The dir-cli utility supports creation and updates to solution users, account management, and management of certificates and passwords in VMware Directory Service (vmdir). You can also use dir-cli to manage and query the domain functional level of Platform Services Controller instances.

dir-cli nodes list

Lists all vCenter Server systems for the specified Platform Services Controller instance.

Option

Description

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

--server <psc_ip_or_fqdn>

Use this option if you do not want to target the affinitized Platform Services Controller. Specify the IP address or FQDN of the Platform Services Controller.

dir-cli domain-functional-level get

Retrieve the domain functional level for the specified Platform Services Controller.

Option

Description

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

--server <psc_ip_or_fqdn>

Use this option if you do not want to target the affinitized Platform Services Controller. Specify the IP address or FQDN of the Platform Services Controller.

--domain-name <domain_name>

Optional name of the domain in which the Platform Services Controller is running.

dir-cli domain-functional-level set

Explicitly set the domain functional level for the specified Platform Services Controller. The domain functional level is set automatically as part of installation. If you are upgrading your environment, run this command to set the level to 2. Run the command on one of the Platform Services Controller instances after all nodes are upgraded to vSphere 6.5.

Note:

You cannot change the domain functional level of a Platform Services Controller 6.0 or earlier instance to 2.

Option

Description

--level <level>

Level for the Platform Services Controller.

Use 2 to explicitly set the level after an upgrade, for example, because you want to use Platform Services Controller high availability.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

--server <psc_ip_or_fqdn>

Use this option if you do not want to target the affinitized Platform Services Controller. Specify the IP address or FQDN of the Platform Services Controller.

--domain-name <domain_name>

Optional name of the domain in which the Platform Services Controller is running.

dir-cli list-domain-versions

Lists the domain functional level of each Platform Services Controller in the current domain or in the domain that is specified by --domain-name <domain_name>. Also lists the highest domain functional level that is possible for that domain.

Run this command before you run dir-cli domain-functional-level set to make sure it is possible to change the DFL.

Option

Description

--level <level>

Level for the Platform Services Controller. Use 2 to explicitly set the level after an upgrade. Use 1 if you explicitly want to downgrade your environment, for example, because you want to use an external Platform Services Controller.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

--server <psc_ip_or_fqdn>

Use this option if you do not want to target the affinitized Platform Services Controller. Specify the IP address or FQDN of the Platform Services Controller.

--domain-name <domain_name>

Optional name of the domain in which the Platform Services Controller is running.
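As an added example (not VMware's code), a small Python preflight that encodes the rule above: level 2 is only possible once every node is on vSphere 6.5, so the set command is refused while any 6.0-or-earlier node remains. The node inventory is constructed, the host names are placeholders, and the admin password is deliberately left off the command line so that dir-cli prompts for it.

```python
# Added example, not part of the dir-cli documentation. Preflight for
# "dir-cli domain-functional-level set --level 2": every node must already
# be on 6.5, because a Platform Services Controller on 6.0 or earlier
# cannot be moved to level 2. The inventory is constructed; in practice it
# comes from "dir-cli list-domain-versions" (its output format is not
# assumed here, the operator supplies (node, version) pairs).
import subprocess
from typing import Callable, Iterable, List, Optional, Tuple

MIN_VERSION_FOR_LEVEL_2 = (6, 5)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.5.0' or '6.0' into a comparable tuple of integers."""
    return tuple(int(part) for part in text.strip().split("."))


def nodes_blocking_level_2(nodes: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the names of nodes older than 6.5; each one blocks --level 2."""
    return [name for name, ver in nodes
            if parse_version(ver)[:2] < MIN_VERSION_FOR_LEVEL_2]


def build_set_dfl_argv(level: int, login: str,
                       server: Optional[str] = None) -> List[str]:
    """Build the dir-cli argv. --password is omitted on purpose: dir-cli
    prompts for it, so it never shows up in ps output or shell history."""
    if level not in (1, 2):
        raise ValueError("the documentation describes only levels 1 and 2")
    argv = ["dir-cli", "domain-functional-level", "set",
            "--level", str(level), "--login", login]
    if server:
        argv += ["--server", server]
    return argv


def raise_domain_functional_level(nodes: Iterable[Tuple[str, str]], login: str,
                                  server: Optional[str] = None,
                                  run: Callable = subprocess.run):
    """Refuse to run the set command while any node is below 6.5."""
    blockers = nodes_blocking_level_2(nodes)
    if blockers:
        raise RuntimeError("upgrade these nodes first: " + ", ".join(blockers))
    return run(build_set_dfl_argv(2, login, server), check=True)


if __name__ == "__main__":
    # Constructed inventory with placeholder hosts: the 6.0 node blocks the change.
    inventory = [("psc01.example.invalid", "6.5.0"), ("psc02.example.invalid", "6.0.0")]
    print("blocking nodes:", nodes_blocking_level_2(inventory))
```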

dir-cli computer password-reset

Enables you to reset the password of the machine account in the domain. This option is useful if you have to restore a Platform Services Controller instance.

Option

Description

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

--live-dc-hostname <server name>

Current name of the Platform Services Controller instance.

dir-cli service create

Creates a solution user. Primarily used by third-party solutions.

Option

Description

--name <name>

Name of the solution user to create.

--cert <cert file>

Path to the certificate file. This can be a certificate signed by VMCA or a third-party certificate.

--ssogroups <comma-separated-groupnames>

--wstrustrole <ActAsUser>

--ssoadminrole <Administrator/User>

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli service list

List the solution users that dir-cli knows about.

Option

Description

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli service delete

Delete a solution user in vmdir. When you delete the solution user, all associated services become unavailable to all management nodes that use this instance of vmdir.

Option

Description

--name

Name of the solution user to delete.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli service update

Updates the certificate for a specified solution user, that is, a collection of services. After you run this command, VECS picks up the change after 5 minutes, or you can use vecs-cli force-refresh to force a refresh.

Option

Description

--name <name>

Name of the solution user to update.

--cert <cert_file>

Name of the certificate to assign to the service.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user create

Creates a regular user inside vmdir. This command can be used for human users who authenticate to vCenter Single Sign-On with a user name and password. Use this command only during prototyping.

Option

Description

--account <name>

Name of the vCenter Single Sign-On user to create.

--user-password <password>

Initial password for the user.

--first-name <name>

First name for the user.

--last-name <name>

Last name for the user.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user modify

Modifies the specified user inside vmdir.

Option

Description

--account <name>

Name of the vCenter Single Sign-On user to modify.

--password-never-expires

Set this option to true if you are creating a user account for automated tasks that have to authenticate to Platform Services Controller, and you want to ensure that the tasks do not stop running because of password expiration.

Use this option with care.

--password-expires

Set this option to true if you want to revert the --password-never-expires option.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user delete

Deletes the specified user inside vmdir.

Option

Description

--account <name>

Name of the vCenter Single Sign-On user to delete.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user find-by-name

Finds a user inside vmdir by name. The information that this command returns depends on what you specify in the --level option.

Option

Description

--account <name>

Name of the vCenter Single Sign-On user to find.

--level <info level 0|1|2>

Returns the following information:

  • Level 0 - Account and UPN

  • Level 1 - Level 0 info + first and last name

  • Level 2 - Level 0 info + account disabled flag, account locked flag, password never expires flag, password expired flag, and password expiry flag

The default level is 0.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli group modify

Adds a user or group to an already existing group.

Option

Description

--name <name>

Name of the group in vmdir.

--add <user_or_group_name>

Name of the user or group to add.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli group list

Lists a specified vmdir group.

Option

Description

--name <name>

Optional name of the group in vmdir. This option allows you to check whether a specific group exists.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli ssogroup create

Create a group inside the local domain (vsphere.local by default).

Use this command if you want to create groups to manage user permissions for the vCenter Single Sign-On domain. For example, if you create a group and then add it to the Administrators group of the vCenter Single Sign-On domain, then all users that you add to that group have administrator permissions for the domain.

It is also possible to give permissions to vCenter inventory objects to groups in the vCenter Single Sign-On domain. See the vSphere Security documentation.

Option

Description

--name <name>

Name of the group in vmdir. Maximum length is 487 characters.

--description <description>

Optional description for the group.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli trustedcert publish

Publishes a trusted root certificate to vmdir.

Option

Description

--cert <file>

Path to certificate file.

--crl <file>

This option is not supported by VMCA.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

--chain

Specify this option if you are publishing a chained certificate. No option value is needed.

dir-cli trustedcert unpublish

Unpublishes a trusted root certificate currently in vmdir. Use this command, for example, if you added a different root certificate to vmdir that is now the root certificate for all other certificates in your environment. Unpublishing certificates that are no longer in use is part of hardening your environment.

Option

Description

--cert-file <file>

Path to the certificate file to unpublish.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli trustedcert list

Lists all trusted root certificates and their corresponding IDs. You need the certificate IDs to retrieve a certificate with dir-cli trustedcert get.

Option

Description

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli trustedcert get

Retrieves a trusted root certificate from vmdir and writes it to a specified file.

Option

Description

--id <cert_ID>

ID of the certificate to retrieve. The dir-cli trustedcert list command shows the ID.

--outcert <path>

Path to write the certificate file to.

--outcrl <path>

Path to write the CRL file to. Not currently used.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli password create

Creates a random password that meets the password requirements. This command can be used by third-party solution users.

Option

Description

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli password reset

Allows an administrator to reset a user's password. If you are a non-administrator user who wants to reset a password, use dir-cli password change instead.

Option

Description

--account

Name of the account to assign a new password to.

--new

New password for the specified user.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli password change

Allows a user to change their password. You must be the user who owns the account to make this change. Administrators can use dir-cli password reset to reset any password.

Option

Description

--account

Account name.

--current

Current password of the user who owns the account.

--new

New password of the user who owns the account.