a local user group on an ESXi 5.1".

  7. Kevin says

    11/23/2021 at 8:49 am

    I have a strange issue with an older vCenter that we only use for archive now. It has vCenter 6.5 on it. I was able to sign into the web interface of the vCenter a couple of months ago, but I can no longer sign in even with the admin local account. However, I can SSH into the vCenter using the admin local account. I can create a new SSO account following your directions, but that new account cannot sign into the web interface either. Any ideas?

