WilliamLam.com

Quick Tip - How to check password expiry for a specific vSphere SSO user?

by // 1 Comment

The default password expiry for vSphere Single-Sign On (SSO) users within the vCenter Server Appliance (VCSA) is 90 days and this of course be changed to match your organizations policy. Although the vSphere UI can remind you right before your password expires, you may want to manually check or proactively inventory this information periodically.

To do so, you will need to SSH to the VCSA and use the dir-cli command with --level 2 option to get additional details for a given vSphere SSO user as shown in the example below:

/usr/lib/vmware-vmafd/bin/dir-cli user find-by-name --account william --level 2
Account: william
UPN: william[a]VSPHERE.LOCAL
Account disabled: FALSE
Account locked: FALSE
Password never expires: FALSE
Password expired: FALSE
Password expiry: 8916 day(s) 2 hour(s) 39 minute(s) 30 second(s)

In this particular environment, I have the vSphere SSO password expiry configured to 9000 days and as we can see for this user, there is ~8916 days left before the password expires.

For those looking to automate this, it looks like this is currently only possible using dir-cli but I have submitted a feature request to the recently released PowerCLI vSphere SSO Module to see if this information can also be included in the Get-SsoPersonUser cmdlet. If you need to retrieve the current configured vSphere SSO password expiry, you can use ldapsearch command within the VCSA or the Get-SsoPasswordPolicy cmdlet.

How to split vCenter Servers configured in an Enhanced Linked Mode (ELM)?

by // 22 Comments

An interesting question that came up on the VMTN forum the other day (thanks to Andreas Peetz for sharing via Twitter) was how to split two vCenter Servers configured in an Enhanced Linked Mode (ELM)? Due to an organization changes in the customers environment, they needed to separate out their two vCenter Servers and run them independently of each other. Although this may sound like an rare event, I have actually seen this use case come up several times now which maybe from a business unit restructuring, spinning out or selling off company assets which then requires the customer to split their existing vCenter Servers that is configured with ELM.

Below is a diagram depicting an example where the original source environment (left) which is composed of two vCenter Servers and two external Platform Services Controller (PSC) configured in an ELM and the desired destination environment (right) which are two separate vCenter Server instances no longer configured in ELM.


The solution to this problem is actually pretty straight forward and leverages the existing vCenter Server and/or Platform Services Controller (PSC) "decommission" workflow. Rather than decommissioning the nodes, we are just simply keeping them around. Below are the instructions on how to achieve this outcome.

UPDATE (05/31/22) - I was recently made aware of the following VMware KB 2106736 article that provides official guidance for splitting/unregistering your vCenter Server from ELM. This should be followed as the officially supported method

UPDATE (01/28/19) - As of vSphere 6.7 Update 1, splitting an Enhanced Linked Mode (ELM) configuration is now supported by using the repointing workflow provided by the enhanced cmsso-util tool.

Disclaimer: Although this solution uses an existing supported workflow, this particular use case has not been tested by VMware. As such, this would not be officially supported by VMware until the appropriate testing has been done by our Engineering teams. One potential option in the short term if you are looking for support from VMware is to file an RPQ request through your VMware account team.

[Read more...]

vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli

by // 14 Comments

Automating vCenter Single Sign-On (SSO) Users creation and management was not possible in prior releases of vSphere and this operation had to be performed manually using the vSphere Web Client.

sso-user-management-using-dir-cli-4
With vSphere 6.0, you can now easily create and manage SSO Users using a new command-line utility that is included within the Platform Services Controller (PSC) called dir-cli. Below are the paths to the dir-cli utility on both Windows VC and VCSA.

Windows VC 6.0:

  • C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe

VCSA 6.0:

  • /usr/lib/vmware-vmafd/bin/dir-cli

Below are a few examples on using the dir-cli command and you can find more information in the vSphere 6.0 Documentation here. If you wish to automate the dir-cli operations without needing to specify an SSO Administrator password, just specify the --password option. You can also change the SSO Administrator username by specifying the --login option.

Creating a new SSO user:

/usr/lib/vmware-vmafd/bin/dir-cli user create --account william --first-name william --last-name lam --user-password 'VMware1!'

sso-user-management-using-dir-cli-0
Adding new user to SSO group called "Administrators":

/usr/lib/vmware-vmafd/bin/dir-cli group modify --name Administrators --add william

sso-user-management-using-dir-cli-2
List users in an SSO group:

/usr/lib/vmware-vmafd/bin/dir-cli group list --name Administrators

sso-user-management-using-dir-cli-1
Reset the password for an SSO user:

/usr/lib/vmware-vmafd/bin/dir-cli password reset --account william --new 'VMware1!!'

sso-user-management-using-dir-cli-3