Has anyone been able to script this part of a VCSA 6.5 deployment? Ideally I'd like to add it to Active Directory and set the domain identity source as the default domain.
For completeness, I was able to find a solution to this by referencing the below two KB articles. Even though one of the articles doesn't mention it applies to 6.5, it's still valid:
UPDATE 26/3/2018: If you've got an external PSC, then you will need to run the below on the PSC, not on the vCenter VM.
cd /usr/lib/vmidentity/tools/scripts/
./sso-add-native-ad-idp.sh test.com
Create a file /tmp/ad.txt with the below contents:
dn: cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
changetype: modify
replace: vmwSTSDefaultIdentityProvider
vmwSTSDefaultIdentityProvider: test.com
-
Then run the ldapmodify command and enter the administrator SSO password:
/opt/likewise/bin/ldapmodify -f /tmp/ad.txt -h localhost -p 11711 -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W
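Added example, not part of the post above: the two steps (register the domain with sso-add-native-ad-idp.sh, then replace vmwSTSDefaultIdentityProvider with ldapmodify) wrapped into shell functions so they can be called from an unattended deployment job on the PSC. It assumes the script and Likewise tool paths quoted above, that the SSO password arrives in an environment variable named SSO_ADMIN_PASSWORD (a name chosen here), and that the Likewise build of ldapmodify/ldapsearch accepts the OpenLDAP -y password-file flag (an assumption; the post only shows -W). Nothing contacts the PSC until run_on_psc is called.

```shell
#!/bin/sh
# Added example: automates the two-step procedure from the post.
# Assumptions (not confirmed by the thread): tool paths as quoted in the post,
# SSO_ADMIN_PASSWORD env var (our name), and OpenLDAP-style -y support in the
# Likewise ldapmodify/ldapsearch binaries.

SSO_LDAP_HOST="${SSO_LDAP_HOST:-localhost}"
SSO_LDAP_PORT="${SSO_LDAP_PORT:-11711}"
SSO_BIND_DN="cn=Administrator,cn=Users,dc=vsphere,dc=local"
# Tenant entry whose default identity provider is replaced (from the post's LDIF).
TENANT_DN="cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"

# Emit the LDIF from the post for an arbitrary domain instead of the fixed test.com.
build_default_idp_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: vmwSTSDefaultIdentityProvider\nvmwSTSDefaultIdentityProvider: %s\n-\n' \
    "$TENANT_DN" "$1"
}

# Reject empty names and anything outside [A-Za-z0-9.-], so a value taken from a
# deployment parameter cannot inject extra LDIF lines into the modify request.
valid_domain() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Runs the real procedure on the PSC. Returns 0 only if the attribute reads back
# with the requested value; 2 for bad input, 1 for a failed step, 3 if the
# modify "succeeded" but the read-back does not show the new default.
run_on_psc() {
  domain="$1"
  valid_domain "$domain" || { echo "refusing domain: $domain" >&2; return 2; }
  [ -n "$SSO_ADMIN_PASSWORD" ] || { echo "SSO_ADMIN_PASSWORD is not set" >&2; return 2; }

  # Step 1 from the post: register the AD identity source.
  /usr/lib/vmidentity/tools/scripts/sso-add-native-ad-idp.sh "$domain" || return 1

  # Step 2: replace the tenant's default provider. The password goes into a
  # mode-0600 temp file read with -y (assumed), so it never appears in `ps`
  # output or shell history the way a -w argument would.
  ldif=$(mktemp) || return 1
  pw=$(mktemp) || { rm -f "$ldif"; return 1; }
  chmod 600 "$pw"
  printf '%s' "$SSO_ADMIN_PASSWORD" > "$pw"
  build_default_idp_ldif "$domain" > "$ldif"
  /opt/likewise/bin/ldapmodify -f "$ldif" -h "$SSO_LDAP_HOST" -p "$SSO_LDAP_PORT" \
    -D "$SSO_BIND_DN" -y "$pw"
  rc=$?

  # Read the attribute back so a deployment job fails loudly if the change did not stick.
  if [ "$rc" -eq 0 ]; then
    /opt/likewise/bin/ldapsearch -h "$SSO_LDAP_HOST" -p "$SSO_LDAP_PORT" -D "$SSO_BIND_DN" \
      -y "$pw" -b "$TENANT_DN" -s base '(objectClass=*)' vmwSTSDefaultIdentityProvider \
      | grep -qxF "vmwSTSDefaultIdentityProvider: $domain" || rc=3
  fi
  rm -f "$ldif" "$pw"
  return "$rc"
}

# Usage on the PSC (interactive shell):
#   SSO_ADMIN_PASSWORD='...' sh -c '. ./set-default-idp.sh; run_on_psc test.com'
```

If the Likewise binaries turn out not to accept -y, keep the post's -W and run the step interactively; the LDIF builder and the read-back check are unaffected.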
Hi, could you elaborate on how this worked for you in 6.5?
The following
cd /usr/lib/vmidentity/tools/scripts/
./sso-add-native-ad-idp.sh test.com
doesn't exist.
Downloading the files won't work, as it misses some other files in /vmware-upgrades/.
The only part that works is setting the default identity source, but it requires that identity source to be added beforehand in the Web Client.
Another couple of posts, still with no answer:
how to change default domains identity source with CLi( command line)
Re: Add vCenter 6.5 Identity Source via PowerCLI or Command line
Thanks!
I ended up writing a PowerShell script to log in to the PSC and actually add the source. It's not the cleanest, but it works.
Good luck. (Just updated one part.)
PowerShell:
# Drive a hidden Internet Explorer session against the PSC web UI.
$ie = New-Object -com InternetExplorer.Application
$ie.visible=$false
$ie.navigate("https://<FQDN of PSC>/psc/")
# Wait for both the browser and the login page to finish loading.
while($ie.ReadyState -ne 4) {start-sleep -m 100}
while($ie.document.ReadyState -ne "complete") {start-sleep -m 100}
# Fill in the SSO login form and submit it.
$ie.document.getElementById("username").value = '<SSO Admin User>'
$ie.document.getElementById("password").value = '<SSO Admin Password>'
$ie.document.getElementById("submit").Disabled = $false
$ie.document.getElementById("submit").click()
start-sleep 10
# Open the Identity Sources view and click the first action ("Add").
$ie.navigate("https://<FQDN of PSC>/psc/#?extensionId=sso.identity.sources.extension")
$ca = $ie.document.documentElement.getElementsByClassName('vui-action-label ng-binding ng-scope') | select -first 1
$ca.click()
# Select the Active Directory (Integrated Windows Authentication) type and confirm.
$ie.document.getElementById("adType").click()
$ca = $ie.document.documentElement.getElementsByClassName('ng-binding') | ?{$_.innerHTML -eq "OK"}
$ca.click()
$ie.quit()
Thanks @agentvan.
Looks like I found a simpler workaround (one that can be used with orchestration!).
Unfortunately, there isn't any officially supported way to automate the PSC AD-integrated identity source in VCSA 6.5u1.
In the past, in v5.5 / 6.0 or 6.5, that was possible using sso-add-native-ad-idp.sh and sso_import.sh; however, for some reason those utilities are no longer present in the 6.5u1 image.
I've documented the workaround on my blog: http://www.virtualflow.net/2018/03/vcsa-6-5u1-ad-integrated-identity-source-automation/