The dir-cli utility supports creation and updates to solution users, account management, and management of certificates and passwords in VMware Directory Service (vmdir). You can also use dir-cli to manage and query the domain functional level of Platform Services Controller instances.

dir-cli nodes list

Lists all vCenter Server system for the specified Platform Services Controller instance.

Option

Description

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

--server <psc_ip_or_fqdn>

Use this option if you do not want to target the affinitized Platform Services Controller. Specify the IP address or FQDN of the Platform Services Controller;

dir-cli computer password-reset

Enables you to reset the password of the machine account in the domain. This option is useful if you have to restore a Platform Services Controller instance.

Option

Description

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

--live-dc-hostname <server name>

Current name of the Platform Services Controller instance.

dir-cli service create

Creates a solution user. Primarily used by third-party solutions.

Option

Description

--name <name>

Name of the solution user to create

--cert <cert file>

Path to the certificate file. This can be a certificate signed by VMCA or a third-party certificate.

--ssogroups <comma-separated-groupnames>

Makes the solution user a member of the specified groups.

--wstrustrole <ActAsUser>

Makes the solution user a member of the built-in administrators or users group. In other words, determines whether the solution user has administrative privileges.

--ssoadminrole <Administrator/User>

Makes the solution user a member of the ActAsUser group. The ActAsUser role enables users to act on behalf of other users.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli service list

List the solution users that dir-cli knows about.

Option

Description

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli service delete

Delete a solution user in vmdir. When you delete the solution user, all associated services become unavailable to all management nodes that use this instance of vmdir.

Option

Description

--name

Name of the solution user to delete.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli service update

Updates the certificate for a specified solution user, that is, collection of services. After running this command, VECS picks up the change after 5 minutes, or you can use vecs-cli force-refresh to force a refresh.

Option

Description

--name <name>

Name of the solution user to update .

--cert <cert_file>

Name of the certificate to assign to the service.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user create

Creates a regular user inside vmdir. This command can be used for human users who authenticate to vCenter Single Sign-On with a user name and password. Use this command only during prototyping.

Option

Description

--account <name>

Name of the vCenter Single Sign-On user to create.

--user-password <password>

Initial password for the user.

--first-name <name>

First name for the user.

--last-name <name>

Last name for the user.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user modify

Deletes the specified user inside vmdir.

Option

Description

--account <name>

Name of the vCenter Single Sign-On user to delete.

--password-never-expires

Set this option to true if you are creating a user account for automated tasks that have to authenticate to Platform Services Controller, and you want to ensure that the tasks do not stop running because of password expiration.

Use this option with care.

--password-expires

Set this option to true if you want to revert the --password-never-expires option.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user delete

Deletes the specified user inside vmdir.

Option

Description

--account <name>

Name of the vCenter Single Sign-On user to delete.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli user find-by-name

Finds a user inside vmdir by name. The information that this command returns depends on what you specify in the --level option.

Option

Description

--account <name>

Name of the vCenter Single Sign-On user to delete.

--level <info level 0|1|2>

Returns the following information:

  • Level 0 - Account and UPN

  • Level 1 - level 0 info + First and last name

  • Level 2 : level 0 + Account disabled flag, Account locked flag, Password never expires flag, password expired flag and password expiry flag.

The default level is 0.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli group modify

Adds a user or group to an already existing group.

Option

Description

--name <name>

Name of the group in vmdir.

--add <user_or_group_name>

Name of the user or group to add.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli group list

Lists a specified vmdir group.

Option

Description

--name <name>

Optional name of the group in vmdir. This option allows you to check whether a specific group exists.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli ssogroup create

Create a group inside the local domain (vsphere.local by default).

Use this command if you want to create groups to manage user permissions for the vCenter Single Sign-On domain. For example, if you create a group and then add it to the Administrators group of the vCenter Single Sign-On domain, then all users that you add to that group have administrator permissions for the domain.

It is also possible to give permissions to vCenter inventory objects to groups in the vCenter Single Sign-On domain. See the vSphere Security documentation.

Option

Description

--name <name>

Name of the group in vmdir. Maximum length is 487 characters.

--description <description>

Optional description for the group.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli trustedcert publish

Publishes a trusted root certificate to vmdir.

Option

Description

--cert <file>

Path to certificate file.

--crl <file>

This option is not supported by VMCA.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

--chain

Specify this option if you are publishing a chained certificate. No option value is needed.

dir-cli trustedcert publish

Publishes a trusted root certificate to vmdir.

Option

Description

--cert <file>

Path to certificate file.

--crl <file>

This option is not supported by VMCA.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

--chain

Specify this option if you are publishing a chained certificate. No option value is needed.

dir-cli trustedcert unpublish

Unpublishes a trusted root certificate currently in vmdir. Use this command, for example, if you added a different root certificate to vmdir that is now the root certificate for all other certificates in your environment. Unpublishing certificates that are no longer in use is part of hardening your environment.

Option

Description

--cert-file <file>

Path to the certificate file to unpublish

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli trustedcert list

Lists all trusted root certificates and their corresponding IDs. You need the certificate IDs to retrieve a certificate with dir-cli trustedcert get.

Option

Description

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli trustedcert get

Retrieves a trusted root certificate from vmdir and writes it to a specified file.

Option

Description

--id <cert_ID>

ID of the certificate to retrieve. The dir-cli trustedcert list command shows the ID.

--outcert <path>

Path to write the certificate file to.

--outcrl <path>

Path to write the CRL file to. Not currently used.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli password create

Creates a random password that meets the password requirements. This command can be used by third-party solution users.

Option

Description

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli password reset

Allows an administrator to reset a user's password. If you are a non-administrator user who wants to reset a password, use dir-cli password change instead.

Option

Description

--account

Name of the account to assign a new password to.

--new

New password for the specified user.

--login <admin_user_id>

The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.

--password <admin_password>

Password of the administrator user. If you do not specify the password, you are prompted.

dir-cli password change

Allows a user to change their password. You must be the user who owns the account to make this change. Administrators can use dir-cli password reset to reset any password.

Option

Description

--account

Account name.

--current

Current password of the user who owns the account.

--new

New password of the user who owns the account.