WilliamLam.com

vCenter Server 6.0 Tidbits Part 7: Connecting to SSO/PSC using JXplorer

05.01.2015 by William Lam // 7 Comments

I have written before about using JXplorer, a free LDAP browser utility that can connect to vCenter SSO's vmdird (VMware Directory Service); you can find more details here. In vSphere 6.0, there are a couple of minor changes you need to be aware of if you connect to SSO, which is now located in the Platform Services Controller. The first change is that port 11711 is no longer used and has changed to 389 when performing a fresh install of vSphere 6.0; otherwise the port is preserved, as noted in the comments section. The second change when using JXplorer to connect to vmdird is that the BaseDN property is no longer needed, and if you try to specify it, you will not be able to connect.

Here are the updated instructions to connect to vmdird in vSphere 6.0 which is now located in the PSC or in an embedded deployment.

Disclaimer: Please take extreme caution when connecting to the vmdird database; this is primarily for educational purposes. You should take extreme care in making changes while in the database, else you can negatively impact your environment.

Host: Hostname/IP Address of PSC
Protocol: LDAPv3
Port: 389
Level: User + Password
User DN: cn=Administrator,cn=Users,dc=vghetto,dc=local
Password: SSO Admin Password

[Screenshot: jexplorer-platform-service-controller-1]

In addition, I also wanted to mention a couple more tidbits that could come in handy when connecting directly to vmdird, especially in a troubleshooting scenario. The first is finding the SSO Domain Name, which is displayed by expanding the tree; in my environment it is called vghetto.local. The second is finding the SSO Site Name, which is under "Configuration->Sites" and can be seen in the screenshot below.

On top of that, if you wish to find all deployed PSCs, you can do so by expanding "Configuration->Sites->Servers", and by expanding each of those sub-entries you can also see whether they are replicating to other PSCs.

[Screenshot: jexplorer-platform-service-controller-3]

If you wish to find all deployed and connected vCenter Servers associated with the current PSC, you can expand "Computers".

[Screenshot: jexplorer-platform-service-controller-2]

  • vCenter Server 6.0 Tidbits Part 1: What install & deployment parameters did I use?
  • vCenter Server 6.0 Tidbits Part 2: What is my SSO Domain Name & Site Name?
  • vCenter Server 6.0 Tidbits Part 3: Finding all deployed Platform Services Controller
  • vCenter Server 6.0 Tidbits Part 4: Finding all deployed vCenter Servers
  • vCenter Server 6.0 Tidbits Part 5: New method of patching the VCSA
  • vCenter Server 6.0 Tidbits Part 6: Customizing VCSA’s DCUI
  • vCenter Server 6.0 Tidbits Part 7: Connecting to SSO/PSC using JExplorer
  • vCenter Server 6.0 Tidbits Part 8: Useful ldapsearch queries for vmdird
  • vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli
  • vCenter Server 6.0 Tidbits Part 10: Automating SSO Admin configurations
  • vCenter Server 6.0 Tidbits Part 11: Automate SSO Admin password change
  • vCenter Server 6.0 Tidbits Part 12: New methods of downloading Support Bundles for VCSA / PSC

Categories // VCSA, vSphere 6.0 Tags // jxplorer, ldap, platform service controller, psc, sso domain name, sso site name, vSphere 6.0

How to verify SSO Multi-Master Replication is properly configured & working?

12.12.2013 by William Lam // Leave a Comment

I wrote an article yesterday demonstrating a hybrid configuration using the new SSO Multi-Master Replication in vSphere 5.5 between a vCenter Server for Windows & a VCSA (vCenter Server Appliance). The process itself is pretty straightforward and I even created a script which will automate the entire configuration. However, other than some text shown at the end of the script stating that MMR (Multi-Master Replication) was successfully set up, how do you actually confirm MMR is properly configured & working when adding additional SSO instances?

This was something I was actually pondering, since the process was just too "easy" and pretty much seamless, as it should be from a user's perspective. In speaking with engineering, I came to learn that vmdird (VMware Directory Service) just leverages the LDAP standard for MMR. This means we can use any LDAP browser to connect to vmdird and view its current configuration.

Disclaimer: Please take extreme caution when viewing the vmdird database; this is primarily for educational purposes. You should not be making any changes while in the database, else you can negatively impact your environment.

In this example, we will be leveraging the free open source LDAP browser JXplorer, which can be run from a variety of operating systems including Windows and Mac OS X. We will use JXplorer to verify that replication between our source (vCenter Server on Windows) and our target (VCSA) is properly configured; you can also do this for a Windows to Windows vCenter Server deployment. We will also verify that replication itself is working by going through an example of creating an object in the source system and then verifying it has been successfully replicated to the target system.

Step 1 - Download and install JXplorer on your desktop. It does not have to run on the vCenter Server itself, as we can remotely connect to vmdird.

Step 2 - Create a new LDAP connection for your source vCenter Server on Windows using the following configuration:

Protocol: LDAPv3
Port: 11711
Base DN: dc=vsphere,dc=local
Level: User + Password
User DN: cn=Administrator,cn=Users,dc=vsphere,dc=local

If everything was entered correctly, you should now be able to connect to the vmdird database.

Step 3 - To confirm MMR has been successfully configured between your source and target SSO Servers, you can expand the inventory to local->vsphere->Configuration->Sites->Servers. Here you should see the list of SSO Servers participating in a specific site. If you expand each server, you should see a replication agreement between the source and target of each server; this means everything is configured correctly.

In the example I had in my last blog post, vcenter55-3.primp-industries.com is my vCenter Server for Windows and vcenter55-2.primp-industries.com is my VCSA. We can clearly see the replication agreements between our two systems and everything looks good.

Step 4 - To check whether MMR is working, a simple test is to create a user in the vsphere.local domain using the vSphere Web Client and then compare the Users database between our source and target vmdird databases. To do so, you can open up two JXplorer sessions, one connecting to the source vmdird and the other connecting to the destination vmdird.

MMR takes ~30sec to perform the replication and in the example above, I created a user called "wlam" on my source site and then I was able to refresh my destination system and the new user has automatically been replicated.
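
The Step 4 comparison can also be done without eyeballing two browser windows. The following is an added example, not code from the original post: it diffs the entries under the Users container in two LDIF exports, one taken from the source vmdird and one from the target. It assumes the exports were taken read-only with an LDAP tool of your choice; the sample LDIF text and the DN layout of the "wlam" entry are constructed for illustration.

```python
import base64

BASE = "cn=Users,dc=vsphere,dc=local"  # Users container under the page's Base DN

def normalize_dn(dn):
    # Simplified normalization: case-fold and trim spaces around each RDN.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif_dns(text):
    """Return the set of normalized entry DNs found in an LDIF export."""
    unfolded = []
    for line in text.splitlines():
        # RFC 2849: a line starting with one space continues the previous line.
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    dns = set()
    for line in unfolded:
        if line.startswith("dn::"):  # base64-encoded DN
            dns.add(normalize_dn(base64.b64decode(line[4:].strip()).decode("utf-8")))
        elif line.startswith("dn:"):
            dns.add(normalize_dn(line[3:]))
    return dns

def replication_diff(source_ldif, target_ldif, base=BASE):
    """Compare entries below `base` in two exports; empty lists mean in sync."""
    suffix = "," + normalize_dn(base)
    src = {d for d in parse_ldif_dns(source_ldif) if d.endswith(suffix)}
    dst = {d for d in parse_ldif_dns(target_ldif) if d.endswith(suffix)}
    return {"missing_on_target": sorted(src - dst),
            "missing_on_source": sorted(dst - src)}

# Constructed sample exports (not real data): the source has the new user "wlam".
SOURCE_LDIF = """dn: cn=Administrator,cn=Users,dc=vsph
 ere,dc=local
cn: Administrator

dn: cn=wlam,cn=Users,dc=vsphere,dc=local
cn: wlam
"""
TARGET_BEFORE = "dn: CN=Administrator,CN=Users,DC=vsphere,DC=local\ncn: Administrator\n"
TARGET_AFTER = TARGET_BEFORE + "\ndn:: " + base64.b64encode(
    b"cn=wlam,cn=Users,dc=vsphere,dc=local").decode() + "\ncn: wlam\n"

if __name__ == "__main__":
    print("before:", replication_diff(SOURCE_LDIF, TARGET_BEFORE))
    print("after: ", replication_diff(SOURCE_LDIF, TARGET_AFTER))
```

An entry that stays in missing_on_target well past the replication interval points at a replication problem rather than a slow refresh.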

I really like the new SSO architecture; it has really simplified SSO installation and configuration by a factor of 1000x. The built-in multi-master replication is completely transparent to the end user and this is the type of user experience our customers have come to expect of VMware. Big kudos to the SSO Engineering/Product team for all their hard work! There is still a lot of work being done to further enhance the overall install/upgrade experience and hopefully we will get to see some of these benefits in the very near future.

Categories // Automation, VCSA, vSphere Tags // ldap, multi-master replication, sso, VCSA, vcva, vdcpromo, vSphere 5.5

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
