To update the sso-config.sh script on vSphere 6.5 and 6.7, the vmware-identity-sso-config.jar file on the PSC must be replaced with the one made available through this KB article. This file is overwritten when the PSC is patched, so the replacement must be repeated whenever configuring an identity source from the command line is needed again.
Note: Starting with version 7.0, this functionality is included by default and the attached file is no longer needed.
Download the vmware-identity-sso-config.jar file located in the attachments section of this KB article and move it to the appliance.
For instructions on using WinSCP to upload files to the PSC, see the article Error when uploading files to vCenter Server Appliance using WinSCP.
Once uploaded, replace the existing jar file:
NOTE: Do not leave the original vmware-identity-sso-config.jar file in the /opt/vmware/lib64/ directory with a .jar extension, even if it has been renamed. Doing so causes namespace conflicts within Java.
The commands below are only examples. Values such as domain.example, DOMAIN, the DN strings, the LDAP URLs and 'password' are placeholders that must be changed to match your desired configuration. Because -password is passed as a command-line argument, it is recorded in the shell history; remove that entry after the identity source has been added.
View current configured identity sources
sso-config.sh -get_identity_sources
Remove configured identity sources
sso-config.sh -delete_identity_source -i identityStoreName
Adding Active Directory (Windows Integrated Authentication)
Using this command, vSphere connects to and uses the Active Directory domain it is currently joined to as an Identity Source. vSphere must be joined to the AD domain before this operation.
sso-config.sh -add_identity_source -type nativead -domain domain.example
Adding AD over LDAP
Using this command, we can add AD over LDAP as an Identity Source. The information provided describes the AD domain to vSphere. For this operation, vSphere does not need to be joined to the domain.
This command illustrates adding the identity source with only a primary domain controller.
sso-config.sh -add_identity_source -type adldap -baseUserDN "CN=Users,DC=domain,DC=example" -baseGroupDN "CN=Groups,DC=domain,DC=example" -domain "domain.example" -alias "DOMAIN" -username "CN=Administrator,CN=Users,DC=domain,DC=example" -password 'password' -primaryURL "ldap://dc.domain.example:389"
This variation illustrates specifying both a primary and a secondary domain controller.
sso-config.sh -add_identity_source -type adldap -baseUserDN "CN=Users,DC=domain,DC=example" -baseGroupDN "CN=Groups,DC=domain,DC=example" -domain "domain.example" -alias "DOMAIN" -username "CN=Administrator,CN=Users,DC=domain,DC=example" -password 'password' -primaryURL "ldap://dc.domain.example:389" -secondaryURL "ldap://dc2.domain.example:389"
Adding AD over LDAP using LDAPS (LDAP over SSL)
This command illustrates specifying a domain or FQDN but connecting to it over a secure connection. For the secure connection to work, the SSL certificate from AD must be provided in the command. This can be the individual SSL certificate of each DC, or a CA certificate to which all the individual DC certificates chain. The -sslCert argument is a comma-separated list of paths to the individual .cer files. Use absolute paths (or $HOME as below) for every entry: the shell expands a leading ~ only at the start of the first item, so ~ in later items is passed to sso-config.sh literally.
sso-config.sh -add_identity_source -type adldap -baseUserDN "CN=Users,DC=domain,DC=example" -baseGroupDN "CN=Groups,DC=domain,DC=example" -domain "domain.example" -alias "DOMAIN" -username "CN=administrator,CN=users,DC=domain,DC=example" -password 'password' -primaryURL "ldaps://dc2.domain.example:636" -useSSL true -sslCert "$HOME/dc2.domain.example.cer,$HOME/dc1.domain.example.cer"
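A pre-flight check for the LDAPS variant above, added here as an example and not part of this KB article or of sso-config.sh: before running the command, it confirms that -primaryURL uses ldaps:// and that every file in the -sslCert list is readable, parses as an X.509 certificate (PEM or DER) and has not expired. It assumes the openssl CLI is available on the appliance.

```shell
#!/bin/sh
# check_ldaps_source URL CERTLIST
#   URL      - the value intended for -primaryURL (must be ldaps://...)
#   CERTLIST - the comma-separated value intended for -sslCert
# Returns 0 when every check passes, 1 on the first failure (reason on stderr).
# Assumed helper for this example; not a function of sso-config.sh.
check_ldaps_source() {
  url=$1
  certlist=$2
  case $url in
    ldaps://*) ;;
    *) echo "primaryURL must use ldaps:// when -useSSL true is given: $url" >&2; return 1 ;;
  esac
  # Split the list on commas exactly as sso-config.sh receives it.
  old_ifs=$IFS; IFS=','
  set -- $certlist
  IFS=$old_ifs
  [ $# -gt 0 ] || { echo "-sslCert list is empty" >&2; return 1; }
  for cert in "$@"; do
    case $cert in
      "~"*) echo "literal '~' in $cert: only the first list item gets tilde expansion; use an absolute path" >&2; return 1 ;;
    esac
    [ -r "$cert" ] || { echo "cannot read certificate file: $cert" >&2; return 1; }
    # Accept PEM or DER encoded certificates; reject anything else (e.g. a private key).
    if openssl x509 -in "$cert" -inform PEM -noout >/dev/null 2>&1; then
      inform=PEM
    elif openssl x509 -in "$cert" -inform DER -noout >/dev/null 2>&1; then
      inform=DER
    else
      echo "not an X.509 certificate: $cert" >&2; return 1
    fi
    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -inform "$inform" -noout -checkend 0 >/dev/null 2>&1 \
      || { echo "certificate has expired: $cert" >&2; return 1; }
    echo "ok ($inform): $cert $(openssl x509 -in "$cert" -inform "$inform" -noout -subject)"
  done
  return 0
}
```

Run it with the same -primaryURL and -sslCert values you intend to pass to sso-config.sh, and only proceed when it returns 0.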
Adding Open LDAP
Using this command, we can add Open LDAP as an Identity Source. The information provided describes an LDAP directory to vSphere.
sso-config.sh -add_identity_source -type openldap -baseUserDN "ou=people,dc=domain,dc=example" -baseGroupDN "ou=groups,dc=domain,dc=example" -domain "domain.example" -alias "DOMAIN" -username "cn=ldapuser1,ou=people,dc=domain,dc=example" -password 'password' -primaryURL "ldap://server.domain.example:389"