Mapping AD group to role mapping with REST API

Greetings!

Which version of oneview are you using?

Which version of PowerShell are you using?

API is rejecting your credentials. You can use the UPN (user@fqdn.com) of the account that has permissions to authenticate to the LDAP Directory.

Thanks

Hi Suvamay,

Not using powershell.  My systems are CentOS/RHEL.  So, just using curl.  Our appliance is at 4.10.01.  Not sure how to change the user@domain?  I tried: 

ADD="ADHQ"
--data '{ "credentials": { "userName": "'"${USER}@${ADD}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "MyGroup_OneView", "loginDomain": "'"${ADD}"'","permissions": [{ "roleName": "Infrastructure Administrator" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }'

but still got back invalid username or password.

Good Day !!

Check the below URL and follow the string.

https://github.com/HewlettPackard/POSH-HPOneView/wiki/New-HPOVLdapDirectory

Thanks @Suvamay  for pointing @BradV  to Powershell SDK.

Hi @BradV  -

The powershell cmdlets are very useful and easy to use and are maintained by Chris Lynch so you will get the benefits of the changes / enhancements he makes on an ongoing basis from one version of OneView to another. Not trying to sell powershell to a curl user. 

On the specific issue you are having with the curl script you are working with.
Used the same script that you pasted above.
Made relevant changes for my credentials / server etc.
One specific change was for the role name from "Infrastructure Administrator" to "Infrastructure administrator".
That makes a difference. The "role name" here is the role name you get back from GET /rest/roles API.
In OneView, rolenames are "Infrastructure administrator", "Backup administrator" etc.

#!/bin/bash

USER='firstname.lastname@hpe.com'
PASSW='xxxxxxxx@yyyyy'
ADD="mydomain"
# Assign user in the MyGroup_OneView to Infrastucture Administrator role:
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: 1000" \
--header "auth: session_id here" \
--data '{ "credentials": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "mygroup@hpe.com", "loginDomain": "'"${ADD}"'","permissions": [{

"roleName": "Infrastructure administrator" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }' \
--request POST https://<appliance>/rest/logindomains/grouptorolemapping | jq -r '.'

Try this out and let me know. 
If you are running into any "special characters" with the groupname, or domain name etc, we'll need to see.

Regards,
Bhaskar

Hi Bhashkar,

Not knocking powershell, but we simply have no Windows systems in this environment.

I modified slightly following what you had:

USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
DN="MyGroup_OneView@${ADD}"
OVGROUP="Infrastructure administrator"
echo "Mapping ${DN} to ${OVGROUP} group."
# Assign user in the MyGroup_OneView to Infrastucture Administrator role:
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--data '{ "credentials": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "'"${DN}"'", "loginDomain": "'"${ADD}"'","permissions": [{ "roleName": "'"${OVGROUP"'" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }' \
--request POST ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'

Putting the OpenView group name into a variable (so that I can repeat with the read-only group).  I still get invalid username or password.  My password currently is all upper/lowercase alphanumerics and a '%' and '#' characters.  I know the username and password is correct because I can log into the active directory administrator with it.  If it makes a difference, our current version of OneView API is 800.  I noticed you were using 1000.

Regards,

Brad

There appears to be a bug in this REST API.  Instead of using the supplied AD credentials, OneView used the stored username and password when I first connected to AD.  For security reasons, our administrative credentials in AD only last for a very short time.  So, the stored password had long ago expired.  So, two issues:

1.  The REST API is not using the provided credentials, but rather the stored credentials.

2.  When making the AD credentials, OneView does not appear to create a trust relationship, but instead appears to expect the username and password to be good for the life of the connection.

Note that I changed the variable, DN, to just be the AD group name and removed the '@${ADD}' portion.

Hi @BradV 

Will check on this.

Regards,
Bhaskar

I have a ticket opened for this.  Tried to send you a private message with the number, but the stupid inteface kept complaining and then finally said I had reached my quota for private messages.  :(

Hi @BradV 

No problem. 
Thanks for getting a ticket opened.
One question for you - 
When you configure the directory in OneView, there are two options in the drop down  - "Service Account" and "User credentials".  If you configure the directory using "Service Account" , the credentials to the Service Account are stored and used by OneView when establishing a connection to the directory.. If you chose "User Account", each time a connection is established to the directory, you will see a popup asking for credentials. 
From the behavior you are describing, most likely the configuration you have may be :"Service Account" based. 
Can you check on this once?

Regards,
Bhaskar