Hi All,
We have a few vCenters configured with AD over LDAP.
When the username configured there changes [it happens every 6 months], we have to go to each vCenter, open the Identity Source, and update the username's password.
We want to make some script that will do it.
Do you know if there is a command (and which one) to edit the username's password here:
Can you see the provider when you run the Invoke-ListIdentityProviders cmdlet?
This requires a recent PowerCLI version
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi LucD,
No, actually when running it I don't get any output...
1. Maybe I should install older PowerCLI ?
2. I saw this page : https://kb.vmware.com/s/article/67304
Under the section "Adding AD over LDAP" I saw that there is a command to add it, so now I wonder if there is one to edit it, or maybe I can remove & add it every time the password changes. [But I'll lose the permissions for items that already have permissions...]
No, in fact, I tested several options just now, and it seems the REST API com.vmware.vcenter.identity.providers.list() doesn't return anything.
Even the API Explorer in the H5 client returns nothing.
I suspect something might be wrong with that REST API (at least in vSphere 7.0.3 which I'm currently using).
If you are on vSphere 6.5 or 6.7 you might try the script from the KB, but it will be a remove/add operation as far as I can tell.
With the REST API one should be able to actually update an existing identity source.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
The most direct path currently is to re-configure the identity source. You can do this via CLI using sso-config.sh
See https://kb.vmware.com/s/article/67304
If the VC is configured for AD over LDAP, then you are using an IDENTITY SOURCE with the built-in identity provider.
The REST API returns the list of external IDENTITY PROVIDERS configured. So, an empty result is correct.
Configure vCenter to federate with ADFS and try the API again. It will return the ADFS configuration information.
@b1gerhardt thanks for that feedback.
On a side note, the word 'external' might perhaps be included in the documentation of the REST API.
There it states "Retrieve all identity providers."
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi,
Re-configure won't be good for us, but thanks for the assistance.
The REST API, if it were possible, sounded like exactly what we needed...
Maybe you could use "VMware.vSphere.SsoAdmin" for that. We are also using LDAP and need to change the DCs' certificates once a year.
Import-Module -Name VMware.vSphere.SsoAdmin
Connect-SsoAdminServer -Server fqdn
# replace DCs Certificate
Get-IdentitySource -External | select * | Out-GridView
Get-IdentitySource -External | where {$_.Name -eq "somedomain"} | Set-LDAPIdentitySource -Certificates 'C:\certs\dc01.cer','C:\certs\dc02.cer'
If this feature is missing you could request one: https://github.com/vmware/PowerCLI-Example-Scripts/issues?q=is%3Aissue+is%3Aopen+VMware.vSphere.SsoA...
I think you haven't noticed the earlier reply stating "The REST API returns the list of external IDENTITY PROVIDERS"
If the API doesn't provide the option, asking for a new feature in the SSOAdmin module will not help I'm afraid.
This would require a change in the REST API
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I did miss that indeed, but the picture in the first post indicated that the vCSA uses the Identity Source "Identity Source Type: Active Directory over LDAP", and this one gets listed by using "Get-IdentitySource -External" with the VMware.vSphere.SsoAdmin module. Even if Set-LDAPIdentitySource does not have a Password option for the user in use, you could always delete and re-add the same source; just make sure that "Domain" and "Alias" are the same as they were before. No need to re-add permissions etc. This is how we migrated from IWA to LDAPS.
As the previous reply also stated, the AD over LDAP is NOT an external identity source.
It works for ADFS but not for AD over LDAP
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Maybe I just don't understand what is going on here and the first post is completely different from the other posts, but for us it works just fine with "AD over LDAP" as the Identity Source; we do not have ADFS or anything like it...
Get-IdentitySource -Server $vcsso -External
Type : ActiveDirectory
Alias :
AuthenticationType : PASSWORD
AuthenticationUsername : someuser@somedomain.com
FriendlyName : somedomain.com
PrimaryUrl : ldaps:/DC01_FQDN:3269
FailoverUrl : ldaps://DC02_FQND:3269
UserBaseDN : dc=somedomain,dc=com
GroupBaseDN : dc=somedomain,dc=com
Certificates : {[Subject] ...
Name : somedomain.com
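Building on the two replies above (the VMware.vSphere.SsoAdmin snippet and the Get-IdentitySource output), the following is an added example and not code from the thread or from the module's own documentation. It inventories the AD-over-LDAP identity source on several vCenters and flags two things an admin wants to know before the next password or DC certificate change: whether the bind URLs are all ldaps:// and whether any of the stored DC certificates is close to expiry. The vCenter names are constructed; the cmdlets and properties used (Connect-SsoAdminServer, Get-IdentitySource -External, Name, Alias, AuthenticationUsername, PrimaryUrl, FailoverUrl, Certificates) are the ones shown in the replies. Disconnect-SsoAdminServer and the assumption that Certificates holds X509Certificate2 objects (the "[Subject] ..." rendering above suggests it) are assumptions on my part.

```powershell
# Added example, not from the thread: audit the AD-over-LDAP identity source on
# several vCenters with VMware.vSphere.SsoAdmin. Assumptions are marked below.
Import-Module -Name VMware.vSphere.SsoAdmin

$vcenters = 'vc01.corp.example', 'vc02.corp.example'   # constructed sample names
$warnDays = 60                                         # expiry warning window in days

$report = foreach ($vc in $vcenters) {
    # As in the reply above, only -Server is passed; the cmdlet then prompts for
    # SSO credentials. For a scheduled run, supply them from a vault instead of
    # hard-coding a password in the script.
    $sso = Connect-SsoAdminServer -Server $vc
    try {
        # Same call as in the reply above: the LDAP source is listed despite the
        # -External name, which caused the confusion earlier in the thread.
        foreach ($src in Get-IdentitySource -Server $sso -External) {
            $urls = @($src.PrimaryUrl, $src.FailoverUrl) | Where-Object { $_ }

            # Any URL that is not ldaps:// (plain ldap://, or a typo such as the
            # "ldaps:/" in the output above) means the bind password can travel in
            # clear text or the failover will not work when it is needed.
            $badUrls = @($urls | Where-Object { $_ -notmatch '^ldaps://' })

            # Assumption: Certificates is a collection of X509Certificate2 objects,
            # so NotAfter is the DC certificate expiry the yearly rotation must beat.
            $soonest = $src.Certificates |
                Sort-Object -Property NotAfter |
                Select-Object -First 1 -ExpandProperty NotAfter
            $certWarning = $null
            if ($soonest) { $certWarning = $soonest -lt (Get-Date).AddDays($warnDays) }

            [pscustomobject]@{
                vCenter     = $vc
                Domain      = $src.Name
                Alias       = $src.Alias
                BindUser    = $src.AuthenticationUsername
                AllLdaps    = ($badUrls.Count -eq 0)
                BadUrls     = ($badUrls -join ', ')
                CertExpires = $soonest
                CertWarning = $certWarning
            }
        }
    }
    finally {
        # Assumption: Disconnect-SsoAdminServer accepts the connection via -Server.
        Disconnect-SsoAdminServer -Server $sso
    }
}

$report | Format-Table -AutoSize
```

Rows with AllLdaps = False or CertWarning = True are the vCenters to fix first; the Domain and Alias columns are exactly the two values the reply above says must be preserved if the source is removed and re-added, so keeping this report from before the change gives you something to diff against afterwards.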
thanks for that
I'll try it next week