Ansible – VMware Identity Manager – how to change user attributes – Part#2.
In the previous post I described how to deploy VMware Identity Manager through vRealize Lifecycle Manager using Ansible. vIDM is up and ready, so let's go a little further and automate one of its many configuration steps. Before configuring Directory Services and the VMware Identity Manager settings, you may need to adjust the vIDM user attribute definitions so that your Active Directory users are imported and mapped correctly. What I mean in this case is User Attributes:
As you have already noticed, four user attributes are required by default:
userName
lastName
firstName
email
NOTE!!!
Users missing a required attribute in their Active Directory profile are not synced to the VMware Identity Manager service at all, so a required attribute that your AD does not populate silently drops users from the sync.
So how do you disable (or enable, up to you) a required attribute automatically, with Ansible of course? The example below shows how to make the Email attribute non-required. To get there I made friends with jq, a command-line tool for filtering and editing JSON.
Again I use the role tmp-createVidm, but this time the tasks file is vidmConfig.yml.
Let's describe the variables:

```yaml
vidmFqdn: myVidmFqdn            # clear enough, I think - provide the proper value
vidmRestApiUserAttr: /SAAS/jersey/manager/api/vidm/userattributedefinitions
bearerToken: mySessionToken     # provide the proper value - see the note below
attrJsonFile: /tmp/attr.json    # file that will contain the user attributes
targetUser: admin               # provide the proper value
```

The bearer token is a credential for an administrative API: keep it out of plaintext vars files (put it in an Ansible Vault-encrypted file or pass it in at run time) and do not print it with debug tasks or in verbose output.
With the variables in place, the first step is to fetch all user attribute definitions (including extended attributes) and save them as a JSON file. validate_certs: no skips TLS certificate verification; that is acceptable only against a lab appliance with a self-signed certificate, because without verification anyone who can intercept the connection can read the bearer token. Anywhere else, trust the appliance's CA certificate and leave validation on.
```yaml
---
- name: List all user attributes
  uri:
    url: "https://{{ vidmFqdn }}{{ vidmRestApiUserAttr }}?includeExtendedAttrs=true"
    method: GET
    validate_certs: no   # lab only - see the note above
    headers:
      Authorization: "Bearer {{ bearerToken }}"
      Content-Type: "application/vnd.vmware.horizon.manager.vidm.userattributedefinitions.list+json"
    return_content: yes
    status_code: 200
    dest: "{{ attrJsonFile }}"   # the response body is also written to this file
  register: userAttrResult
```
This is how the JSON file looks (the attribute list returned by the GET). Pay attention to the position of each entry in the items array: jq indexes from zero, so .items[5] is the sixth entry. In my file that is the Email attribute, whose required value we are going to change to false. The index depends on the order in which your vIDM returns the list, so check your own file before going further.
Change the JSON file owner if needed:

```yaml
- name: Change file owner
  file:
    path: "{{ attrJsonFile }}"
    owner: "{{ targetUser }}"
    group: "{{ targetUser }}"
    mode: 0644
```
Now set the facts jq will use:
choicesKey: the path we want to change;
choicesValue: the new value, in this case false, to make the Email attribute non-required;
jsonFile: the file created in the previous step.

```yaml
- set_fact:
    choicesKey: ".items[5].required"
    choicesValue: "false"
    jsonFile: "{{ attrJsonFile }}"
```
This is where, thanks to jq, the magic happens: the filter rewrites the required field and the edited document is captured in json.stdout so it can be inspected and sent back:

```yaml
- name: Modify attr.json file
  # --argjson passes the new value as JSON, so false stays a boolean;
  # writing it inside quotes in the filter would store the string "false".
  command: >
    jq --argjson newValue '{{ choicesValue }}'
    '{{ choicesKey }} = $newValue' '{{ jsonFile }}'
  register: json

- debug:
    var: json.stdout
```
```yaml
- name: Change user attribute Email to non-required
  uri:
    url: "https://{{ vidmFqdn }}{{ vidmRestApiUserAttr }}?includeExtendedAttrs=true"
    method: PUT
    validate_certs: no   # lab only - see the note above
    headers:
      Authorization: "Bearer {{ bearerToken }}"
      Content-Type: "application/vnd.vmware.horizon.manager.vidm.userattributedefinitions.list+json"
    return_content: yes
    body_format: json
    body: "{{ json.stdout }}"   # the whole, edited attribute list
    status_code: 201
  register: result

- debug:
    var: result
    verbosity: 1
```

As you noticed, the PUT request sends the complete attribute list, not only the edited attribute. I couldn't find a way to update a single attribute on its own, which is why jq is used to edit the full document before sending it back.
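An alternative to the jq step, added here as an example and not part of the original post or of the vIDM product: a small Ansible filter plugin that edits the attribute list in Python. It selects the attribute by name instead of by array position, so it survives a reordered list; it assigns a real boolean rather than the string "false" that jq produces when the value is written inside quotes; and it fails the play if the attribute is missing or appears twice. The items and required keys mirror the GET response shown above; using name as the attribute identifier, and the sample definitions at the bottom, are assumptions.

```python
"""Ansible filter plugin (added example, not from the original post).

Drop this file into a ``filter_plugins/`` directory next to the playbook and
``vidm_set_required`` / ``vidm_required_names`` become available in Jinja
expressions, replacing the set_fact + jq tasks.

Assumptions: the GET response is a dict with an ``items`` list whose entries
carry ``name`` and ``required`` keys (``required`` appears in the post;
``name`` as the identifier is assumed).
"""
import copy
import json


def vidm_set_required(definitions, attr_name, required=False):
    """Return a copy of the attribute-definition list with one attribute's
    ``required`` flag changed.

    Selecting by name instead of by position (``.items[5]`` in the jq
    version) keeps the task correct when the service returns the list in a
    different order. ``required`` must be a real bool so the PUT body carries
    ``false``, not the string ``"false"``. The input is not modified.
    """
    if not isinstance(required, bool):
        raise TypeError("required must be a bool, got %r" % (required,))
    if not isinstance(attr_name, str):
        raise TypeError("attr_name must be a str, got %r" % (attr_name,))

    result = copy.deepcopy(definitions)
    matches = [item for item in result.get("items", [])
               if item.get("name") == attr_name]
    if len(matches) != 1:
        # Fail the play loudly instead of silently PUTting an unchanged list.
        raise ValueError("expected exactly one attribute named %r, found %d"
                         % (attr_name, len(matches)))
    matches[0]["required"] = required
    return result


def vidm_required_names(definitions):
    """Sorted names of the attributes currently flagged as required; handy
    for a debug task or an assert before and after the PUT."""
    return sorted(item["name"] for item in definitions.get("items", [])
                  if item.get("required") is True)


class FilterModule(object):
    """Entry point Ansible looks for in every file under filter_plugins/."""

    def filters(self):
        return {
            "vidm_set_required": vidm_set_required,
            "vidm_required_names": vidm_required_names,
        }


# Constructed sample shaped like the GET response in the post; it is not
# real vIDM output and only the keys used above are modelled.
SAMPLE_DEFINITIONS = {
    "items": [
        {"name": "userName", "required": True},
        {"name": "lastName", "required": True},
        {"name": "firstName", "required": True},
        {"name": "email", "required": True},
        {"name": "phone", "required": False},
    ]
}


if __name__ == "__main__":
    updated = vidm_set_required(SAMPLE_DEFINITIONS, "email", False)
    print(json.dumps(updated, indent=2))
    print("still required:", vidm_required_names(updated))
```

Save it as filter_plugins/vidm_attrs.py beside the playbook. The PUT task then takes its body straight from the variable registered by the GET task, for example body: "{{ <that variable>.content | from_json | vidm_set_required('email', false) }}", with body_format: json left in place so uri serializes the dict. The set_fact, jq and file-owner tasks are no longer needed, and a debug of vidm_required_names before and after the change shows exactly which attributes remain required.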
And my playbook looks like this:

```yaml
- name: vIDM configuration - change user attributes.
  hosts: localhost
  gather_facts: false
  become: yes
  tasks:
    - name: "Running role: createVidm"
      include_role:
        name: tmp-createVidm
        tasks_from: vidmConfig.yml
      run_once: yes
```

That's it. If you know an easier way to do this, I'd be more than happy to read about it.
Cheers!!