Automated directory synchronization of the vRA Identity Manager

Disclaimer: The API documentation has not yet been released; therefore I would like to note that this is currently an unsupported method of triggering a directory sync.

During a recent project the customer requested the functionality to create a new business group with just one click. This should be a function to onboard new teams into the vRA environment, including the creation of Reservations and Active Directory groups.

In vRA 6 this would not have been a problem at all, but starting with vRA 7 the Identity Manager was introduced. The Identity Manager, in short the connection from vRA to Active Directory (AD), synchronizes AD content on a fixed schedule. This means that the AD groups you specify in the new Business Group are not visible immediately, but only after the next synchronization.

As the customer stated, it should be an automated process: a click on the button. Waiting for the synchronization to take place is not an option. We are automating this, right?! Therefore my colleague Marco van Baggum (#vMBaggum blog) came up with the idea to automate the synchronization of the Identity Manager. In a shady corner Marco found the necessary API calls and off we go!

The first step is to create a new HTTP-REST endpoint in vRO. Run the workflow “Add a REST host” located at Library / HTTP-REST / Configuration and use the following settings:

Name vRA
URL https://<vRA FQDN>/ e.g. https://itqlab-vra.itqlab.local/
Authentication NONE

* The other settings depend on how vRA is set up and how vRO connects to it.

A new endpoint should now appear under the HTTP-REST plugin in the inventory. Right-click this endpoint and run the workflow that adds a REST operation, once for each of the operations below.

Name Get Directories
Method GET
URL template /SAAS/t/{tenant}/jersey/manager/api/connectormanagement/directoryconfigs

Name Get Directory Sync Executions
Method GET
URL template /SAAS/jersey/manager/api/connectormanagement/directoryconfigs/{directoryId}/syncexecutions

Name Invoke Directory Sync
Method POST
Content-type application/json
URL template /SAAS/jersey/manager/api/connectormanagement/directoryconfigs/{directoryId}/syncprofile/sync

Name Login
Method POST
Content-type application/json
URL template /SAAS/t/{tenant}/API/1.0/REST/auth/system/login

The images below show the configured operations in vRO.

Now that the endpoint and operations are created, import the workflow package attached to this post (nl.itq.psi.vidm Workflows).

When the workflow package is imported, open the Configuration Elements tab and edit the Endpoints configuration element located under the ITQ folder. Select the correct HTTP-REST endpoint and REST operations, and enter the username, password and tenant used to connect to vRA. As a side note, these API calls only work with a vRA local account; domain accounts will throw an “Invalid Credentials” error. Make sure that the user has the rights to execute a Directory Sync in vRA.

Now go back to the workflow overview and expand ITQ / PSI / VIDM / Helpers. You should see the same overview as in the image below.

vRO Workflow structure

Now execute the “Synchronize active directory” workflow and the synchronization will start!
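As an added example (not the workflow package from this post), the Python below sequences the four operations configured above the way the workflow does: log in with the local account, list the directories, trigger each sync and poll its executions until it finishes. The login body keys, the Bearer header and the response fields sessionToken, items, directoryId and status are assumptions, because the post does not document the payloads; the fake transport is constructed so the script runs offline.

```python
# URL templates copied from the post; {tenant} and {directoryId} are filled in per call.
LOGIN_URL = "/SAAS/t/{tenant}/API/1.0/REST/auth/system/login"
DIRS_URL = "/SAAS/t/{tenant}/jersey/manager/api/connectormanagement/directoryconfigs"
SYNC_URL = "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/{directoryId}/syncprofile/sync"
EXEC_URL = "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/{directoryId}/syncexecutions"
# A "transport" is any callable (method, path, headers, json_body) -> (status, json_body); wire one to
# the real host with requests/urllib (TLS verification on), or use the constructed fake at the bottom.
def login(t, tenant, user, password):
    # ASSUMPTION: the body keys and the "sessionToken" response field; the post does not show them.
    status, body = t("POST", LOGIN_URL.format(tenant=tenant), {"Content-Type": "application/json"},
                     {"username": user, "password": password, "tenant": tenant})
    if status != 200 or not body.get("sessionToken"):
        raise RuntimeError("login failed (HTTP %d); a local vRA account is required" % status)
    return body["sessionToken"]

def auth(token):  # ASSUMPTION: Bearer scheme, after the post's "Get Bearer Token" workflow name
    return {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
def sync_directory(t, token, directory_id, max_polls=30):
    status, _ = t("POST", SYNC_URL.format(directoryId=directory_id), auth(token), {})
    if status not in (200, 202):
        raise RuntimeError("sync of %s rejected (HTTP %d)" % (directory_id, status))
    for _ in range(max_polls):  # bounded poll; the vRO workflow sleeps sleepTime between checks
        status, body = t("GET", EXEC_URL.format(directoryId=directory_id), auth(token), None)
        latest = (body.get("items") or [{}])[0]  # ASSUMPTION: newest execution is listed first
        if latest.get("status") in ("COMPLETED", "FAILED"):
            return latest["status"]
    return "TIMEOUT"

def sync_all(t, tenant, user, password):
    # Log in, list the directories, trigger and await each sync; returns {directoryId: status}.
    token = login(t, tenant, user, password)
    status, body = t("GET", DIRS_URL.format(tenant=tenant), auth(token), None)
    if status != 200:
        raise RuntimeError("cannot list directories (HTTP %d)" % status)
    ids = [d["directoryId"] for d in body.get("items", [])]  # ASSUMPTION: response field names
    return {d: sync_directory(t, token, d) for d in ids}

def make_fake_transport():
    """Constructed stand-in for vRA: one directory whose sync reports RUNNING once, then COMPLETED."""
    polls = [0]
    def fake(method, path, headers, body):
        if path.endswith("/auth/system/login"):  # a token only for the expected local account
            return (200, {"sessionToken": "tok"}) if body.get("password") == "s3cret" else (401, {})
        if headers.get("Authorization") != "Bearer tok":  # every later call must carry the token
            return 401, {}
        if path.endswith("/directoryconfigs"):
            return 200, {"items": [{"directoryId": "dir-1"}]}
        if path.endswith("/syncexecutions"):
            polls[0] += 1
            return 200, {"items": [{"status": "RUNNING" if polls[0] < 2 else "COMPLETED"}]}
        return 200, {}  # the POST to .../syncprofile/sync is accepted
    return fake
```

Calling `sync_all(make_fake_transport(), "vsphere.local", "svc-sync", "s3cret")` walks the whole sequence and returns `{"dir-1": "COMPLETED"}`; a wrong password or a missing token raises instead of silently continuing.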

vRO Workflow execution

Please note that these workflows are not production-ready yet and bugs may exist!

Download nl.itq.psi.vidm Workflows!

About the author

Olivier Bootsma

Olivier has been an automation consultant at ITQ since 2015. Before that, he worked for Atos on the automation of the Canopy Cloud solutions. Olivier touched VMware products for the first time in 2011 and has been a fan ever since. Today his expertise is mainly focused on automation with VMware products and on designing and implementing the logic that the business requires.

9 comments

  • Fantastic job!
    I wanted to do an onboarding service in vRA but needed to automatically refresh the vIDM to have my user added to the new AD group.
    You saved my life!!

    BTW: where did you get these URL templates?

  • Hello Dear,

    Thanks for the great efforts, but I tried it and it is not working 🙁
    I got the error: TypeError: Cannot find function getHeaderParameters in object notfound. (Workflow:Get Bearer Token / Execute REST Call (item1)#13):

    Could you please help???

  • Hello Dear,

    Could you please add the step below as a screenshot, since I couldn’t reach it:

    open the Configuration Elements tab and edit the Endpoints configuration element located under the ITQ folder. Select the correct HTTP-REST endpoint and REST-Operations, insert the correct username, password and tenant to connect to vRA

    Waiting for your kind feedback.
    Thank you in advance 🙂

      • Hello Dear,
        Thank you for your continuous support.
        I tried and I got the error below; could you please help.
        *********************************************************************************************************************
        [2018-03-14 11:43:04.403] [I] Trying to: Acquire lock [540af7f66164bd02016223ad53105726] for this workflow.
        [2018-03-14 11:43:04.410] [I] Lock [540af7f66164bd02016223ad53105726] acquired for this workflow.
        [2018-03-14 11:43:04.450] [E] Error in (Workflow:Get Bearer Token / Execute REST Call (item1)#13) TypeError: Cannot find function getHeaderParameters in object DynamicWrapper (Instance) : [RESTOperation]-[class com.vmware.o11n.plugin.rest.RESTOperation] — VALUE : Login 2aae00d5-2f4c-4113-b045-e9466fe3ca1b /SAAS/t/{tenant}/API/1.0/REST/auth/system/login POST 1 application/json.
        [2018-03-14 11:43:04.462] [I] Trying to: Release lock [540af7f66164bd02016223ad53105726] for this workflow.
        [2018-03-14 11:43:04.467] [I] Lock [540af7f66164bd02016223ad53105726] released for this workflow.
        [2018-03-14 11:43:04.483] [E] Workfow execution stack:
        ***
        item: ‘Synchronize active directory/item7’, state: ‘failed’, business state: ‘null’, exception: ‘TypeError: Cannot find function getHeaderParameters in object DynamicWrapper (Instance) : [RESTOperation]-[class com.vmware.o11n.plugin.rest.RESTOperation] — VALUE : Login 2aae00d5-2f4c-4113-b045-e9466fe3ca1b /SAAS/t/{tenant}/API/1.0/REST/auth/system/login POST 1 application/json. (Workflow:Get Bearer Token / Execute REST Call (item1)#13)’
        workflow: ‘Synchronize active directory’ (d1dead0d-26e1-4415-a1b9-5c3e4fce1787)
        | ‘attribute’: name=sessionToken type=string value=null
        | ‘attribute’: name=directoryIds type=Array/string value=__NULL__
        | ‘attribute’: name=directoryId type=string value=
        | ‘attribute’: name=sleepTime type=number value=2.0
        | ‘attribute’: name=errorCode type=string value=TypeError: Cannot find function getHeaderParameters in object DynamicWrapper (Instance) : [RESTOperation]-[class com.vmware.o11n.plugin.rest.RESTOperation] — VALUE : Login 2aae00d5-2f4c-4113-b045-e9466fe3ca1b /SAAS/t/{tenant}/API/1.0/REST/auth/system/login POST 1 application/json. (Workflow:Get Bearer Token / Execute REST Call (item1)#13)
        | ‘no inputs’
        | ‘no outputs’
        *** End of execution stack.
        ************************************************************************************************************************
