Ansible – VMware Identity Manager – how to change user attributes – Part#2.

In the previous post i described how to deploy VMware Identity Manager through vRealize Lifecycle Manager using Ansible. vIDM is up and ready to go so let’s go little bit further and do one of the many configuration steps . Before configuring the Directory Services and the VMware Identity Manager settings, it can happen that you will need to make some configuration changes in your VMware Identity Manager to ensure your Active Directory users are imported and mapped properly based on our configuration. What i mean in this case is User Attributes:

As you already noticed, four user attributes are required by default:





Users missing a required attribute in their profile (in Active Directory) are not synced to the VMware Identity Manager service.

Ok so how to disable these (or enable – up to you) in a automatic way using Ansible of course? Below example shows how to disable Email attribute. To achieve a goal i made a friend with jq – a tool to filter JSON data.

And again i will use role tmp-createVidm but this time task name is vidmConfig.yml.

Let’s describe a variables:

vidmFqdn: myVidmFqdn     #clear enough i think- provide proper value
vidmRestApiUserAttr: /SAAS/jersey/manager/api/vidm/userattributedefinitions
bearerToken: mySessionToken     #provide proper value
attrJsonFile: /tmp/attr.json    #file will contain user attributes
targetUser: admin    #provide proper value

Variables are ready so the first step is to list all user attributes that are currently set up as required and save it as a json file.

- name: List all user attributes
    url: "https://{{ vidmFqdn }}/{{ vidmRestApiUserAttr }}?includeExtendedAttrs=true"
    method: GET
    validate_certs: no
      Authorization: "Bearer {{ bearerToken }}"
      Content-Type: "application/vnd.vmware.horizon.manager.vidm.userattributedefinitions.list+json"
    return_content: yes
    status_code: 200
    dest: "{{ attrJsonFile }}"
  register: userAtrrResult

This is how our json file looks like. Pay attention on the item value. We are going to disable Email attribute (changing reuired to false) so we will focus on item #5.

Change json file owner if needed:

- name: Change file owner
    path: "{{ attrJsonFile }}"
    owner: "{{ targetUser }}"
    group: "{{ targetUser }}"
    mode: 0644

Now we have set facts for jq:

choicesKey – what we want to change;

choicesValue: new value – in this case ‘false’ to disable Email attribute;

jsonFile: file created in previous step.

- set_fact:
    choicesKey: ".items[5].required"
    choicesValue: "false"
    jsonFile: "{{ attrJsonFile }}"

In these two steps (thanks to jq) the magic happens:

- name: Modify atrr.json file
  command: >
    jq "{{choicesKey}}=\"{{choicesValue}}\"" "{{jsonFile}}"
  register: json

- debug:
    var: json.stdout
- name: Change user attribute Email to non-required
    url: "https://{{ vidmFqdn }}/{{ vidmRestApiUserAttr }}?includeExtendedAttrs=true"
    method: PUT
    validate_certs: no
      Authorization: "Bearer {{ bearerToken }}"
      Content-Type: "application/vnd.vmware.horizon.manager.vidm.userattributedefinitions.list+json"
    return_content: yes
    body_format: json
    body: "{{ json.stdout }}"
    status_code: 201
  register: result

- debug:
    var: result
    verobosity: 1

As you noticed we sent in PUT request all attributes. I mean i couldn’t find a way to send just this one edited attribute. That’s why i used jq.

And my playbook looks like this:

- name: vIDM configuration - change user attributes.
  hosts: localhost
  gather_facts: false
  become: yes

    - name: "Running role: createVidm "
        name: tmp-createVidm
        tasks_from: vidmConfig.yml
      run_once: yes

That’s it. If you know how to do that much easier way i’ll be more than welcome to read about this.