VirtualVCP IT Virtualization

You can use esxcfg-auth to easily configure your ESX server to allow network based authentication as well as password complexity settings for your machine. It support setting up your system to do authentication against an Active Directory Server, but not user management, as well as authentication against a NIS server, a Kerberos server or an LDAP server.

Usage:

esxcfg-auth [options]

Options
     --probe
             Calling esxcfg-auth with the probe option will print your current configuration to standard out. This is useful if you want to store your
             configuration for documentation or archival purposes. If it is invoked with other options, the changes those options would make are made.
             The resulting configuration is printed to standard out. In that case, the configuration data is not written to disk, and the command is
             equivalent to a dry run.

     --enablemd5
             This option sets the system to store the password in MD5 form. The default is shadow.

     --disablemd5
             This option restores the system to default password storage, which is shadow.

     --enableshadow
             Store user passwords using shadow information. This is the default manner in which passwords are stored if no format is specified.

     --disableshadow
             This option is useful to store the password in MD5 form. If you do not enable MD5 storage, the passwords will remain in shadow form.

     --usepamqc
             Enables the use of the pam_passwdqc PAM module for password complexity checking. It can be configured by passing a 6 value tuple as the
             value. The tuple is formed from the following information:
                   - minimum length of a single character class password
                   - minimum length of a password that has characters from 2 character classes
                   - minimum number of words in a passphrase
                   - minimum length of a password that has characters from 3 character classes
                   - minimum length of a password that has characters from 4 character classes
                   - maximum number of characters reused from the previous password
                This does not fully expose the abilities of this powerful PAM module. See the pam_passwdqc man page for more information on how to use
             this PAM module to enforce password rules on the userâs password.
                If you pass a value of -1 for any of the six tuple values, that is understood as disable this option.  An example of a tuple is "-1 -1
             8 8 8 4".

     --usecrack
                Enables the use of the pam_cracklib PAM module for password complexity checking. It can be configured by passing a 6 value tuple as the
             value. The tuple is formed from the following information:
                   - number of retries given to choose a new password
                   - minimum length of the password
                   - points for lowercase letters
                   - points for uppercase letters
                   - points for digital characters
                   - points for other characters
                If you pass in a value of -1 for any of the fields in the tuple for the points in the character class, it is understood as being
             required.

     --enablead
             Sets up the Console OS to authenticate the user against an Active Directory server. addomain and addc are required with this option.

     --addomain
             Sets the domain against which the user is to be authenticated when authenticating against an Active Directory server.

     --addc  Sets the domain controller against which the userâs password should be checked.

     --disablead
             Reverts the changes required to authenticate the user against Active Directory.

     --addomain
             Sets the domain against which the user is to be authenticated when authenticating against an Active Directory server.

     --addc  Sets the domain controller against which the userâs password should be checked.

     --disablead
             Reverts the changes required to authenticate the user against Active Directory.

     --enablenis
             This option can be used to setup the Console OS to authenticate the user against a NIS server. nisserver and nisdomain are required with
             this option.

     --nisdomain
             Specifies the domain name for the NIS server against which users should be authenticated.

     --nisserver
             Specifies the IP address where the NIS server is running.

     --disablenis
             Reverts the changes required to authenticate users against NIS.

     --enablekrb5
             Allows the user to be authenticated against a Kerberos Realm. With this option, --krb5realm and --krb5kdc options are needed.

     --krb5realm
             Defines the realm  in which to authenticate the user.

     --krb5kdc
             Defines the Key Distribution Center for the Kerberos Realm.

     --krb5adminserver
             Defines the Administrative Server for the Kerberos 5 realm against which user should be checked.

     --disablekrb5
             Reverts the changes required to authenticate the user against a Keberos 5 Realm.

     --enableldap
             Enables the Console OS to attempt to get user credentials from an LDAP server.

     --enableldapauth
             Enables the Console OS to authenticate the user against an LDAP server.

     --ldapserver
             Sets the IP address of the server that is running the LDAP Directory.

     --ldapbasedn
             Sets the base DN with which to bind to the LDAP server.

     --disableldap
             Reverts the changes required to authenticate the user against an LDAP server.

Example:

Enable Active Directory Authentication for ESX:

esxcfg-auth --enablead --addomain mydomain.com --addc dc01.mydomain.com