The dir-cli utility supports creation and updates to solution users, account management, and management of certificates and passwords in VMware Directory Service (vmdir). You can use dir-cli to manage and query the domain functional level of vCenter Server instances.
dir-cli nodes list
Lists all the enhanced linked mode connected vCenter Server systems.
Option | Description |
---|---|
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
--server <psc_ip_or_fqdn> | Use this option to connect to another vCenter Server to see its replication partners. |
dir-cli computer password-reset
Enables you to reset the password of the machine account in the domain.
Option | Description |
---|---|
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
--live-dc-hostname <server name> | Current name of the vCenter Server instance. |
dir-cli service create
Creates a solution user. Primarily used by third-party solutions.
Option | Description |
---|---|
--name <name> | Name of the solution user to create |
--cert <cert file> | Path to the certificate file. This can be a certificate signed by VMCA or a third-party certificate. |
--ssogroups <comma-separated-groupnames> | Makes the solution user a member of the specified groups. |
--wstrustrole <ActAsUser> | Makes the solution user a member of the built-in administrators or users group. In other words, determines whether the solution user has administrative privileges. |
--ssoadminrole <Administrator/User> | Makes the solution user a member of the ActAsUser group. The ActAsUser role enables users to act on behalf of other users. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli service list
List the solution users that dir-cli knows about.
Option | Description |
---|---|
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli service delete
Delete a solution user in vmdir. When you delete the solution user, all associated services become unavailable to all management nodes that use this instance of vmdir.
Option | Description |
---|---|
--name | Name of the solution user to delete. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli service update
Updates the certificate for a specified solution user, that is, collection of services. After running this command, update the solution user certificate entry in VECS by running the vecs-cli entry create command. See vecs-cli Command Reference.
Option | Description |
---|---|
--name <name> | Name of the solution user to update . |
--cert <cert_file> | Name of the certificate to assign to the service. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli user create
Creates a regular user inside vmdir. This command can be used for human users who authenticate to vCenter Single Sign-On with a user name and password. Use this command only during prototyping.
Option | Description |
---|---|
--account <name> | Name of the vCenter Single Sign-On user to create. |
--user-password <password> | Initial password for the user. |
--first-name <name> | First name for the user. |
--last-name <name> | Last name for the user. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli user modify
Modifies the specified user inside vmdir.
Option | Description |
---|---|
--account <name> | Name of the vCenter Single Sign-On user to modify. |
--password-never-expires | Set this option to true if you are modifying a user account for automated tasks that have to authenticate to vCenter Server, and you want to ensure that the tasks do not stop running because of password expiration. Use this option with care. |
--password-expires | Set this option to true if you want to revert the --password-never-expires option. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli user delete
Deletes the specified user inside vmdir.
Option | Description |
---|---|
--account <name> | Name of the vCenter Single Sign-On user to delete. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli user find-by-name
Finds a user inside vmdir by name. The information that this command returns depends on what you specify in the --level option.
Option | Description |
---|---|
--account <name> | Name of the vCenter Single Sign-On user to find. |
--level <info level 0|1|2> | Returns the following information:
The default level is 0. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli group modify
Option | Description |
---|---|
--name <name> | Name of the group in vmdir. |
--add <user_or_group_name> | Name of the user or group to add. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli group list
Option | Description |
---|---|
--name <name> | Optional name of the group in vmdir. This option allows you to check whether a specific group exists. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli ssogroup create
Create a group inside the local domain (vsphere.local by default).
Use this command if you want to create groups to manage user permissions for the vCenter Single Sign-On domain. For example, if you create a group and then add it to the Administrators group of the vCenter Single Sign-On domain, then all users that you add to that group have administrator permissions for the domain.
It is also possible to give permissions to vCenter inventory objects to groups in the vCenter Single Sign-On domain. See the vSphere Security documentation.
Option | Description |
---|---|
--name <name> | Name of the group in vmdir. Maximum length is 487 characters. |
--description <description> | Optional description for the group. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli trustedcert publish
Publishes a trusted root certificate to vmdir. After running this command, VECS picks up the certificate change after one minute, or you can run the vecs-cli force-refresh command to sync the certificate immediately.
Option | Description |
---|---|
--cert <file> | Path to certificate file. |
--crl <file> | This option is not supported by VMCA. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
--chain | Specify this option if you are publishing a chained certificate. No option value is needed. |
dir-cli trustedcert unpublish
Unpublishes a trusted root certificate currently in vmdir. Use this command, for example, if you added a different root certificate to vmdir that is now the root certificate for all other certificates in your environment. Unpublishing certificates that are no longer in use is part of hardening your environment.
Option | Description |
---|---|
--cert-file <file> | Path to the certificate file to unpublish |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli trustedcert list
Lists all trusted root certificates and their corresponding IDs. You need the certificate IDs to retrieve a certificate with dir-cli trustedcert get.
Option | Description |
---|---|
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli trustedcert get
Retrieves a trusted root certificate from vmdir and writes it to a specified file.
Option | Description |
---|---|
--id <cert_ID> | ID of the certificate to retrieve. The dir-cli trustedcert list command shows the ID. |
--outcert <path> | Path to write the certificate file to. |
--outcrl <path> | Path to write the CRL file to. Not currently used. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli password create
Option | Description |
---|---|
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli password reset
Option | Description |
---|---|
--account | Name of the account to assign a new password to. |
--new | New password for the specified user. |
--login <admin_user_id> | The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default. |
--password <admin_password> | Password of the administrator user. If you do not specify the password, you are prompted. |
dir-cli password change
Option | Description |
---|---|
--account | Account name. |
--current | Current password of the user who owns the account. |
--new | New password of the user who owns the account. |