Setting LDAP Synchronization via Cloud Director API

Setting LDAP Synchronization settings via Cloud Director API

3 years ago


After some changes were made in the domain (some users were added), the automatic LDAP synchronization no longer synchronized correctly.

There is a known issue for this behaviour, and we can fix it with Postman and the REST API. To set the LDAP synchronization options via the Cloud Director API, perform these steps:

Log into the Cloud Director API as a System Administrator:


POST  https://vcloud-director-fqdn/cloudapi/1.0.0/sessions/provider


 Accept: application/json;version=34.0    
 Authorization:  Basic (Encoded username@system / password)

You can use environments and tests in Postman as a more convenient way to store the token and the vCD FQDN:

var bearer = postman.getResponseHeader("x-vmware-vcloud-access-token");
postman.setEnvironmentVariable("X-VMWARE-VCLOUD-ACCESS-TOKEN", bearer); // store the token for later requests

[Screenshots: test in the POST auth request; environment in Postman; headers, authorization and tests of the POST auth request to the vCD API]

In subsequent requests you can use a Bearer token that references the variable {{X-VMWARE-VCLOUD-ACCESS-TOKEN}}.

[Screenshot: Bearer token for requests]

We can get the current LDAP synchronization settings with the following request:


GET  https://vcloud-director-fqdn/api/admin/extension/settings/general


 Accept: application/*+xml;version=34.0
 Authorization:  Bearer {{X-VMWARE-VCLOUD-ACCESS-TOKEN}}

Note in the response the values given for the LDAP synchronization settings, for example:


Take the entire XML response from the above and change only these synchronization settings to the desired values, for example:


WARNING! Do not change any other parts of the XML which pertain to other System settings!

Put back this entire XML which includes our changes:


PUT  https://vcloud-director-fqdn/api/admin/extension/settings/general


 Accept: application/*+xml;version=34.0
 Content-Type: application/vnd.vmware.admin.generalSettings+xml
 Authorization:  Bearer {{X-VMWARE-VCLOUD-ACCESS-TOKEN}}

Request Body:

Entire edited XML from GET in previous steps.

[Screenshot: body of the PUT request with SyncStartDate and SyncIntervalInHours changed for the LDAP sync settings]

If everything goes well, we will get a 200 OK status.

[Screenshot: Accept and Content-Type headers]
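
The edit step above, as an added example that is not code from the original post: plain JavaScript that builds the PUT body from the GET body by changing only SyncStartDate and SyncIntervalInHours, and a guard that confirms nothing else differs before the body is sent. The sample XML (namespace, neighbouring elements, values), the function names and the rule that the interval is at least 1 hour are assumptions made for illustration.

```javascript
// Constructed, trimmed stand-in for the GET .../settings/general response.
// Only SyncStartDate and SyncIntervalInHours are named on the page; the other
// elements, the namespace and all values are placeholders.
const SAMPLE_XML = `<?xml version="1.0" encoding="UTF-8"?>
<vmext:GeneralSettings xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5">
    <vmext:SessionTimeoutMinutes>30</vmext:SessionTimeoutMinutes>
    <vmext:SyncStartDate>2021-04-09T11:21:17.034Z</vmext:SyncStartDate>
    <vmext:SyncIntervalInHours>24</vmext:SyncIntervalInHours>
    <vmext:InstallationId>1</vmext:InstallationId>
</vmext:GeneralSettings>`;

const SYNC_ELEMENTS = ["SyncStartDate", "SyncIntervalInHours"];

// Replace the text of exactly one <prefix:name>text</prefix:name> element and
// leave every other byte of the document untouched. Fails closed when the
// element is missing or appears more than once.
function setElementText(xml, name, value) {
  const re = new RegExp(
    `(<((?:[\\w.-]+:)?${name})(?:\\s[^>]*)?>)([^<]*)(</\\2\\s*>)`, "g");
  const hits = xml.match(re) || [];
  if (hits.length !== 1) {
    throw new Error(`expected exactly one <${name}>, found ${hits.length}`);
  }
  return xml.replace(re, (_all, open, _tag, _old, close) => open + value + close);
}

// Build the PUT body from the GET body, changing only the two sync settings.
function setLdapSync(xml, startDateIso, intervalHours) {
  if (!Number.isInteger(intervalHours) || intervalHours < 1) {
    throw new Error("interval must be a positive whole number of hours");
  }
  if (!/^[\dT:.Z+-]+$/.test(startDateIso) || Number.isNaN(Date.parse(startDateIso))) {
    throw new Error("start date must be an ISO 8601 timestamp");
  }
  let out = setElementText(xml, "SyncStartDate", startDateIso);
  out = setElementText(out, "SyncIntervalInHours", String(intervalHours));
  return out;
}

// Guard to run before sending the PUT: with the two sync values blanked out,
// the GET body and the PUT body must be identical.
function onlySyncChanged(before, after) {
  const mask = (x) => SYNC_ELEMENTS.reduce((s, n) => setElementText(s, n, ""), x);
  return mask(before) === mask(after);
}
```

Keeping the untouched GET body next to the edited one also gives a rollback copy if the PUT has to be reverted.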

Verify in the VCD database whether the times have changed for the task, using the following SQL query:

select client_activity_name, last_execution_time, next_execution_time from scheduled_activity_jobs where client_activity_name like '%Ldap%';

[Screenshots: pgAdmin and Postman output for the executed queries; LDAP settings in the web interface after updating the settings via the API]

You can also get details of the Cell this Job should be running on using the following SQL query:

-- the column list is not shown on the page; * returns every column of the joined rows
select *
from activity
left join scheduled_activity_jobs on scheduled_activity_jobs.job_handle = activity.state_handle
left join cells on activity.running_on like '%'||cells.instance_id
where scheduled_activity_jobs.client_activity_name like '%LdapSyncJob%'
order by activity.running_on;

[Screenshot: result of the SQL query to get info on the Cell that will run the LDAP sync Job]

The Cell Management Tool can also be used on Cells to verify if the Job is present:

root@vcdlab1197 [ ~ ]# /opt/vmware/vcloud-director/bin/cell-management-tool cell -i $(service vmware-vcd pid cell) -tt | grep LdapSyncJob
| c0011945-e9f6-3eb4-8ec4-357e3f2027ee | 2021-04-09 11:21:17.034 | 2021-04-09 23:21:17.033 | STATUS_QUEUED   | LdapSyncJob                  |
root@vcdlab1197 [ ~ ]#
Alexey Koznov
