WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud
  • Tanzu
    • Application Modernization
    • Tanzu services
    • Tanzu Community Edition
    • Tanzu Kubernetes Grid
    • vSphere with Tanzu
  • Home Lab
  • Nested Virtualization
  • Apple

Quick Tip - How to check password expiry for a specific vSphere SSO user?

06.04.2021 by William Lam // 1 Comment

The default password expiry for vSphere Single-Sign On (SSO) users within the vCenter Server Appliance (VCSA) is 90 days and this of course be changed to match your organizations policy. Although the vSphere UI can remind you right before your password expires, you may want to manually check or proactively inventory this information periodically.

To do so, you will need to SSH to the VCSA and use the dir-cli command with --level 2 option to get additional details for a given vSphere SSO user as shown in the example below:

/usr/lib/vmware-vmafd/bin/dir-cli user find-by-name --account william --level 2
Account: william
UPN: william[a]VSPHERE.LOCAL
Account disabled: FALSE
Account locked: FALSE
Password never expires: FALSE
Password expired: FALSE
Password expiry: 8916 day(s) 2 hour(s) 39 minute(s) 30 second(s)

In this particular environment, I have the vSphere SSO password expiry configured to 9000 days and as we can see for this user, there is ~8916 days left before the password expires.

For those looking to automate this, it looks like this is currently only possible using dir-cli but I have submitted a feature request to the recently released PowerCLI vSphere SSO Module to see if this information can also be included in the Get-SsoPersonUser cmdlet. If you need to retrieve the current configured vSphere SSO password expiry, you can use ldapsearch command within the VCSA or the Get-SsoPasswordPolicy cmdlet.

Categories // Automation, vSphere Tags // dir-cli, sso

PowerCLI Module for managing vCenter Single Sign-On (SSO)

10.05.2020 by William Lam // 8 Comments

A few years back I had submitted a PowerCLI Feature Request (PCLI-44) via the public PowerCLI Ideas platform requesting for a PowerCLI module that would support vCenter Single Sign-On (SSO) Administrative functionality such as managing SSO Users, Groups, Password, Lockout Policy and Identity Sources.


This was one of the most popular Idea voted by the PowerCLI community, which also stressed the need for such functionality which I came across on a regular basis on some of the Automation I was writing. In the past, I have written numerous blog articles in working around this limitation as the vCenter SSO Admin APIs were not and leveraging Guest Operations API, one could still automate various SSO operations using the various SSO CLIs that is included within the vCenter Server Appliance (VCSA).

Today, I received a notification from the PowerCLI Ideas platform that this feature as "Shipped" and it looks like the PowerCLI team has just released an Open Source Module called VMware.vSphere.SsoAdmin that includes the following 12 cmdlets:

  • Add-ActiveDirectoryIdentitySource
  • Add-GroupToSsoGroup
  • Add-LDAPIdentitySource
  • Add-UserToSsoGroup
  • Connect-SsoAdminServer
  • Disconnect-SsoAdminServer
  • Get-IdentitySource
  • Get-SsoAuthenticationPolicy
  • Get-SsoGroup
  • Get-SsoLockoutPolicy
  • Get-SsoPasswordPolicy
  • Get-SsoPersonUser
  • Get-SsoTokenLifetime
  • New-SsoGroup
  • New-SsoPersonUser
  • Remove-GroupFromSsoGroup
  • Remove-IdentitySource
  • Remove-SsoGroup
  • Remove-SsoPersonUser
  • Remove-UserFromSsoGroup
  • Set-LDAPIdentitySource
  • Set-SsoAuthenticationPolicy
  • Set-SsoGroup
  • Set-SsoLockoutPolicy
  • Set-SsoPasswordPolicy
  • Set-SsoPersonUser
  • Set-SsoSelfPersonUserPassword
  • Set-SsoTokenLifetime

To get started with the new PowerCLI SSO Module, take a look at the instructions below.

[Read more...]

Categories // Automation, PowerCLI, vSphere Tags // PowerCLI, sso

Using PowerCLI to automate the retrieval of VCSA Password Policies

02.06.2020 by William Lam // Leave a Comment

I hope that every vSphere administrator or operator by now is familiar with the extremely powerful vSphere Guest Operations API functionality (details here and here), which can easily be consumed using PowerCLI's Invoke-VMScript cmdlet. If not, highly recommend you check out the links referenced. I know the GuestOps API is certainly my top favorite with sending VM keystrokes capability a very close second!

Not only does the GuestOps API unlock functionality that simply may not be possible (e.g. there's no API or automation interface) but it also enables automation within a VM without requiring any type of remote management services enabled (e.g. SSH or WinRM) or even networking to the VM for that matter!

The reason I am bringing all this up is that although there is not an API for managing and retrieving vCenter Single Sign-On (SSO) configurations which includes password policies, there is a way in which customers can still automate and retrieve this and other information by leveraging the GuestOps API. In fact, back in 2015 I demonstrated on how you can retrieve VCSA SSO password policy and configurations and we can simply apply the GuestOps API to help us automate this task. In addition, most customers do not enable SSH by default and we can still apply the GuestOps API technique and perform automation tasks to VSCSA without requiring SSH as described in this blog post back in 2016.

[Read more...]

Categories // Automation, VCSA Tags // expiry, sso, vcenter server appliance, vcsa

  • 1
  • 2
  • 3
  • …
  • 11
  • Next Page »

Search

Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC)

Connect

  • Email
  • GitHub
  • LinkedIn
  • RSS
  • Twitter
  • Vimeo

Recent

  • Changing the default HTTP(s) Reverse Proxy Ports on ESXi 8.0 03/22/2023
  • Quick Tip - How to download ESXi ISO image for all releases including patch updates? 03/15/2023
  • SSD with multiple NVMe namespaces for VMware Homelab 03/14/2023
  • Is my vSphere Cluster managed by vSphere Lifecycle Manager (vLCM) as a Desired Image or Baseline? 03/10/2023
  • Interesting VMware Homelab Kits for 2023 03/08/2023

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2023

 

Loading Comments...