Automating the creation and management of vCenter Single Sign-On (SSO) users was not possible in prior releases of vSphere; this operation had to be performed manually using the vSphere Web Client.
With vSphere 6.0, you can now easily create and manage SSO users using a new command-line utility called dir-cli, which is included within the Platform Services Controller (PSC). Below are the paths to the dir-cli utility on both Windows VC and the VCSA.
Windows VC 6.0:
- C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe
VCSA 6.0:
- /usr/lib/vmware-vmafd/bin/dir-cli
Below are a few examples of using the dir-cli command; you can find more information in the vSphere 6.0 Documentation here. If you wish to automate dir-cli operations without being prompted for the SSO Administrator password, just specify the --password option. You can also change the SSO Administrator username by specifying the --login option.
Creating a new SSO user:
/usr/lib/vmware-vmafd/bin/dir-cli user create --account william --first-name william --last-name lam --user-password 'VMware1!'
Adding the new user to the SSO group called "Administrators" and then listing the group's members:
/usr/lib/vmware-vmafd/bin/dir-cli group modify --name Administrators --add william
/usr/lib/vmware-vmafd/bin/dir-cli group list --name Administrators
Resetting the password for an SSO user:
/usr/lib/vmware-vmafd/bin/dir-cli password reset --account william --new 'VMware1!!'
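Putting the three commands above together, here is an added example (my own script for this post, not something shipped with vSphere) of a re-runnable provisioning script for the VCSA: it creates the user only if it does not already exist and adds it to the group only if it is not already a member, so it is safe to run from a config-management tool more than once. It makes a few assumptions beyond what the post states: the SSO Administrator password is read from an SSO_ADMIN_PASSWORD environment variable rather than typed on the command line (anything passed as an argument is visible in ps output and shell history on the appliance), the admin login defaults to administrator@vsphere.local, the "dir-cli user find-by-name --account" subcommand is available to test for an existing account, and "dir-cli group list" prints one member DN per line in the form shown in the comments below.

```shell
#!/bin/sh
# Added example, not code from the original post. Provisions an SSO user with
# dir-cli on a VCSA 6.0 PSC and adds it to a group, skipping each step that
# has already been done so the script can be re-run safely.
# Assumptions (not stated in the post): SSO admin password comes from the
# SSO_ADMIN_PASSWORD environment variable; "dir-cli user find-by-name --account"
# exists for the existence check; "dir-cli group list" prints one DN per line.
set -eu

DIR_CLI="${DIR_CLI:-/usr/lib/vmware-vmafd/bin/dir-cli}"
SSO_LOGIN="${SSO_LOGIN:-administrator@vsphere.local}"   # assumed default admin login

# Every dir-cli call goes through here: the admin credentials are appended in
# one place, and the function can be replaced by a stub when testing the script.
run_dir_cli() {
    "$DIR_CLI" "$@" --login "$SSO_LOGIN" \
        --password "${SSO_ADMIN_PASSWORD:?set SSO_ADMIN_PASSWORD in the environment}"
}

# Returns 0 if the account already exists in the SSO domain, non-zero otherwise.
sso_user_exists() {
    run_dir_cli user find-by-name --account "$1" >/dev/null 2>&1
}

# Returns 0 if the account is already listed among the group's members.
# Members are printed as DNs, e.g. cn=william,cn=Users,dc=vsphere,dc=local.
sso_group_has_member() {
    run_dir_cli group list --name "$1" | grep -i -q "^cn=$2,"
}

# Create the account unless it already exists. The user's initial password
# still has to be passed to dir-cli as an argument (--user-password), so the
# caller should treat it as an initial password that the user resets.
sso_user_ensure() {
    account="$1" first="$2" last="$3" password="$4"
    if sso_user_exists "$account"; then
        echo "user $account already exists, skipping create"
    else
        run_dir_cli user create --account "$account" --first-name "$first" \
            --last-name "$last" --user-password "$password"
        echo "created user $account"
    fi
}

# Add the account to the group unless it is already a member.
sso_group_ensure_member() {
    group="$1" account="$2"
    if sso_group_has_member "$group" "$account"; then
        echo "$account already in $group"
    else
        run_dir_cli group modify --name "$group" --add "$account"
        echo "added $account to $group"
    fi
}

main() {
    # usage: SSO_ADMIN_PASSWORD=... ./sso-user.sh <account> <first> <last> <initial-password> [group]
    sso_user_ensure "$1" "$2" "$3" "$4"
    sso_group_ensure_member "${5:-Administrators}" "$1"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because every dir-cli call is funnelled through run_dir_cli, the script can be exercised without a PSC by redefining that one function, and the --login/--password handling lives in exactly one place if you later switch to a different admin account.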
- vCenter Server 6.0 Tidbits Part 1: What install & deployment parameters did I use?
- vCenter Server 6.0 Tidbits Part 2: What is my SSO Domain Name & Site Name?
- vCenter Server 6.0 Tidbits Part 3: Finding all deployed Platform Services Controller
- vCenter Server 6.0 Tidbits Part 4: Finding all deployed vCenter Servers
- vCenter Server 6.0 Tidbits Part 5: New method of patching the VCSA
- vCenter Server 6.0 Tidbits Part 6: Customizing VCSA’s DCUI
- vCenter Server 6.0 Tidbits Part 7: Connecting to SSO/PSC using JExplorer
- vCenter Server 6.0 Tidbits Part 8: Useful ldapsearch queries for vmdird
- vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli
- vCenter Server 6.0 Tidbits Part 10: Automating SSO Admin configurations
- vCenter Server 6.0 Tidbits Part 11: Automate SSO Admin password change
- vCenter Server 6.0 Tidbits Part 12: New methods of downloading Support Bundles for VCSA / PSC
Sam says
William, thanks for this, helped immensely. Upon further Googling, there's a VMware document here: https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-4FBEA58E-9492-409B-B584-C18477F041D8.html
This contains the line in reference to the dir-cli command: "Use this command only during prototyping". Are there going to be any differences between a user created via the GUI vs the CLI, or is there another reason for VMware to include this warning?
William Lam says
There should not, as I believe the UI just leverages the CLI. You can always file an SR to get some additional details if you have concerns.
NUTA Andreea says
I would like to know if it is possible, after I create new SSO users, to add that user to an existing Role instead of a Group. I was searching for a command similar to the one provided for the group but I was unable to find a role parameter in dir-cli.
I have also tried in PowerCLI (get folder xxxx | NewVIPermissions -Role YYYYY -Principal 'user') and got an error that NewVIPermissions is not recognized.
Any suggestion on what I could try?
BlueArcher says
Without having tried it yet, I would like to ask whether it is possible to use this to add AD users to SSO groups, for an ID source that is already configured?
Jim Keller says
I would like to know if this is possible as well. I have my domain Identity source available, however I cannot use the dir-cli command to add an AD user to a vSphere group.
William Lam says
Jim,
You need to use the vSphere API to add the AD groups into vSphere groups. That is NOT managed in the PSC.
Juan Sierra Pons says
Hi William,
I haven't been able to locate the API endpoint to add the AD groups into vSphere groups.
Can you point me in the right direction?
Thanks for your time
Juan Sierra Pons says
I have found a workaround to add AD groups to the local administrator group. Basically add the entry in the local LDAP.
1.- Get the AD group's SID
/opt/likewise/bin/lw-find-group-by-name |grep -A 4 -B4 {YOUR_GROUP}
2.- Create the modify.ldiff file
dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
changetype: modify
add: member
member: externalObjectId=S-1-5-21-2095319962-865614604-1317366612-1118
Where externalObjectId is the AD group's SID
3.- Launch the ldapmodify command to add the entry
ldapmodify -h localhost -x -w 'PASSWORD' -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -f modify.ldiff
modifying entry "cn=Administrators,cn=Builtin,dc=vsphere,dc=local"
4.- Check that the group has been added
/usr/lib/vmware-vmafd/bin/dir-cli group list --name Administrators
Enter password for *protected email*:
cn=Administrator,cn=Users,dc=vsphere,dc=local
CN=machine-eecd0735-94fa-4d17-8e41-437badaf21ae,CN=ServicePrincipals,DC=vsphere,DC=local
CN=vsphere-webclient-eecd0735-94fa-4d17-8e41-437badaf21ae,CN=ServicePrincipals,DC=vsphere,DC=local
externalObjectId=S-1-5-21-2095319962-865614604-1317366612-111
From here, automating it using Ansible should be pretty straightforward.
Hope it helps!
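As an added example following the workaround in the comment above (my own script, not Juan's or VMware's code), the steps 2 to 4 can be scripted so that the SID is validated before anything is written to vmdir: a mistyped SID creates an externalObjectId member that resolves to nothing, and the comment's own LDIF and its verification output already differ in the last digit of the SID, which is exactly the kind of slip a check catches. This follows the direct-LDAP workaround, not the vSphere API route William points to. Assumptions not in the comment: the bind password is read from a file via ldapmodify -y (rather than -w on the command line, which shows up in ps and shell history), the PSC is reached on localhost, and the group DN and bind DN are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example, not code from the comment above. Builds the LDIF that adds an
# AD group (by SID) to the SSO Administrators group in vmdir, after checking
# that the value really is a SID, then applies it with ldapmodify.
# Assumptions: the bind password is in the file named by VMDIR_PASSWORD_FILE
# (ldapmodify -y), and the PSC's LDAP is reachable on localhost.
set -eu

# A Windows group SID: "S-1-", an identifier authority, then one or more
# sub-authorities. Anything else is rejected before it reaches vmdir.
is_sid() {
    printf '%s' "$1" | grep -Eq '^S-1-[0-9]+(-[0-9]+)+$'
}

# Print the LDIF that adds one externalObjectId member to a group DN.
ldif_add_sid_member() {
    group_dn="$1" sid="$2"
    is_sid "$sid" || { echo "not a SID: $sid" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: externalObjectId=%s\n' \
        "$group_dn" "$sid"
}

# Apply LDIF from stdin as the vsphere.local Administrator.
apply_ldif() {
    bind_dn="$1" password_file="$2"
    ldapmodify -h localhost -x -D "$bind_dn" -y "$password_file"
}

main() {
    # usage: VMDIR_PASSWORD_FILE=/root/.vmdirpw ./add-ad-group.sh <group-SID>
    sid="$1"
    ldif_add_sid_member "cn=Administrators,cn=Builtin,dc=vsphere,dc=local" "$sid" |
        apply_ldif "cn=Administrator,cn=Users,dc=vsphere,dc=local" \
            "${VMDIR_PASSWORD_FILE:?set VMDIR_PASSWORD_FILE}"
    # Step 4 from the comment: confirm the member is now listed
    # (dir-cli prompts for the admin password here unless --password is given).
    /usr/lib/vmware-vmafd/bin/dir-cli group list --name Administrators |
        grep -i "externalObjectId=$sid"
}

# Only act when invoked with a SID, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Keeping the password in a file that only root can read (chmod 600) and handing it to ldapmodify with -y keeps it out of the argument list; the LDIF itself never needs to touch disk.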
cspnanda says
Thanks William. Is there a way to add a user to the vsphere.local or localos domain on the PSC via the API? Is it possible in 6.5? If yes, can you point me to what APIs I need to look at?
Shwetha says
Hi William,
Could you please let us know if there is a further blog/update on the vSphere API to add AD groups into SSO groups on the VCSA?
Lalatendu says
Is it possible to create a new vCenter (VCSA) user using PowerCLI?
leonwilliam says
I also want to know whether PowerCLI 6 can add a new vCenter SSO user through PowerCLI.
leonwilliam says
Is it possible to create a new vCenter (VCSA) user using PowerCLI? I tried to use New-VMHostAccount, but the result was "Unable to create a local user group on an ESXi 5.1."
Kevin says
I have a strange issue with an older vCenter that we only use for archive now. It has vCenter 6.5 on it. I was able to sign into the web interface of the vCenter a couple of months ago, but I can no longer sign in, even with the admin local account. However, I can SSH into the vCenter using the admin local account. I can create a new SSO account following your directions, but that new account cannot sign into the web interface either. Any ideas?