Provide a scripted method to create a script to bulk modify permissions in vpx_access.

• After changing Identity sources from IWA, ADFS MFA the identity source is used as an alias, and the permissions have to be recreated because the MFA only recognized the FQDN of the AD domain name and not the alias version so all permissions need to be recreated for that domain.

  • After reconfiguring the vCenter to use ADFS, there is a need to modify all permissions from DOMAIN\XXX to FULLDOMAIN\XXX in order for them to work.

Important: Before proceeding, please make sure to take a proper snapshot of the VCSA. If the VCSA is in linked mode (ELM), take offline snapshots of all linked VCSAs.

Python script ("fixalias.py")

Note: This script will prompt for the ALIAS and the DOMAIN information needed to Normalize in order to fix the Permissions issue for ADFS/LDAP.

If there are object_x_x_x-level permissions with the wrong/mismatching ALIAS(s) in the vCenter (NOT GLOBAL PERMISSIONS), this script can find and change existing ALIAS(s) in the vpx_access table of the VCDB to match the given ALIAS/DOMAIN Name.

The script will also run pg_dump to create a unique plain format dump of the vpx_access table for extra safety measure; however restoring it back involves dropping or truncating the table.

Instruction steps:

1. Ensure proper SNAPSHOTS and/or BACKUPS have been taken of the VCSA VM.

2. Connect to VCSA via SSH as root user.

3. Upload script to the VCSA (e.g. WinSCP, etc.).

4. Stop the "vpxd" service before performing any maintenance on the VCDB.

   • service-control --stop vmware-vpxd

5. Run the following command to confirm what principals (Domain/Alias) currently listed in VCDB table.
   

   /opt/vmware/vpostgres/current/bin/psql -U postgres VCDB -c "select * from vpx_access;"

6. Run the script.

   python fixalias.py

   Note: To proceed with script, "Y" is case sensitive.
   
   
7. Provide the correct ALIAS (or DOMAIN) to convert and the NEW ALIAS to convert to when prompted
   
   Ex: ALIAS (or DOMAIN)="primary" (or "primary.domain.com" if needing to change from full domain back to an Alias)
   
   
   Note: The Domain/Alias are case sensitive when making the change (e.g., "primary" is different than "PRIMARY"). If is listed as lowercase, it will not be found by the script if using uppercase. For example, it will allow for changing from lower case to uppercase of same principle (Domain/Alias). Logging into the vSphere client using with upper or lower case of alias works; the UI does not care what the case of text is in the VCDB table.
   
   
8. Verify all principals were normalized by running the following command again.

    /opt/vmware/vpostgres/current/bin/psql -U postgres VCDB -c "select * from vpx_access;"

9. Restart VPXD.

   service-control --start vmware-vpxd

10. The new domain permissions should be reflected in the UI.