VMware {code} Community
wallakyl
Enthusiast

Managed Object Browser - can I authenticate with AD?

I have been looking through the documentation and it doesn't and playing around with ESX, and it seems I need a local account in order to log in to https://ESX-HostName/MOB.

Does anyone know if it is possible to set this up for AD authentication? I need to give someone access to the MOB on all my hosts. I have a lot of hosts and I don't want to go adding a single user to each one.

I already have AD auth working for shell access, but that doesn't work for the MOB.

Accepted Solutions
lamw
Community Manager

afaik, it's a local account only.

=========================================================================

William Lam

VMware vExpert 2009

VMware ESX/ESXi scripts and resources at:

Twitter: @lamw

VMware Code Central - Scripts/Sample code for Developers and Administrators

VMware Developer Community

If you find this information useful, please award points for "correct" or "helpful".

wallakyl
Enthusiast

OK, thank you.

When I give them a local account, if I don't give them any sudo rights, can they change anything through the MOB or is it read-only?

lamw
Community Manager

'sudo' has nothing to do with whether a user can make changes to MOB; so long as the user is in the admin/root group, it'll have permission to do so, which may also block basic login access. This is something you'll need to play with by creating a simple user either on the Service Console or using the vSphere Client, trying out various groups and seeing which will give you the expected behavior. Basically, MOB will not auth against AD; it's local.

wallakyl
Enthusiast

Sorry, let me rephrase.

Say I just create a simple local user in the service console, and I do not modify any groups. If I did that, what can the user do via the MOB? Can they make any changes, or control the host in any way? Or can they just read from it?

Or an even broader question on the MOB...what changes/control can root do via the MOB? I don't really know anything about the MOB - just trying to understand what one can change/control with access to it.

Thanks for your help!

lamw
Community Manager

root has full access to make changes. The MOB is just an internal representation of the vSphere API and its object inventory layout. It gives a pretty graphical way to browse around and see what the data structures look like and the data that can be retrieved; it's generally used for learning purposes when programming or scripting against the vSphere API.

To your question:

"Say I just create a simple local user in the service console, and I do not modify any groups. If I did that, what can the user do via the MOB? Can they make any changes, or control the host in any way? Or can they just read from it?"

Try it; it should be a pretty simple test to see if you can make some changes like adding a vSwitch or renaming a portgroup. I would suspect it probably has read-only access, but I'm not 100% sure. If you're working with vCenter, which is probably the better approach, then you can auth against AD and guarantee the users will have RO access, which will allow them to log into the vCenter MOB, and it has more granular permissions, but at the host level I think it's either all or nothing.

wallakyl
Enthusiast

OK, thanks William.
