As you all know, currently – even with vCenter – there is no serious linking between the ESX list of users and the users in Active Directory. So even if you enable support for AD using PAM – you still have to manually add users to ESX and manually remove users from ESX. All that VMware’s PAM does is allow you to authenticate against AD – which at least offers a single place for VMware “users” to change their passwords.
I’ve been working with a script from www.vmguru.com – which can create and delete users from ESX as they are created in AD. I haven’t had great success so far – but I’m sure this is down to me more than anything. Anyway, I have been liaising with Steve Beaver (the creator of the script) to troubleshoot it. When I have the setup down pat – I will document it – and post to the group.
Meanwhile – it has come to my attention that there is software which is commercially available – which can do all this and more. From a cost/benefit perspective it might not be worthwhile, but I have asked for an evaluation copy and I will let you know my findings. The company I’m dealing with is www.centrify.com.