Automating vCenter Single Sign-On (SSO) Users creation and management was not possible in prior releases of vSphere and this operation had to be performed manually using the vSphere Web Client.

sso-user-management-using-dir-cli-4
With vSphere 6.0, you can now easily create and manage SSO Users using a new command-line utility that is included within the Platform Services Controller (PSC) called dir-cli. Below are the paths to the dir-cli utility on both Windows VC and VCSA.

Windows VC 6.0:

  • C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe

VCSA 6.0:

  • /usr/lib/vmware-vmafd/bin/dir-cli

Below are a few examples on using the dir-cli command and you can find more information in the vSphere 6.0 Documentation here. If you wish to automate the dir-cli operations without needing to specify an SSO Administrator password, just specify the --password option. You can also change the SSO Administrator username by specifying the --login option.

Creating a new SSO user:

/usr/lib/vmware-vmafd/bin/dir-cli user create --account william --first-name william --last-name lam --user-password 'VMware1!'

sso-user-management-using-dir-cli-0
Adding new user to SSO group called "Administrators":

/usr/lib/vmware-vmafd/bin/dir-cli group modify --name Administrators --add william

sso-user-management-using-dir-cli-2
List users in an SSO group:

/usr/lib/vmware-vmafd/bin/dir-cli group list --name Administrators

sso-user-management-using-dir-cli-1
Reset the password for an SSO user:

/usr/lib/vmware-vmafd/bin/dir-cli password reset --account william --new 'VMware1!!'

sso-user-management-using-dir-cli-3

3 thoughts on “vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli

  1. William, thanks for this, helped immensely. Upon further Googling, there’s a VMware document here: https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-4FBEA58E-9492-409B-B584-C18477F041D8.html

    This contains the line in reference to the dir-cli command: “Use this command only during prototyping”. Are there going to be any differences between a user created via the GUI vs the CLI, or is there another reason for VMware to include this warning?

  2. Without having tried it yet, I would like to ask whether it is possible to use this to add AD users to SSO groups, for an ID source that is already configured?

Thanks for the comment!