Hi, recently I moved my lab to the basement so I can dig a little deeper into the infrastructure and connectivity.
First I took on RBAC (role-based access control). Based on the vRA documentation, I created a map of which groups should exist in the environment.
There are quite a few of them, so you could click them out by hand, but I made a simple script that creates them for me in AD.
For sure it could be written better, but the script does its job and you can find it on my GitHub.
OK, we have the groups set up in AD, and now what?
vRA uses a connection to vIDM to provide authentication, so I started looking for an API for vIDM.
Unfortunately it is terribly complicated, because VMware does not have a well-described API for it on its website https://developer.vmware.com/apis.
So I started reverse engineering it.
First of all, we need to be able to connect to vIDM. This turned out to be the easiest part: I created a new client profile that I authenticate with and use to obtain the token.
To create such a profile:
- go to Catalog -> Settings
- in Remote App Access, click Create Client
- as Access Type, choose Service Client Token
- as Client ID, enter the name that will be used
- in Shared Secret, set your own password or generate a Shared Secret
And that's where the easy part ends.
We can divide adding an Active Directory into the following parts:
- generating a token
- finding the Connector ID that will be used
- creating a new directory (AD)
- assigning our directory to the connector
- finding all existing groups in AD
- adding the groups to the directory
What was most difficult for me is that each action requires different headers, and the URLs are not fully public.
I tested each part in Postman and then wrote a script that adds the groups previously created in AD to the directory.
I will not describe each step of the script here; you can also find it on my GitHub.
However, I am happy with the result, because it does for me what I would otherwise have to click through by hand.
Only the vRA part is left to do, but AD and vIDM work. If you have any questions about the script or some thoughts, I am at your disposal.
The article is short, but it seems to me the content may be useful; personally I searched a large part of the Internet and did not find this information.
You can use the script in any way you want, but remember to keep the information about the original creator.
A small note on the script: if you change groups, you must always download the existing ones first, because the API call overwrites the current configuration.
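To make the two points above concrete (authenticating with the Service Client Token and merging the existing group list before sending it back), here is a small added example in Python. It is not the script from my GitHub; the host name, client ID, secret and sample group DNs are made up, and the token endpoint is my assumption of vIDM's OAuth2 client-credentials endpoint, which you should verify against your own instance.

```python
import base64
import json
from urllib.request import Request, urlopen

# Hypothetical values for illustration; put your vIDM host and the client
# created under Catalog -> Settings -> Remote App Access here.
VIDM_URL = "https://vidm.example.local"
CLIENT_ID = "ad-sync-client"                 # the Client ID chosen in vIDM
SHARED_SECRET = "replace-with-shared-secret"  # the Shared Secret from vIDM


def token_request(base_url, client_id, shared_secret):
    """Build the Service Client Token request (URL and headers).

    Assumption: the OAuth2 endpoint /SAAS/API/1.0/oauth2/token with
    grant_type=client_credentials and HTTP Basic auth of client_id:secret.
    Keep the secret out of source control; read it from a vault or env var.
    """
    basic = base64.b64encode(f"{client_id}:{shared_secret}".encode()).decode()
    url = f"{base_url}/SAAS/API/1.0/oauth2/token?grant_type=client_credentials"
    return url, {"Authorization": f"Basic {basic}", "Accept": "application/json"}


def fetch_token(base_url, client_id, shared_secret):
    """POST the token request and return the bearer token (network call)."""
    url, headers = token_request(base_url, client_id, shared_secret)
    with urlopen(Request(url, method="POST", headers=headers)) as resp:
        return json.load(resp)["access_token"]


def merge_group_dns(existing, desired):
    """Return existing group DNs plus any new ones, without duplicates.

    The directory update replaces the whole group list, so sending only the
    new groups would silently drop everything that was already synced.
    """
    merged = list(dict.fromkeys(existing))  # keep order, drop duplicates
    for dn in desired:
        if dn not in merged:
            merged.append(dn)
    return merged


if __name__ == "__main__":
    # Constructed sample: groups already in the directory plus one new group.
    existing = ["CN=vRA-Admins,OU=vRA,DC=lab,DC=local"]
    desired = ["CN=vRA-Admins,OU=vRA,DC=lab,DC=local",
               "CN=vRA-Users,OU=vRA,DC=lab,DC=local"]
    print(merge_group_dns(existing, desired))
```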