Automation

 View Only
Expand all | Collapse all

Edit AD over LDAP via CLI

  • 1.  Edit AD over LDAP via CLI

    Posted Dec 20, 2022 10:39 AM
      |   view attached

    Hi All,

    We have few VCenters configured with AD over LDAP.

    When the username configured there is changing [it happens each 6 months], we should go over each VCenter, and go to the Identity Source, and update the username's password.

    We want to make some script that will do it.

     

    Do you know if there is/what is the command to edit the username's password here :



  • 2.  RE: Edit AD over LDAP via CLI

    Posted Dec 20, 2022 11:23 AM

    Can you see the provider when you runt the Invoke-ListIdentityProviders cmdlet?
    This requires a recent PowerCLI version



  • 3.  RE: Edit AD over LDAP via CLI

    Posted Dec 20, 2022 12:10 PM

    Hi LucD,

    No, actually when running it I don't get any output...

     

    1. Maybe I should install older PowerCLI ?

    2. I saw this page : https://kb.vmware.com/s/article/67304

    Under section "Adding AD over LDAP" - I saw that there is command to add it, so now I wonder if there is one to edit, or maybe I can remove & add it anytime the password changes. [but, I'll loose the permissions for items that already have permissions...]



  • 4.  RE: Edit AD over LDAP via CLI

    Posted Dec 20, 2022 12:29 PM

    No, in fact, I tested several options just now, and it seems the REST API com.vmware.vcenter.identity.providers.list() doesn't return anything.
    Even the API Explorer in the H5 client returns nothing.
    I suspect something might be wrong with that REST API (at least in vSphere 7.0.3 which I'm currently using).

    If you are on vSphere 6.5 or 6.7 you might try the script from the KB, but it will be a remove/add operation as far as I can tell.
    With the REST API one should be able to actually update an existing identity source.



  • 5.  RE: Edit AD over LDAP via CLI

    Broadcom Employee
    Posted Dec 21, 2022 07:41 PM

    If the VC is configured for AD over LDAP, then you are using an IDENTITY SOURCE with the built-in identity provider.

    The REST API returns the list of external IDENTITY PROVIDERS configured. So, an empty result is correct.

    Configure vCenter to federate with ADFS and try the API again. It will return the ADFS configuration information.



  • 6.  RE: Edit AD over LDAP via CLI

    Posted Dec 21, 2022 09:43 PM

     thanks for that feedback.

    On a side note, the word 'external' might perhaps be included in the documentation of the REST API.
    There it states "Retrieve all identity providers."



  • 7.  RE: Edit AD over LDAP via CLI

    Broadcom Employee
    Posted Dec 21, 2022 07:37 PM

    The most direct path currently is to re-configure the identity source. You can do this via CLI using sso-config.sh

    See https://kb.vmware.com/s/article/67304



  • 8.  RE: Edit AD over LDAP via CLI

    Posted Jan 05, 2023 12:54 PM

    Hi,

    Re-configure won't be good for us. but thanks for the assistant

     

    the REST API, if it was possible, sounded like it was directly what we needed....



  • 9.  RE: Edit AD over LDAP via CLI

    Posted Jan 05, 2023 01:19 PM

    Maybe you could use the "VMware.vSphere.SsoAdmin" for that. We are also using LDAP and need to change DCs Certificates once a Year.

     

     

    If this feature is missing you could request one: https://github.com/vmware/PowerCLI-Example-Scripts/issues?q=is%3Aissue+is%3Aopen+VMware.vSphere.SsoAdmin



  • 10.  RE: Edit AD over LDAP via CLI

    Posted Jan 05, 2023 01:34 PM

    I think you haven't noticed the earlier reply stating "The REST API returns the list of external IDENTITY PROVIDERS"
    If the API doesn't provide the option, asking for a new feature in the SSOAdmin module will not help I'm afraid.
    This would require a change in the REST API



  • 11.  RE: Edit AD over LDAP via CLI

    Posted Jan 05, 2023 01:46 PM

    I did miss that indeed, but the picture in first post indicated that vCSA use Identity Source "Identity Source Type: Active Directory over LDAP" and this one gets listed by using "Get-IdentitySource -External" with VMware.vSphere.SsoAdmin Module. Even if the Set-LDAPIdentitySource does not have Password option for used User, you could always delete and re-add same source, just make sure that "Domain" and "Aliase" are same as they were before. No need to re add Permissions etc. This is how we migrated from IWA to LDAPs.



  • 12.  RE: Edit AD over LDAP via CLI

    Posted Jan 05, 2023 02:29 PM

    As the previous reply also stated, the AD over LDAP is NOT an external identity source.
    It works for ADFS but not for AD over LDAP



  • 13.  RE: Edit AD over LDAP via CLI

    Posted Jan 05, 2023 02:36 PM

    Maybe I just don't understand what is going on here and that first post is completely different from other post, but for us it works just fine with "AD over LDAP" as Identity Source, we do not have ADFS or something..

     

     

     



  • 14.  RE: Edit AD over LDAP via CLI

    Posted Jan 05, 2023 03:03 PM

     

    thanks for that

    I'll try it next week