vmware / PowerCLI-Example-Scripts

http://blogs.vmware.com/powercli

More features in VMware.vSphere.SsoAdmin Module #415

Closed philiprusinov closed 3 years ago

philiprusinov commented 3 years ago

Hello, creating a PS module for managing SSO on VCSA is great! You may be working on developing more cmdlets, so I would like to ask you for the following feature. Would you be able to add cmdlets for removing/modifying identity sources, as are already available for adding? I'm looking for some automation on uploading new LDAP SSL certificates when LDAP over SSL is selected. In cases where Domain Controller certificates expire each year, I have to play with sso-config.sh or remove/add Identity Sources via GUI. Not sure why, but edit/modify via GUI generates error messages each time, so even the workaround via GUI is first to remove the Identity Source and then to add it again. Thanks!

dmilov commented 3 years ago

Thanks for asking. That's something I would like to add. I have an implementation for the Add-LDAPIdentitySource and I'm looking for someone to help me with the testing.

Do you have a test lab to give it a try and provide feedback?

If so, please get

https://github.com/dmilov/PowerCLI-Example-Scripts/tree/topic/dmilov/ssoadmin-externaldomain/Modules/VMware.vSphere.SsoAdmin

and test the Add-LDAPIdentitySource function with the $Certificates parameter.

philiprusinov commented 3 years ago

Thanks, I've got the entire ZIP from PowerCLI-Example-Scripts, where the module version is 1.1.0. How can I get 1.2.0? Should I copy only the psm and psd files?

dmilov commented 3 years ago

You can use git for the purpose:

```
git clone https://github.com/dmilov/PowerCLI-Example-Scripts.git
git checkout topic/dmilov/ssoadmin-externaldomain

Import-Module ./Modules/VMware.vSphere.SsoAdmin/VMware.vSphere.SsoAdmin.psd1
```

philiprusinov commented 3 years ago

Hi, getting it with git clone downgrades the version to 1.0.0. Meanwhile I've noticed that in the ZIP the version is updated to 1.2.0. As my lab is in an isolated environment, I've transferred the module with all subdirectories, but I'm not able to add a new identity source. The error handling didn't give me any details on where I'm wrong. My syntax is the following:

```powershell
# Connect to the SSO admin endpoint and load the DC's LDAPS certificate from a file
$SSO = Connect-SsoAdminServer -Server vcsa.mylocaldomain.com -User administrator@vsphere.local -Password MyPassword -SkipCertificateCheck -Verbose
$cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\mycertfile.cer")

Add-LDAPIdentitySource -Name "mylocaldomain.com" -DomainName "mylocaldomain.com" -DomainAlias "MYLOCALDOMAIN" -PrimaryUrl "ldaps://dc1.mylocaldomain.com:3269" -BaseDNUsers "dc=mylocaldomain,dc=com" -BaseDNGroups "dc=mylocaldomain,dc=com" -Username "ad-read-account@mylocaldomain.com" -Password "MyPassword1" -Certificates $cert1 -Server $SSO -ServerType ActiveDirectory -Verbose
```

Error message:

```
Add-LDAPIdentitySource : One or more errors occurred. At line:1 char:1
```

dmilov commented 3 years ago

Can you get all the details from the last two errors?

```powershell
$error[0] | select *
$error[0].Exception | select *
$error[1] | select *
$error[1].Exception | select *
```

philiprusinov commented 3 years ago

Please find it below:

```
C:\Users\username> $error[0] | select *
$error[0].Exception | select *
$error[1] | select *
$error[1].Exception | select *

writeErrorStream      : True
PSMessageDetails      : 
Exception             : Microsoft.PowerShell.Commands.WriteErrorException: One or more errors occurred.
TargetObject          : 
CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-LDAPIdentitySource
ErrorDetails          : 
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at Add-LDAPIdentitySource, C:\Users\username\Documents\WindowsPowerShell\Modules\VMware.vSphere.SsoAdmin\VMware.vSphere.SsoAdmin.psm1: line 1658
                        at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {0, 1}
Message        : One or more errors occurred.
Data           : {}
InnerException : 
TargetSite     : 
StackTrace     : 
HelpLink       : 
Source         : 
HResult        : -2146233087

PSMessageDetails      : 
Exception             : System.Management.Automation.MethodInvocationException: Exception calling "AddLdapIdentitySource" with "10" argument(s): "One or more errors occurred." ---> System.AggregateException: One or more 
                        errors occurred. ---> System.InvalidOperationException: There is an error in the XML document. ---> System.InvalidOperationException: The specified type was not recognized: name='InvalidRequest', 
                        namespace='urn:sso', at <RuntimeFaultFault xmlns='urn:sso'>.
                           at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderSsoPortType.Read102_RuntimeFault(Boolean isNullable, Boolean checkType)
                           at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderSsoPortType.Read458_RuntimeFaultFault()
                           at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
                           --- End of inner exception stack trace ---
                           at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
                           at System.ServiceModel.Dispatcher.XmlSerializerObjectSerializer.ReadObject(XmlDictionaryReader reader, Boolean verifyObjectName)
                           at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName, DataContractResolver dataContractResolver)
                           at System.Runtime.Serialization.XmlObjectSerializer.ReadObject(XmlDictionaryReader reader)
                           at System.ServiceModel.Dispatcher.XmlSerializerFaultFormatter.CreateFaultException(MessageFault messageFault, String action)
                           at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
                           at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
                           at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass6_0.<CreateTask>b__0(IAsyncResult asyncResult)
                           at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
                           --- End of inner exception stack trace ---
                           at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
                           at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
                           at VMware.vSphere.SsoAdminClient.SsoAdminClient.AddLdapIdentitySource(String domainName, String domainAlias, String friendlyName, String primaryUrl, String baseDNUsers, String baseDNGroups, 
                        String authenticationUserName, String authenticationPassword, String serverType, X509Certificate2[] ldapCertificates)
                           at CallSite.Target(Closure , CallSite , Object , Object , String , Object , Object , Object , Object , Object , Object , Object , X509Certificate2[] )
                           --- End of inner exception stack trace ---
                           at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
                           at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
                           at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
                           at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
TargetObject          : 
CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
FullyQualifiedErrorId : AggregateException
ErrorDetails          : 
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at Add-LDAPIdentitySource, C:\Users\username\Documents\WindowsPowerShell\Modules\VMware.vSphere.SsoAdmin\VMware.vSphere.SsoAdmin.psm1: line 1645
                        at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}

ErrorRecord                 : Exception calling "AddLdapIdentitySource" with "10" argument(s): "One or more errors occurred."
WasThrownFromThrowStatement : False
Message                     : Exception calling "AddLdapIdentitySource" with "10" argument(s): "One or more errors occurred."
Data                        : {System.Management.Automation.Interpreter.InterpretedFrameInfo}
InnerException              : System.AggregateException: One or more errors occurred. ---> System.InvalidOperationException: There is an error in the XML document. ---> System.InvalidOperationException: The specified type 
                              was not recognized: name='InvalidRequest', namespace='urn:sso', at <RuntimeFaultFault xmlns='urn:sso'>.
                                 at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderSsoPortType.Read102_RuntimeFault(Boolean isNullable, Boolean checkType)
                                 at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderSsoPortType.Read458_RuntimeFaultFault()
                                 at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
                                 --- End of inner exception stack trace ---
                                 at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
                                 at System.ServiceModel.Dispatcher.XmlSerializerObjectSerializer.ReadObject(XmlDictionaryReader reader, Boolean verifyObjectName)
                                 at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName, DataContractResolver dataContractResolver)
                                 at System.Runtime.Serialization.XmlObjectSerializer.ReadObject(XmlDictionaryReader reader)
                                 at System.ServiceModel.Dispatcher.XmlSerializerFaultFormatter.CreateFaultException(MessageFault messageFault, String action)
                                 at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
                                 at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
                                 at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass6_0.<CreateTask>b__0(IAsyncResult asyncResult)
                                 at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
                                 --- End of inner exception stack trace ---
                                 at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
                                 at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
                                 at VMware.vSphere.SsoAdminClient.SsoAdminClient.AddLdapIdentitySource(String domainName, String domainAlias, String friendlyName, String primaryUrl, String baseDNUsers, String baseDNGroups, 
                              String authenticationUserName, String authenticationPassword, String serverType, X509Certificate2[] ldapCertificates)
                                 at CallSite.Target(Closure , CallSite , Object , Object , String , Object , Object , Object , Object , Object , Object , Object , X509Certificate2[] )
                              ---> (Inner Exception #0) System.InvalidOperationException: There is an error in the XML document. ---> System.InvalidOperationException: The specified type was not recognized: 
                              name='InvalidRequest', namespace='urn:sso', at <RuntimeFaultFault xmlns='urn:sso'>.
                                 at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderSsoPortType.Read102_RuntimeFault(Boolean isNullable, Boolean checkType)
                                 at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderSsoPortType.Read458_RuntimeFaultFault()
                                 at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
                                 --- End of inner exception stack trace ---
                                 at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
                                 at System.ServiceModel.Dispatcher.XmlSerializerObjectSerializer.ReadObject(XmlDictionaryReader reader, Boolean verifyObjectName)
                                 at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName, DataContractResolver dataContractResolver)
                                 at System.Runtime.Serialization.XmlObjectSerializer.ReadObject(XmlDictionaryReader reader)
                                 at System.ServiceModel.Dispatcher.XmlSerializerFaultFormatter.CreateFaultException(MessageFault messageFault, String action)
                                 at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
                                 at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
                                 at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass6_0.<CreateTask>b__0(IAsyncResult asyncResult)
                                 at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)<---

TargetSite                  : Void CheckActionPreference(System.Management.Automation.Language.FunctionContext, System.Exception)
StackTrace                  :    at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
                                 at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
                                 at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
                                 at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
HelpLink                    : 
Source                      : System.Management.Automation
HResult                     : -2146233087
```

dmilov commented 3 years ago

What is the VC version?

philiprusinov commented 3 years ago

6.7.0 build 15976728

dmilov commented 3 years ago

Unfortunately, the errors are not well-formatted... but I found the root cause. Can you try again with the latest?

philiprusinov commented 3 years ago

Hi Dimitar, first of all thank you for contributing to this thread! If you have any advice on how to present future errors, please let me know. From my perspective, PS error formatting is always bad. :-) It may seem like a silly question, but when I go to the web --> vmware/PowerCLI-Example-Scripts it says the version is 1.1.0. When I try to git clone https://github.com/dmilov/PowerCLI-Example-Scripts.git it downloads 1.0.0. I'm not even able to get 1.2.0, which I downloaded yesterday. It seems I'm wrong somewhere; I'm starting to feel dumb :-(

dmilov commented 3 years ago

Version 1.2.0 is available in the master branch now. It has the new functions to Add and Update an LDAP Identity Source with certificates:

```powershell
Add-LDAPIdentitySource `
       -Name 'sof-powercli' `
       -DomainName 'sof-powercli.vmware.com' `
       -DomainAlias 'sof-powercli' `
       -PrimaryUrl 'ldap://sof-powercli.vmware.com:389' `
       -BaseDNUsers 'CN=Users,DC=sof-powercli,DC=vmware,DC=com' `
       -BaseDNGroups 'CN=Users,DC=sof-powercli,DC=vmware,DC=com' `
       -Username 'sofPowercliAdmin@sof-powercli-qe.eng.vmware.com' `
       -Password '$up3R$Tr0Pa$$w0rD' `
       -ServerType 'ActiveDirectory' `
       -Certificates 'C:\Temp\test.cer'

Get-IdentitySource -External | Set-LDAPIdentitySource -Certificates 'C:\Temp\testNew.cer'
```

dmilov commented 3 years ago

Please test and close if it works

philiprusinov commented 3 years ago

Hi Dimitar, thanks for the update. Adding a new AD Identity Source is working now! I'm currently not able to check the update of the certificate with Set-LDAPIdentitySource, because I don't have a certificate for the same DC with a new timestamp. Next week I will be able to check this as well. If you pipe with the current certificate it is executed without issues, so I assume it will work also. Could you please add the possibility to configure also a SecondaryUrl / DC? This will give us a real working PS automated way when doing such changes. I've tested also the certificate attribute; it is working with both a full path to a *.cer file and an X509Certificates PS object, which is great. Another test which I performed is to get an identity source, which is set up via GUI, and then pipe it to the set cmdlet. What I've noticed is that even though in the GUI I've configured 2 DCs, after executing the PS the identity source is modified with the PrimaryURL only. But you may know this. At the same stage, when you are with a single DC, the cmdlet allows you to pipe 2 certificates, so it seems only adding the SecondaryURL as a property will be enough. Thanks!
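The certificate-rotation automation discussed in this thread, as an added example that is not part of the module or of the thread: it fetches the certificate each domain controller currently presents on its LDAPS port, refuses to proceed unless that certificate chains to a CA trusted on the admin workstation, warns on near expiry, and only then pipes the certificates to Set-LDAPIdentitySource. It assumes the cmdlets and parameters shown above (Connect-SsoAdminServer with -Server/-User/-Password, Get-IdentitySource -External, Set-LDAPIdentitySource -Certificates accepting X509Certificate2 objects); the helper functions and the host names are hypothetical.

```powershell
# Added example; assumes the VMware.vSphere.SsoAdmin cmdlets as used in this thread.
Import-Module VMware.vSphere.SsoAdmin

function Get-LdapsServerCertificate {
    # Hypothetical helper: returns the X509Certificate2 a DC presents on its LDAPS port.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # The callback only lets the handshake complete so the presented certificate can be
        # read; whether to trust it is decided separately by Test-CertificateTrusted.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally {
        $tcp.Close()
    }
}

function Test-CertificateTrusted {
    # Hypothetical helper: builds a chain against the workstation trust store, with online
    # revocation checking, and fails closed on any chain status.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    return $chain.Build($Certificate)
}

function Update-LdapsIdentitySourceCertificate {
    # Hypothetical wrapper: replaces the certificates SSO trusts for the external identity
    # source with the ones the DCs present right now.
    param(
        [Parameter(Mandatory)][string]$SsoServer,
        [Parameter(Mandatory)][pscredential]$SsoCredential,
        [Parameter(Mandatory)][string[]]$DomainController,
        [int]$WarnWithinDays = 30
    )
    [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$certs = @(foreach ($dc in $DomainController) {
        $cert = Get-LdapsServerCertificate -ComputerName $dc
        if (-not (Test-CertificateTrusted -Certificate $cert)) {
            throw "Certificate presented by $dc (thumbprint $($cert.Thumbprint)) does not chain to a trusted CA; refusing to install it."
        }
        if ($cert.NotAfter -lt (Get-Date).AddDays($WarnWithinDays)) {
            Write-Warning "$dc presents a certificate expiring $($cert.NotAfter); renew it on the DC before rotating SSO."
        }
        Write-Verbose ("{0}: {1} (expires {2})" -f $dc, $cert.Thumbprint, $cert.NotAfter)
        $cert
    })
    # No -SkipCertificateCheck: the vCenter certificate must itself be trusted by this workstation.
    $null = Connect-SsoAdminServer -Server $SsoServer -User $SsoCredential.UserName `
        -Password $SsoCredential.GetNetworkCredential().Password
    Get-IdentitySource -External | Set-LDAPIdentitySource -Certificates $certs
}

# Usage with constructed host names:
# Update-LdapsIdentitySourceCertificate -SsoServer vcsa.example.test -SsoCredential (Get-Credential) `
#     -DomainController dc1.example.test, dc2.example.test -Verbose
```

Scheduling this shortly before the yearly DC certificate expiry, and keeping the thrown error as a hard stop, turns the manual remove/re-add workaround into a checked, repeatable step.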

dmilov commented 3 years ago

Adding a FailoverUrl parameter is an easy one, so yes, I'll add it.

philiprusinov commented 3 years ago

Thanks, please let me know when you are able to do it, and I will test it. Have a great day!

dmilov commented 3 years ago

done.

philiprusinov commented 3 years ago

Thank you! It is working; I've just added a new Identity Source on VCSA 7. :-) This is a great improvement; until now we had to play with sso-config.sh, which is not as good as PS. Next week I will be able to test only the certificate update, as my current certificates will expire, so let's see what the results will be. It would be nice also to have a Remove-IdentitySource cmdlet in a future release. Thanks again!

dmilov commented 3 years ago

Good, closing the issue for now.