HPE OneView
Mapping AD group to role mapping with REST API

 
SOLVED
BradV
Trusted Contributor

Mapping AD group to role mapping with REST API

I have defined two groups in AD for use with OneView.  One is to authenticate administrators and one for read-only folks.  When trying to perform, I used: 

USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
# Assign user in the MyGroup_OneView to Infrastructure Administrator role:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data '{ "credentials": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "MyGroup_OneView", "loginDomain": "'"${ADD}"'", "permissions": [{ "roleName": "Infrastructure Administrator" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }' \
     --request POST ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'

and get back: 

{
  "data": {},
  "nestedErrors": [,
    {
      "data": {},
      "nestedErrors": [],
      "errorSource": null,
      "recommendedActions": [ "Enter correct credentials and try again. To obtain a username or password, contact your administrator." ],
      "details": "Invalid username or password.",
      "message": "Invalid username or password.",
      "errorCode": "AUTHN_AUTH_FAIL"
    }
  ],
  "errorSource": null,
  "recommendedActions": [ "Correct the errors and try again." ],
  "details": "Valid data missing to perform enterprise group to role assignment.",
  "message": "Invalid data, missing data, or both provided for enterprise group to role assignment.",
  "errorCode": "AUTHN_LOGINDOMAIN_GROUP_ROLE_MAPPING_FOR_DOMAIN_VALIDATION_ERROR"
}

I'm not sure what invalid username or credentials it is talking about?  I gave it the correct AD username and AD password.  Is that what it is referencing, or is it the OneView login?  I do already have it joined to the AD domain.  Any ideas?

Suvamay
HPE Pro

Re: Mapping AD group to role mapping with REST API

Greetings!

Which version of oneview are you using?

Which version of PowerShell are you using?

API is rejecting your credentials. You can use the UPN (user@fqdn.com) of the account that has permissions to authenticate to the LDAP Directory.

 

Thanks

 


BradV
Trusted Contributor

Re: Mapping AD group to role mapping with REST API

Hi Suvamay,

Not using powershell.  My systems are CentOS/RHEL.  So, just using curl.  Our appliance is at 4.10.01.  Not sure how to change the user@domain?  I tried: 

ADD="ADHQ"
--data '{ "credentials": { "userName": "'"${USER}@${ADD}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "MyGroup_OneView", "loginDomain": "'"${ADD}"'","permissions": [{ "roleName": "Infrastructure Administrator" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }'

but still got back invalid username or password.

Suvamay
HPE Pro

Re: Mapping AD group to role mapping with REST API

Good Day !!

Check the below URL and follow the string.

https://github.com/HewlettPackard/POSH-HPOneView/wiki/New-HPOVLdapDirectory

 

 


BhaskarV
HPE Pro

Re: Mapping AD group to role mapping with REST API

Thanks @Suvamay  for pointing @BradV  to Powershell SDK.

Hi @BradV  -

The powershell cmdlets are very useful and easy to use and are maintained by Chris Lynch so you will get the benefits of the changes / enhancements he makes on an ongoing basis from one version of OneView to another. Not trying to sell powershell to a curl user. 

On the specific issue you are having with the curl script you are working with.
Used the same script that you pasted above.
Made relevant changes for my credentials / server etc.
One specific change was for the role name from "Infrastructure Administrator" to "Infrastructure administrator".
That makes a difference. The "role name" here is the role name you get back from GET /rest/roles API.
In OneView, rolenames are "Infrastructure administrator", "Backup administrator" etc.

#!/bin/bash

USER='firstname.lastname@hpe.com'
PASSW='xxxxxxxx@yyyyy'
ADD="mydomain"
# Assign user in the MyGroup_OneView to Infrastructure Administrator role:
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: 1000" \
--header "auth: session_id here" \
--data '{ "credentials": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "mygroup@hpe.com", "loginDomain": "'"${ADD}"'", "permissions": [{ "roleName": "Infrastructure administrator" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }' \
--request POST https://<appliance>/rest/logindomains/grouptorolemapping | jq -r '.'

Try this out and let me know. 
If you are running into any "special characters" with the groupname, or domain name etc, we'll need to see.

Regards,
Bhaskar


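The same call built from Python rather than by splicing variables into a bash single-quoted string. This is an added example, not code from the thread, from HPE, or from the POSH-HPOneView SDK. It takes from the thread only what the posts show: the POST /rest/logindomains/grouptorolemapping endpoint, the LoginDomainGroupCredentials body, the X-API-Version and auth headers, the role spellings "Infrastructure administrator" and "Backup administrator", and the nestedErrors shape of the error body. The appliance URL, session id and API version are assumed caller-supplied inputs; the role list and error body embedded below are constructed copies for offline use, and on a real appliance the role list should come from GET /rest/roles.

```python
"""Build, send and diagnose a OneView group-to-role mapping request.

Added example, not HPE code. Appliance URL, session id and API version are
assumed inputs; SAMPLE_ROLES and SAMPLE_ERROR are constructed from the thread.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Iterable, List, Optional, Tuple

ENDPOINT = "/rest/logindomains/grouptorolemapping"

# Constructed sample of role names as GET /rest/roles would spell them; the
# thread names these two. Fetch the real list from the appliance in practice.
SAMPLE_ROLES = ["Infrastructure administrator", "Backup administrator"]

# Constructed copy of the error body quoted in the thread (trimmed to the
# fields this example reads).
SAMPLE_ERROR = {
    "errorCode": "AUTHN_LOGINDOMAIN_GROUP_ROLE_MAPPING_FOR_DOMAIN_VALIDATION_ERROR",
    "message": "Invalid data, missing data, or both provided for enterprise group to role assignment.",
    "nestedErrors": [
        {"errorCode": "AUTHN_AUTH_FAIL",
         "message": "Invalid username or password.",
         "nestedErrors": []}
    ],
}


def canonical_role(requested: str, roles: Iterable[str]) -> str:
    """Return the role name spelled exactly as the appliance lists it.

    The thread shows "Infrastructure Administrator" rejected while
    "Infrastructure administrator" is accepted, so match case-insensitively
    (and ignore stray whitespace) and hand back the appliance's own spelling.
    Refuse to send a guess that matches nothing.
    """
    wanted = " ".join(requested.split()).casefold()
    for name in roles:
        if name.casefold() == wanted:
            return name
    raise ValueError(f"no OneView role matches {requested!r}; check GET /rest/roles")


def build_payload(bind_user: str, bind_password: str, login_domain: str,
                  group: str, role: str) -> str:
    """Serialise the body with json.dumps so quotes, '%', '#' and similar
    characters in the password or group name are escaped correctly; splicing
    them into a bash single-quoted string, as in the thread, is fragile."""
    body = {
        "type": "LoginDomainGroupCredentials",
        "credentials": {"userName": bind_user, "password": bind_password},
        "group2PermissionPerGroup": {
            "type": "LoginDomainGroupPermission",
            "loginDomain": login_domain,
            "egroup": group,  # bare AD group name, as in the thread's final working form
            "permissions": [{"roleName": role}],
        },
    }
    return json.dumps(body)


def flatten_errors(resp: dict) -> List[Tuple[str, str]]:
    """Walk nestedErrors depth-first; return (errorCode, message) pairs,
    outermost first. The outer validation error in the thread only makes
    sense once the inner AUTHN_AUTH_FAIL is read."""
    found: List[Tuple[str, str]] = []
    if resp.get("errorCode"):
        found.append((resp["errorCode"], resp.get("message", "")))
    for nested in resp.get("nestedErrors") or []:
        found.extend(flatten_errors(nested))
    return found


def root_cause(resp: dict) -> Optional[str]:
    """Innermost error code, or None when the body carries no error."""
    codes = flatten_errors(resp)
    return codes[-1][0] if codes else None


def post_mapping(appliance: str, session_id: str, api_version: int,
                 payload: str, verify_tls: bool = True) -> Tuple[int, dict]:
    """POST the mapping; return (HTTP status, parsed JSON body) for both 2xx
    and 4xx answers. verify_tls=False mirrors curl --insecure and is only
    defensible against a lab appliance with a self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        appliance.rstrip("/") + ENDPOINT,
        data=payload.encode("utf-8"),
        method="POST",
        headers={"content-type": "application/json",
                 "accept": "application/json",
                 "X-API-Version": str(api_version),
                 "auth": session_id},
    )
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.getcode(), json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


if __name__ == "__main__":
    role = canonical_role("Infrastructure Administrator", SAMPLE_ROLES)
    print(build_payload("myADlogin", "p%ss#w0rd", "ADHQ", "MyGroup_OneView", role))
    print(root_cause(SAMPLE_ERROR))
```

Pass `post_mapping(...)` the string from `build_payload(...)` together with the session id obtained from the appliance's login-sessions call, then feed the returned body to `root_cause` so the inner code (here AUTHN_AUTH_FAIL, i.e. the directory bind failed) is what gets logged rather than the generic outer validation error.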
BradV
Trusted Contributor

Re: Mapping AD group to role mapping with REST API

Hi Bhaskar,

Not knocking powershell, but we simply have no Windows systems in this environment.

I modified slightly following what you had:

USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
DN="MyGroup_OneView@${ADD}"
OVGROUP="Infrastructure administrator"
echo "Mapping ${DN} to ${OVGROUP} group."
# Assign user in the MyGroup_OneView to Infrastructure Administrator role:
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--data '{ "credentials": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "'"${DN}"'", "loginDomain": "'"${ADD}"'", "permissions": [{ "roleName": "'"${OVGROUP}"'" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }' \
--request POST ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'

Putting the OneView group name into a variable (so that I can repeat with the read-only group).  I still get invalid username or password.  My password currently is all upper/lowercase alphanumerics and a '%' and '#' characters.  I know the username and password is correct because I can log into the active directory administrator with it.  If it makes a difference, our current version of OneView API is 800.  I noticed you were using 1000.

Regards,

Brad

BradV
Trusted Contributor

Re: Mapping AD group to role mapping with REST API

There appears to be a bug in this REST API.  Instead of using the supplied AD credentials, OneView used the stored username and password when I first connected to AD.  For security reasons, our administrative credentials in AD only last for a very short time.  So, the stored password had long ago expired.  So, two issues:

 

1.  The REST API is not using the provided credentials, but rather the stored credentials.

2.  When making the AD credentials, OneView does not appear to create a trust relationship, but instead appears to expect the username and password to be good for the life of the connection.

 

Note that I changed the variable, DN, to just be the AD group name and removed the '@${ADD}' portion.

BhaskarV
HPE Pro

Re: Mapping AD group to role mapping with REST API

Hi @BradV 

Will check on this.

Regards,
Bhaskar


BradV
Trusted Contributor

Re: Mapping AD group to role mapping with REST API

I have a ticket opened for this.  Tried to send you a private message with the number, but the stupid interface kept complaining and then finally said I had reached my quota for private messages.  :(

BhaskarV
HPE Pro

Re: Mapping AD group to role mapping with REST API

Hi @BradV 

No problem. 
Thanks for getting a ticket opened.
One question for you - 
When you configure the directory in OneView, there are two options in the drop-down: "Service Account" and "User credentials".  If you configure the directory using "Service Account", the credentials to the Service Account are stored and used by OneView when establishing a connection to the directory.  If you choose "User Account", each time a connection is established to the directory, you will see a popup asking for credentials.
From the behavior you are describing, most likely the configuration you have may be :"Service Account" based. 
Can you check on this once?

Regards,
Bhaskar

