vCloud Director Service Library – Change AD Password

vCloud Director version 9.1 introduced the ability to easily create custom services and display them in the new user interface as tiles under Service Library. The services are created in vRealize Orchestrator as workflows and then presented to tenants or system administrators with simple categorization.

The screenshot below shows the Service Library with Backup and User Management categories and some services that I created for demonstration.

The actual feature is not very well documented so I will show on one simple (but useful) example how to implement it.

I am going to create Change LDAP Password service tile. While vCloud Director UI allows changing passwords for local users, users that are imported from integrated LDAP cannot change their password via vCloud Director UI so adding such service actually makes sense.

  • Set up vRealize Orchestrator: as system admin log in into the provider H5 UI (https://<vcd-UI>/provider) and set up connection to external vRealize Orchestrator server (that obviously must be installed and configured first). Note that for this example we will not need any custom plugins. Content Libraries > Library Administration > Service Management > vRO Servers
  • Set up Service Categories in the next menu.
  • Make sure that users have access to the Service Library. This is controlled with new rights under section Additional Services. I have added all three rights to the global Organization Administrator role and also to all existing organizations. You can obviously add them to also less privileged roles. This must be done via vCloud API.
  • Prepare the workflow in the vRealize Orchestrator (vRO). I assume the reader already knows how to create generic vRO workflows so I will not go into too much detail. You must configure the built in Microsoft Active Directory plugin with the Add an Active Directory server configuration workflow.
  • In very high level, the workflow execution will consist of the following steps:
  1. Presentation window to collect Password and confirmPassword values and compare them for validation. Note that I did not succeed using SecureString variables (vCloud Director seems to not support them) and had to use simple string type which results in password being visible on the screen.
  2. Next we will get some custom properties from vCloud Director. You can use four of them: _vcd_orgName, _vcd_orgId, _vdc_userName (sic!) and _vcd_isAdmin. In my Active Director I have the following OU structure for each org:
    Each vCloud Director organization has its own OU under VCD organization unit. The OU name matches the Organization name.
    To get the custom properties you need to create custom action (in my case Load VCD Inputs with the following script):
    As can be see from above screenshot, I only need _vcd_orgName to find the OU and _vdc_userName to find the user account in AD.
  3. The next step is built in getOrganizationUnitFromOrganizationUnit action that can be found under com.vmware.library.microsoft.activeDirectory.  As inputs I am supplying value equal to the container of my parent (VCD) OU and the org name as string. The output is the organization OU.
  4. Now we can find the user object based on org OU and username string. This is done with getUserFromContainer action (again from com.vmware.library.microsoft.activeDirectory).
  5. As mentioned in the beginning I was forced to use String type variable for the password, but the change password action requires Secure String. This simple action will provide the conversion.
  6. The last step is to change the password with setUserPassword action (found in com.vmware.library.microsoft.activeDirectory).
  • Now we can save the workflow and give it a proper description that will be visible to tenants.
  • Back in vCloud Director we can now in the provider UI import the workflow into Service Library. This is done at: Content Libraries > Services > Service Library > Import. Simple wizard will ask for target library (category), source vRO and the workflow.
  • Once a workflow is imported it can be Published to system admins, all or subset of tenants. Find the workflow tile and select Manage.

That is all. Test as tenant logged in with LDAP account in the new H5 UI.

Observe and troubleshoot the workflow execution in vRO.

Advertisements

2 thoughts on “vCloud Director Service Library – Change AD Password

  1. This is awesome! Thanks for sharing!

    Would it be possible for you add a few screenshots of what it looks like when a customer executes the service from vCD? I think that would add icing to the cake.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s