
vRealize Automation 7 Initial Setup

vRealize Automation 7 (vRA 7) has many enhancements and improvements over vRA 6, and there are plenty of articles online covering them and the installation procedure. The initial setup of vRA 7, however, is quite different from vRA 6. Below are some notes from my own experience that can help you get a lab environment up quickly.




In the last step of the vRA 7 installation wizard I did not select the option to create initial content; the built-in initial content felt more cluttering than helpful to me. After installation, log in as Administrator; this account serves the same role as in vRA 6.

After logging in, configure the default tenant, vsphere.local.



Under Local users, add a new local user.



Under the Administrators tab, assign the newly created user to the Tenant administrators and IaaS administrators groups.



Log out and log in again as the new user. Open Administration -> Directories Management -> Directories and add an Active Directory.



I don't know why, but the Active Directory (Integrated Windows Authentication) option does not work in my environment; it always fails with the following error:

Connector communication failed because of invalid data: The specified Bind DN and password could not be used to successfully authenticate against the directory.


So I chose Active Directory over LDAP. The remaining options on this page need to be selected and filled in according to your own environment.



The next page selects the domains to synchronize; make sure the correct domain is checked.



Next comes the mapping between VMware Identity Manager attributes and Active Directory attributes. I recommend keeping the default mapping unless you need to map special Active Directory attributes into VMware Identity Manager.



On the next page you choose the groups to synchronize from Active Directory into VMware Identity Manager. It is best to select every group you might possibly use, because vRealize Automation 7 obtains account and authentication information from VMware Identity Manager rather than directly from Active Directory; this is a difference from vRA 6.

For example, my Active Directory groups live in contoso.com/Customized/Groups/, so the group distinguished name (DN) is OU=Groups,OU=Customized,DC=CONTOSO,DC=COM.

After entering the group DN, click the Find Groups button and vRA returns all the groups it found. To synchronize only specific groups, click the More than xxxx link; to synchronize all the groups found, check Select All.



Below is a screenshot of selecting specific groups after clicking More than xxx.



Once the groups to synchronize are chosen, vRA asks for the DN under which to search for user accounts. This is configured the same way as for groups.
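Both the group search DN above and the user search DN here are derived from an Active Directory container path, and the same applies to the Bind DN on the first page of the wizard. A mistyped search DN silently gives you an empty Find Groups result, and a Bind DN that is not actually a DN (a bare account name, for instance) is one common reason an LDAP simple bind is rejected. The following is an added example, not code from the original post: it converts an AD canonical path (the form Active Directory Users and Computers shows) into a DN and sanity-checks a DN against the domain being synchronized. The domain contoso.com and the Customized/Groups path come from the post; the user OU, the service account and the container names are assumptions for illustration. DN values are case-insensitive, so the lowercase DC=contoso,DC=com produced here is equivalent to the DC=CONTOSO,DC=COM written above.

```python
"""Build and sanity-check the LDAP distinguished names (DNs) that the vRA 7 /
VMware Identity Manager "Active Directory over LDAP" wizard asks for.

Added example, not code from the original post. The domain, OU layout and
service account below are constructed for illustration.
"""

import re

# Constructed sample values: contoso.com/Customized/Groups/ is the one path the
# post mentions; the user OU and the service account are assumptions.
DOMAIN = "contoso.com"
GROUPS_CANONICAL = "contoso.com/Customized/Groups/"
USERS_CANONICAL = "contoso.com/Customized/Users/"
BIND_DN = "CN=svc-vra,OU=Service Accounts,DC=contoso,DC=com"

# Well-known containers directly under the domain root are CN=, not OU=.
DEFAULT_CN_CONTAINERS = {"Users", "Computers", "Builtin", "ForeignSecurityPrincipals"}

# One RDN: an attribute type, '=', and a non-empty value.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=\S.*$")


def domain_to_base_dn(domain: str) -> str:
    """contoso.com -> DC=contoso,DC=com"""
    return ",".join(f"DC={label}" for label in domain.strip(".").split("."))


def canonical_to_dn(canonical: str) -> str:
    """Convert an AD canonical path to an LDAP DN.

    contoso.com/Customized/Groups/ -> OU=Groups,OU=Customized,DC=contoso,DC=com
    Canonical paths list containers root-first; DNs list them leaf-first.
    """
    domain, _, rest = canonical.strip("/").partition("/")
    containers = [c for c in rest.split("/") if c]
    rdns = []
    for depth, name in enumerate(containers):
        # Only the built-in containers directly under the root are CN=;
        # anything an administrator created is an organizational unit.
        attr = "CN" if depth == 0 and name in DEFAULT_CN_CONTAINERS else "OU"
        rdns.append(f"{attr}={name}")
    return ",".join(rdns[::-1] + [domain_to_base_dn(domain)])


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def check_dn(dn: str, domain: str) -> list:
    """Return the problems found with a DN destined for the wizard (empty = OK).

    Catches the usual typing mistakes: a bare account name instead of a DN,
    a malformed RDN, DC components that do not match the synchronized domain,
    or DC components that are not the trailing part of the DN.
    """
    problems = []
    rdns = split_dn(dn)
    for rdn in rdns:
        if not _RDN_RE.match(rdn):
            problems.append(f"malformed RDN {rdn!r} (expected attr=value)")
    if problems:
        return problems
    attrs = [rdn.split("=", 1)[0].upper() for rdn in rdns]
    if "DC" not in attrs:
        return ["no DC components: this is not a full DN"]
    first_dc = attrs.index("DC")
    if any(a != "DC" for a in attrs[first_dc:]):
        problems.append("DC components must be the trailing part of the DN")
    suffix = ",".join(rdns[first_dc:])
    if suffix.lower() != domain_to_base_dn(domain).lower():
        problems.append(f"DC components {suffix!r} do not match domain {domain}")
    return problems


if __name__ == "__main__":
    for label, canonical in (("groups", GROUPS_CANONICAL), ("users", USERS_CANONICAL)):
        dn = canonical_to_dn(canonical)
        print(f"{label:6s} {dn}  problems={check_dn(dn, DOMAIN)}")
    print(f"bind   {BIND_DN}  problems={check_dn(BIND_DN, DOMAIN)}")
    print(f"bad    svc-vra  problems={check_dn('svc-vra', DOMAIN)}")
```

Once the DNs pass this check, it is worth confirming the Bind DN and password outside the wizard before saving the directory, for example with ldapsearch from a Linux host (the DC hostname is a placeholder): `ldapsearch -H ldaps://dc1.contoso.com -D "CN=svc-vra,OU=Service Accounts,DC=contoso,DC=com" -W -b "OU=Groups,OU=Customized,DC=contoso,DC=com" "(objectClass=group)" cn`. Use ldaps:// (port 636) rather than plain LDAP on 389 both for this test and in the wizard: a simple bind sends the service account password in the clear, and the same account is what the connector uses for every sync afterwards.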



If the Active Directory environment is large, vRA may show a warning after you click Next; respond according to your situation.



Once the setup is complete, log in again as Administrator@vsphere.local and, under Tenants, add the Active Directory groups or users you need to each administrator group. At this point you can log in to vRealize Automation 7 with a domain account and administer it.
