A common request that I have heard from customers is the ability to automate vCenter Single Sign-On configurations programmatically. Unfortunately, this is currently not possible, as no public API exists for SSO. Having spent some time exploring the underlying vmdir database, which is just an LDAP-based system (here & here), and having learned of a way to update a particular key in the vmdir database per KB2070433 (which I have shown here and found here), I wanted to see if it was possible to query for these specific SSO Admin configurations and also to update these properties.
Disclaimer: Please take extreme caution when connecting to the vmdird database. Take extreme care when making changes in the database; otherwise you can negatively impact your environment.
There are three main sections to the SSO Admin configurations that can be seen from the vSphere Web Client:
- Password Policies
- Lockout Policy
- Token Policy
For each section, I have provided the specific ldapsearch query (please refer to this article as a prerequisite), which can be run either directly on the VCSA, if you are using that, or from any system that includes the ldapsearch command. You will need to replace the text highlighted in blue with your own environment details.
Password Policies & Lockout Policy
To view the following set of configurations, here is the ldapsearch query to use:
```
/opt/likewise/bin/ldapsearch -h 192.168.1.70 -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "cn=password and lockout policy,dc=vghetto,dc=local"
```
Here is a screenshot of the Password Policies as seen in the vSphere Web Client and their corresponding LDAP property names:
| UI Setting | LDAP Attribute Name |
|---|---|
| Maximum lifetime | vmwPasswordLifetimeDays |
| Restrict reuse | vmwPasswordProhibitedPreviousCount |
| Maximum length | vmwPasswordMaxLength |
| At least special character | vmwPasswordMinSpecialCharCount |
| At least alphabetic character | vmwPasswordMinAlphabeticCount |
| At least uppercase character | vmwPasswordMinUpperCaseCount |
| At least lowercase character | vmwPasswordMinLowerCaseCount |
| At least numeric character | vmwPasswordMinNumericCount |
| Identical adjacent characters | vmwPasswordMaxIdenticalAdjacentChars |
Here is a screenshot of the Lockout Policy as seen in the vSphere Web Client and the corresponding LDAP property names:
| UI Setting | LDAP Attribute Name |
|---|---|
| Maximum number of failed login attempts | vmwPasswordChangeMaxFailedAttempts |
| Time interval between failures | vmwPasswordChangeFailedAttemptIntervalSec |
| Unlock time | vmwPasswordChangeAutoUnlockIntervalSec |
Token Policy
To view the following configuration, here is the ldapsearch query to use:
```
/opt/likewise/bin/ldapsearch -h 192.168.1.70 -w 'VMware1!' -x -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -b "cn=Tenants,cn=IdentityManager,cn=Services,dc=vghetto,dc=local" -s sub "objectclass=vmwSTSTenant"
```
Here is a screenshot of the Token Policy as seen in the vSphere Web Client and their corresponding LDAP property names:
| UI Setting | LDAP Attribute Name |
|---|---|
| Clock tolerance | vmwSTSClockTolerance |
| Maximum token renewal count | vmwSTSRenewCount |
| Maximum token delegation count | vmwSTSDelegationCount |
| Maximum bearer token lifetime | vmwSTSMaxBearerTokenLifetime |
| Maximum holder-of-key token lifetime | vmwSTSMaxHolderOfKeyTokenLifetime |
Now that we know how to query for a particular SSO configuration, here is how you can modify one of these properties. In the example below, we will change the lifetime of a password, which dictates how often an SSO user's password must be changed. Using the "Password Policies" table above, we can see that the property is called vmwPasswordLifetimeDays.
To modify an LDAP entry, we first need to create a file that contains the change. In this example we will name it change.ldif, and it should contain the following, where the "replace" keyword names the property being modified and the next line gives the value it will be changed to:
```
dn: cn=password and lockout policy,dc=vghetto,dc=local
changetype: modify
replace: vmwPasswordLifetimeDays
vmwPasswordLifetimeDays: 30
```
To apply the change, we now run the following ldapmodify command, specifying our change.ldif file:
```
/opt/likewise/bin/ldapmodify -f change.ldif -h 192.168.1.70 -D "cn=Administrator,cn=Users,dc=vghetto,dc=local" -w 'VMware1!'
```
If the change was successful, you can confirm it either by querying the property again with the ldapsearch command or by simply refreshing the SSO configuration in the vSphere Web Client.
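As an added example (not part of the original post), here is a small Python helper that parses the LDIF output of the ldapsearch query above, reports which password/lockout attributes differ from a desired baseline, and renders the change.ldif that ldapmodify -f consumes. The sample output and the baseline values are constructed; the attribute names are those from the tables above.

```python
import base64

# Attribute names from the Password Policies and Lockout Policy tables above;
# anything else is refused so a typo never modifies an unintended attribute.
POLICY_ATTRS = {
    "vmwPasswordLifetimeDays", "vmwPasswordProhibitedPreviousCount",
    "vmwPasswordMaxLength", "vmwPasswordMinSpecialCharCount",
    "vmwPasswordMinAlphabeticCount", "vmwPasswordMinUpperCaseCount",
    "vmwPasswordMinLowerCaseCount", "vmwPasswordMinNumericCount",
    "vmwPasswordMaxIdenticalAdjacentChars", "vmwPasswordChangeMaxFailedAttempts",
    "vmwPasswordChangeFailedAttemptIntervalSec", "vmwPasswordChangeAutoUnlockIntervalSec",
}

# Constructed sample of the ldapsearch output above (trimmed to a few attributes).
SAMPLE_LDIF = """# search result
dn: cn=password and lockout policy,dc=vghetto,dc=local
cn: password and lockout policy
vmwPasswordLifetimeDays: 90
vmwPasswordChangeMaxFailedAttempts: 5
vmwPasswordChangeAutoUnlockIntervalSec: 300
"""

def parse_ldif(text):
    """Return {attribute: value} for the entry in ldapsearch LDIF output,
    unfolding continuation lines and decoding '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        key, _, value = line.partition(":")
        if value.startswith(":"):        # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(key.strip(), value.strip())
    return attrs

def find_drift(attrs, desired):
    """Return {attribute: (current, desired)} for every value not as desired."""
    return {a: (attrs.get(a), str(v)) for a, v in desired.items()
            if attrs.get(a) != str(v)}

def build_modify_ldif(dn, changes):
    """Render change.ldif text (one 'replace' per attribute) for ldapmodify -f."""
    unknown = set(changes) - POLICY_ATTRS
    if unknown:
        raise ValueError(f"not a known policy attribute: {sorted(unknown)}")
    out = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes.items():
        out += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(out) + "\n"
```

Feed `parse_ldif` the real ldapsearch output, pass the drift to `build_modify_ldif`, and write the result to change.ldif before running the ldapmodify command above; the trailing "-" separator lets several attributes be replaced in one file.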
- vCenter Server 6.0 Tidbits Part 1: What install & deployment parameters did I use?
- vCenter Server 6.0 Tidbits Part 2: What is my SSO Domain Name & Site Name?
- vCenter Server 6.0 Tidbits Part 3: Finding all deployed Platform Services Controller
- vCenter Server 6.0 Tidbits Part 4: Finding all deployed vCenter Servers
- vCenter Server 6.0 Tidbits Part 5: New method of patching the VCSA
- vCenter Server 6.0 Tidbits Part 6: Customizing VCSA’s DCUI
- vCenter Server 6.0 Tidbits Part 7: Connecting to SSO/PSC using JExplorer
- vCenter Server 6.0 Tidbits Part 8: Useful ldapsearch queries for vmdird
- vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli
- vCenter Server 6.0 Tidbits Part 10: Automating SSO Admin configurations
- vCenter Server 6.0 Tidbits Part 11: Automate SSO Admin password change
- vCenter Server 6.0 Tidbits Part 12: New methods of downloading Support Bundles for VCSA / PSC
Arun says
Thanks for The Great Information. After updating the security token renewal count, is it required to restart the STS services?
Totie Bash says
What is the equivalent for Windows vCenter 6.0 U3? I am interested in doing some SSO password policies. If you are on a single SSO domain with Enhanced Linked Mode, do you need to run this command only once or multiple times on all PSC instances?
Harold Schoofs says
Is, for example, the "Time interval between failures" setting still not exposed to PowerCLI, for instance, to be changed scripted?
For some automated hardening checks and compliance it would be great to have some way of setting/reading this programmatically without all the severe warnings and extreme caution needed.
Vmware_Geek says
Is there a way to add a setting to vCenter 7.0 to send email notifications for upcoming expiration dates of local service accounts? We can only notice that the password is expired if another VMware product disconnects from vCenter.
Can there be a trick to receive notifications before passwords expire?