VMware Cloud Community
csilaser
Contributor

Edit AD over LDAP via CLI

Hi All,

We have a few vCenters configured with AD over LDAP.

When the username configured there changes [it happens every 6 months], we have to go to each vCenter, open the Identity Source, and update the username's password.

We want to make some script that will do it.


Do you know if there is, and what is, the command to edit the username's password here:

13 Replies
LucD
Leadership

Can you see the provider when you run the Invoke-ListIdentityProviders cmdlet?
This requires a recent PowerCLI version.

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

csilaser
Contributor

Hi LucD,

No, actually when running it I don't get any output...


1. Maybe I should install an older PowerCLI?

2. I saw this page: https://kb.vmware.com/s/article/67304

Under the section "Adding AD over LDAP" I saw that there is a command to add it, so now I wonder if there is one to edit it, or maybe I can remove & add it every time the password changes. [But I'll lose the permissions for items that already have permissions...]

LucD
Leadership

No, in fact, I tested several options just now, and it seems the REST API com.vmware.vcenter.identity.providers.list() doesn't return anything.
Even the API Explorer in the H5 client returns nothing.
I suspect something might be wrong with that REST API (at least in vSphere 7.0.3 which I'm currently using).

If you are on vSphere 6.5 or 6.7 you might try the script from the KB, but it will be a remove/add operation as far as I can tell.
With the REST API one should be able to actually update an existing identity source.

b1gerhardt
VMware Employee

The most direct path currently is to re-configure the identity source. You can do this via CLI using sso-config.sh.

See https://kb.vmware.com/s/article/67304

Barry Gerhardt R&D Manager, vCenter SSO Stack
b1gerhardt
VMware Employee

If the VC is configured for AD over LDAP, then you are using an IDENTITY SOURCE with the built-in identity provider.

The REST API returns the list of external IDENTITY PROVIDERS configured. So, an empty result is correct.

Configure vCenter to federate with ADFS and try the API again. It will return the ADFS configuration information.

LucD
Leadership

@b1gerhardt thanks for that feedback.

On a side note, the word 'external' might perhaps be included in the documentation of the REST API.
There it states "Retrieve all identity providers."

csilaser
Contributor

Hi,

Re-configuring won't be good for us, but thanks for the assistance.


The REST API, if it were possible, sounded like it was exactly what we needed...

salcinad
Enthusiast

Maybe you could use the "VMware.vSphere.SsoAdmin" module for that. We are also using LDAP and need to change the DC certificates once a year.


Import-Module -Name VMware.vSphere.SsoAdmin

Connect-SsoAdminServer -Server fqdn

# inspect the external identity sources
Get-IdentitySource -External | select * | Out-GridView
# replace the DC certificates of one source
Get-IdentitySource -External | where {$_.Name -eq "somedomain"} | Set-LDAPIdentitySource -Certificates 'C:\certs\dc01.cer','C:\certs\dc02.cer'


If this feature is missing you could request one: https://github.com/vmware/PowerCLI-Example-Scripts/issues?q=is%3Aissue+is%3Aopen+VMware.vSphere.SsoA...

LucD
Leadership

I think you haven't noticed the earlier reply stating "The REST API returns the list of external IDENTITY PROVIDERS".
If the API doesn't provide the option, asking for a new feature in the SSOAdmin module will not help, I'm afraid.
This would require a change in the REST API.

salcinad
Enthusiast

I did miss that indeed, but the picture in the first post indicated that the vCSA uses the Identity Source "Identity Source Type: Active Directory over LDAP", and this one gets listed by using "Get-IdentitySource -External" with the VMware.vSphere.SsoAdmin module. Even if Set-LDAPIdentitySource does not have a Password option for the user used, you could always delete and re-add the same source; just make sure that "Domain" and "Alias" are the same as they were before. No need to re-add permissions etc. This is how we migrated from IWA to LDAPS.

LucD
Leadership

As the previous reply also stated, AD over LDAP is NOT an external identity source.
It works for ADFS but not for AD over LDAP.

salcinad
Enthusiast

Maybe I just don't understand what is going on here and the first post is completely different from the other posts, but for us it works just fine with "AD over LDAP" as the Identity Source; we do not have ADFS or anything like that.


Get-IdentitySource -Server $vcsso -External

Type                   : ActiveDirectory
Alias                  : 
AuthenticationType     : PASSWORD
AuthenticationUsername : someuser@somedomain.com
FriendlyName           : somedomain.com
PrimaryUrl             : ldaps:/DC01_FQDN:3269
FailoverUrl            : ldaps://DC02_FQND:3269
UserBaseDN             : dc=somedomain,dc=com
GroupBaseDN            : dc=somedomain,dc=com
Certificates           : {[Subject] ...
Name                   : somedomain.com

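As an added example (not code from this thread, from VMware, or from the module's authors), the remove-and-re-add approach from the earlier reply applied to several vCenters, re-using the properties that Get-IdentitySource returns above so that Name, Alias, URLs, base DNs and DC certificates stay identical and only the bind password changes. It assumes the vCenter names are placeholders and that Add-LDAPIdentitySource, Remove-IdentitySource and Get-SsoPersonUser accept the parameter names shown (check Get-Help in your module version before running it).

```powershell
# Added example: rotate the bind password of an "AD over LDAP" identity source on several vCenters
# by removing and re-adding it with identical settings. Parameter names below are assumptions about
# the VMware.vSphere.SsoAdmin module; confirm them with Get-Help Add-LDAPIdentitySource -Full.
Import-Module -Name VMware.vSphere.SsoAdmin

$vcenters = @('vc01.example.internal', 'vc02.example.internal')   # constructed placeholders
$domain   = 'somedomain.com'                                       # Name of the source, as in the output above
$bindUser = 'someuser@somedomain.com'                              # AuthenticationUsername of the source

# Prompt for the new password once; keep it out of the script file and the shell history.
$secure  = Read-Host -Prompt "New password for $bindUser" -AsSecureString
$bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$newPass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

foreach ($vc in $vcenters) {
    $sso = Connect-SsoAdminServer -Server $vc          # prompts for SSO administrator credentials
    try {
        $src = Get-IdentitySource -Server $sso -External | Where-Object { $_.Name -eq $domain }
        if (-not $src) { Write-Warning "$vc : no identity source named $domain, skipping"; continue }

        # Re-add with the same Name/Alias so permissions on domain principals keep resolving;
        # Alias and FailoverUrl are only passed when the existing source actually has them.
        $params = @{
            Server = $sso; Name = $src.Name; DomainName = $src.Name
            PrimaryUrl = $src.PrimaryUrl; BaseDNUsers = $src.UserBaseDN; BaseDNGroups = $src.GroupBaseDN
            Username = $bindUser; Password = $newPass; Certificates = $src.Certificates   # DC certs carried over
        }
        if ($src.Alias)       { $params.DomainAlias = $src.Alias }
        if ($src.FailoverUrl) { $params.FailoverUrl = $src.FailoverUrl }

        Remove-IdentitySource -IdentitySource $src -Server $sso
        Add-LDAPIdentitySource @params

        # Verify: the source must be listed again and a lookup through it must succeed with the new bind.
        $check = Get-IdentitySource -Server $sso -External | Where-Object { $_.Name -eq $domain }
        $probe = Get-SsoPersonUser -Server $sso -Domain $domain -Name $bindUser.Split('@')[0]
        if ($check -and $probe) {
            Write-Host "$vc : $domain re-added, bind with the new password verified"
        } else {
            Write-Error "$vc : re-add or bind verification failed, check the identity source manually"
        }
    } finally {
        Disconnect-SsoAdminServer -Server $sso
    }
}
$newPass = $null   # drop the plaintext copy as soon as it is no longer needed
```

Run it against one vCenter first and compare the Get-IdentitySource output before and after, since a re-add with a different Name or Alias would leave existing permissions pointing at principals that no longer resolve.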
csilaser
Contributor


Thanks for that.

I'll try it next week.
