vCloud Director Service Library – Change AD Password

vCloud Director version 9.1 introduced the ability to easily create custom services and display them in the new user interface as tiles under Service Library. The services are created in vRealize Orchestrator as workflows and then presented to tenants or system administrators with simple categorization.

The screenshot below shows the Service Library with Backup and User Management categories and some services that I created for demonstration.

The feature itself is not very well documented, so I will show how to implement it with one simple (but useful) example.

I am going to create a Change LDAP Password service tile. While the vCloud Director UI allows local users to change their passwords, users imported from an integrated LDAP cannot change their password via the vCloud Director UI, so adding such a service actually makes sense.

  • Set up vRealize Orchestrator: as a system administrator, log in to the provider H5 UI (https://<vcd-UI>/provider) and set up the connection to the external vRealize Orchestrator server (which obviously must be installed and configured first) under Content Libraries > Library Administration > Service Management > vRO Servers. Note that no custom plugins are needed for this example.
  • Set up Service Categories in the next menu.
  • Make sure that users have access to the Service Library. This is controlled with new rights under the Additional Services section. I have added all three rights to the global Organization Administrator role and also to all existing organizations. You can obviously add them to less privileged roles as well. This must be done via the vCloud API.
  • Prepare the workflow in vRealize Orchestrator (vRO). I assume the reader already knows how to create generic vRO workflows, so I will not go into too much detail. You must configure the built-in Microsoft Active Directory plugin with the Add an Active Directory server configuration workflow.
  • At a very high level, the workflow execution consists of the following steps:
  1. A presentation window collects the Password and confirmPassword values and compares them for validation. Note that I did not succeed with SecureString variables (vCloud Director does not seem to support them) and had to use the plain string type, which results in the password being visible on the screen.
  2. Next we get some custom properties from vCloud Director. You can use four of them: _vcd_orgName, _vcd_orgId, _vdc_userName (sic!) and _vcd_isAdmin. In my Active Directory I have the following OU structure for each org:
    Each vCloud Director organization has its own OU under the VCD organizational unit. The OU name matches the organization name.
    To get the custom properties you need to create a custom action (in my case Load VCD Inputs, with the following script):
    As can be seen from the above screenshot, I only need _vcd_orgName to find the OU and _vdc_userName to find the user account in AD.
  3. The next step is the built-in getOrganizationUnitFromOrganizationUnit action, which can be found under com.vmware.library.microsoft.activeDirectory. As inputs I am supplying the container of my parent (VCD) OU and the org name as a string. The output is the organization OU.
  4. Now we can find the user object based on the org OU and the username string. This is done with the getUserFromContainer action (again from com.vmware.library.microsoft.activeDirectory).
  5. As mentioned in the beginning, I was forced to use a String type variable for the password, but the change password action requires a SecureString. This simple action provides the conversion.
  6. The last step is to change the password with the setUserPassword action (found in com.vmware.library.microsoft.activeDirectory).
  • Now we can save the workflow and give it a proper description that will be visible to tenants.
  • Back in the vCloud Director provider UI we can now import the workflow into the Service Library. This is done at: Content Libraries > Services > Service Library > Import. A simple wizard will ask for the target library (category), the source vRO and the workflow.
  • Once a workflow is imported it can be published to system admins, all tenants or a subset of tenants. Find the workflow tile and select Manage.
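The two scripted pieces of the workflow above (the presentation check in step 1 and the Load VCD Inputs action in step 2) are shown below as an added example; this is not the script from the post's screenshot and not VMware's code. vRO action scripts are JavaScript with the inputs as top-level variables and `System.getContext()` as a built-in global, so the block wraps the logic in functions and uses a small stand-in context object (an assumption, labelled in the comments) so it can be run offline under Node.js. The property names are the four the post lists; everything else (the stub, the function names, the sample values) is constructed for the example.

```javascript
// Added example: the scripted steps of the "Change LDAP Password" workflow,
// written to run under Node.js. In a real vRO action the body is top-level
// script and System.getContext() is provided by vRO; here makeContext() is a
// stand-in (assumption) so the logic can be exercised without vRO.

// The custom properties vCloud Director injects into the workflow run.
// The spelling of _vdc_userName is vCloud Director's own, not a typo here.
const VCD_PROPERTIES = ["_vcd_orgName", "_vcd_orgId", "_vdc_userName", "_vcd_isAdmin"];

// Stand-in for the object returned by System.getContext() (assumption).
// Mirrors the one method the workflow needs: getParameter(name).
function makeContext(values) {
  return {
    getParameter: function (name) {
      return Object.prototype.hasOwnProperty.call(values, name) ? values[name] : null;
    }
  };
}

// Step 2, "Load VCD Inputs": read the properties passed by vCloud Director.
// When the workflow is started from the vRO client instead of the Service
// Library there is no vCD context, so the required values come back null and
// the action fails early rather than searching AD with an empty org/user.
function loadVcdInputs(context) {
  const raw = {};
  VCD_PROPERTIES.forEach(function (name) {
    raw[name] = context.getParameter(name);
  });
  if (!raw._vcd_orgName || !raw._vdc_userName) {
    throw new Error("workflow must be started from the vCloud Director Service Library");
  }
  return {
    orgName: raw._vcd_orgName,   // used to find the org OU under the VCD OU
    orgId: raw._vcd_orgId,
    userName: raw._vdc_userName, // used to find the user object in the org OU
    // the property may arrive as a boolean or as the string "true"
    isAdmin: String(raw._vcd_isAdmin) === "true"
  };
}

// Step 1: the presentation validation that compares Password with
// confirmPassword. Returns null when acceptable, otherwise the message the
// tenant sees. Both values are plain strings here, as in the post.
function validatePasswords(password, confirmPassword) {
  if (typeof password !== "string" || password.length === 0) {
    return "Password must not be empty";
  }
  if (password !== confirmPassword) {
    return "Passwords do not match";
  }
  return null;
}

// Because the password travels as a plain String, anything logged with
// System.log() from the workflow must be built from the inputs only.
// This returns the one line worth logging per run.
function auditLine(inputs) {
  return "password change requested for user " + inputs.userName +
    " in org " + inputs.orgName + " (admin=" + inputs.isAdmin + ")";
}

// Constructed sample run; the values are placeholders, not real tenant data.
const demoContext = makeContext({
  _vcd_orgName: "ACME",
  _vcd_orgId: "ORG-ID-PLACEHOLDER",
  _vdc_userName: "jdoe",
  _vcd_isAdmin: "false"
});
const demoInputs = loadVcdInputs(demoContext);
console.log(auditLine(demoInputs));
console.log("validation:", validatePasswords("Sample-Pass-1", "Sample-Pass-1"));
```

In vRO the same logic is split across the presentation property (the comparison) and the action body (the `getParameter` calls), with `return` used instead of a function; the stand-in context is only needed to run it outside vRO.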

That is all. Test as a tenant logged in with an LDAP account in the new H5 UI.

Observe and troubleshoot the workflow execution in vRO.


9 thoughts on “vCloud Director Service Library – Change AD Password”

  1. This is awesome! Thanks for sharing!

    Would it be possible for you add a few screenshots of what it looks like when a customer executes the service from vCD? I think that would add icing to the cake.

  2. Hi Tomas, Thanks for sharing, especially the Customer Properties. Are there any others? I can't seem to find any information about them. I was hoping that there was a parameter for the vCD host. We have several datacentres and each has its own vCD so to have a single workflow that I can use in all DCs I need to know the host that sent the request.

    Thanks

      1. Thanks, are these available to use for presentation validation and predefined list of elements? I am getting null when using var org = System.getContext().getParameter("_vcd_orgName"); in an action that returns a list of VDCs that the org has.

    1. As current workaround you might create individual service accounts for each vCD, and use the different accounts when configuring vRO into vCD.
      Then you can use Server.getRunningUser() (or getCredential()) within the workflow to get the user that’s used (this service account that’s used by vCD to start the workflow) to start the workflow.
      Additional benefit: the user field is also shown in the workflow token and event lists in the client, gives you a nice overview of which user (so which vCD) started what execution…

    2. The getContext() unfortunately is not available in the actions that are used for input presentation, as these actions are run before the actual workflow is being kicked off. So at that time there is no workflow execution context yet.
      That’s a limitation of vRO I think.
      But I totally agree that this would be super helpful, to allow the creation of “tenant aware” input form logic.

  3. Hi, thanks joerglew for the idea, using a site based user for the vcd-vro integration user works a treat. That's one step closer!
    Ian..
