HPE OneView
Mapping AD group to role mapping with REST API

 
BradV
Esteemed Contributor

Mapping AD group to role mapping with REST API

I have defined two groups in AD for use with OneView.  One is to authenticate administrators and one for read-only folks.  When trying to perform, I used: 

USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
# Assign user in the MyGroup_OneView to Infrastructure Administrator role:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data '{ "credentials": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "MyGroup_OneView", "loginDomain": "'"${ADD}"'", "permissions": [{ "roleName": "Infrastructure Administrator" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }' \
     --request POST ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'

and get back: 

{
  "data": {},
  "nestedErrors": [
    {
      "data": {},
      "nestedErrors": [],
      "errorSource": null,
      "recommendedActions": [ "Enter correct credentials and try again. To obtain a username or password, contact your administrator." ],
      "details": "Invalid username or password.",
      "message": "Invalid username or password.",
      "errorCode": "AUTHN_AUTH_FAIL"
    }
  ],
  "errorSource": null,
  "recommendedActions": [ "Correct the errors and try again." ],
  "details": "Valid data missing to perform enterprise group to role assignment.",
  "message": "Invalid data, missing data, or both provided for enterprise group to role assignment.",
  "errorCode": "AUTHN_LOGINDOMAIN_GROUP_ROLE_MAPPING_FOR_DOMAIN_VALIDATION_ERROR"
}

I'm not sure what invalid username or credentials it is talking about?  I gave it the correct AD username and AD password.  Is that what it is referencing, or is it OpenView login?  I do already have it joined to the AD domain.  Any ideas?

Suvamay
HPE Pro

Re: Mapping AD group to role mapping with REST API

Greetings!

Which version of oneview are you using?

Which version of PowerShell are you using?

API is rejecting your credentials. You can use the UPN (user@fqdn.com) of the account that has permissions to authenticate to the LDAP Directory.

 

Thanks

 

I'm an HPE employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
BradV
Esteemed Contributor

Re: Mapping AD group to role mapping with REST API

Hi Suvamay,

Not using powershell.  My systems are CentOS/RHEL.  So, just using curl.  Our appliance is at 4.10.01.  Not sure how to change the user@domain?  I tried: 

ADD="ADHQ"
--data '{ "credentials": { "userName": "'"${USER}@${ADD}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "MyGroup_OneView", "loginDomain": "'"${ADD}"'","permissions": [{ "roleName": "Infrastructure Administrator" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }'

but still got back invalid username or password.

Suvamay
HPE Pro

Re: Mapping AD group to role mapping with REST API

Good Day !!

Check the below URL and follow the string.

https://github.com/HewlettPackard/POSH-HPOneView/wiki/New-HPOVLdapDirectory

 

 

BhaskarV
Trusted Contributor

Re: Mapping AD group to role mapping with REST API

Thanks @Suvamay for pointing @BradV to the PowerShell SDK.

Hi @BradV -

The powershell cmdlets are very useful and easy to use and are maintained by Chris Lynch so you will get the benefits of the changes / enhancements he makes on an ongoing basis from one version of OneView to another. Not trying to sell powershell to a curl user. 

On the specific issue you are having with the curl script you are working with.
Used the same script that you pasted above.
Made relevant changes for my credentials / server etc.
One specific change was for the role name from "Infrastructure Administrator" to "Infrastructure administrator".
That makes a difference. The "role name" here is the role name you get back from GET /rest/roles API.
In OneView, rolenames are "Infrastructure administrator", "Backup administrator" etc.

#!/bin/bash

USER='firstname.lastname@hpe.com'
PASSW='xxxxxxxx@yyyyy'
ADD="mydomain"
# Assign user in the MyGroup_OneView to Infrastructure Administrator role:
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: 1000" \
--header "auth: session_id here" \
--data '{ "credentials": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "mygroup@hpe.com", "loginDomain": "'"${ADD}"'", "permissions": [{ "roleName": "Infrastructure administrator" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }' \
--request POST https://<appliance>/rest/logindomains/grouptorolemapping | jq -r '.'

Try this out and let me know. 
If you are running into any "special characters" with the groupname, or domain name etc, we'll need to see.

Regards,
Bhaskar


I am an HPE employee


BradV
Esteemed Contributor

Re: Mapping AD group to role mapping with REST API

Hi Bhashkar,

Not knocking powershell, but we simply have no Windows systems in this environment.

I modified slightly following what you had:

USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
DN="MyGroup_OneView@${ADD}"
OVGROUP="Infrastructure administrator"
echo "Mapping ${DN} to ${OVGROUP} group."
# Assign user in the MyGroup_OneView to Infrastructure Administrator role:
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--data '{ "credentials": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "'"${DN}"'", "loginDomain": "'"${ADD}"'", "permissions": [{ "roleName": "'"${OVGROUP}"'" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }' \
--request POST ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'

Putting the OpenView group name into a variable (so that I can repeat with the read-only group). I still get invalid username or password. My password currently is all upper/lowercase alphanumerics and the '%' and '#' characters. I know the username and password are correct because I can log into the active directory administrator with it. If it makes a difference, our current version of OneView API is 800. I noticed you were using 1000.

Regards,

Brad

BradV
Esteemed Contributor

Re: Mapping AD group to role mapping with REST API

There appears to be a bug in this REST API.  Instead of using the supplied AD credentials, OneView used the stored username and password when I first connected to AD.  For security reasons, our administrative credentials in AD only last for a very short time.  So, the stored password had long ago expired.  So, two issues:

 

1.  The REST API is not using the provided credentials, but rather the stored credentials.

2.  When making the AD credentials, OneView does not appear to create a trust relationship, but instead appears to expect the username and password to be good for the life of the connection.

 

Note that I changed the variable, DN, to just be the AD group name and removed the '@${ADD}' portion.

BhaskarV
Trusted Contributor

Re: Mapping AD group to role mapping with REST API

Hi @BradV 

Will check on this.

Regards,
Bhaskar



BradV
Esteemed Contributor

Re: Mapping AD group to role mapping with REST API

I have a ticket opened for this. Tried to send you a private message with the number, but the stupid interface kept complaining and then finally said I had reached my quota for private messages. :(

BhaskarV
Trusted Contributor

Re: Mapping AD group to role mapping with REST API

Hi @BradV 

No problem. 
Thanks for getting a ticket opened.
One question for you - 
When you configure the directory in OneView, there are two options in the drop down - "Service Account" and "User credentials". If you configure the directory using "Service Account", the credentials to the Service Account are stored and used by OneView when establishing a connection to the directory. If you choose "User Account", each time a connection is established to the directory, you will see a popup asking for credentials.
From the behavior you are describing, most likely the configuration you have may be :"Service Account" based. 
Can you check on this once?

Regards,
Bhaskar



BradV
Esteemed Contributor

Re: Mapping AD group to role mapping with REST API

Ah, I used the REST API to connect.  I told it directoryBindingType SERVICE_ACCOUNT, but it was really my personal account.  My group is not in control of the active directory.  So, really don't have a service account.  Should I disconnect from AD and then re-connect this time specifying I am using a USER_ACCOUNT?  Attached is the method I used.  I'll add this to my ticket.  Apparently I can't attach a text document?  I'll include it inline: 

# Follow instructions in: OneView-API_Get_Session_Credentials.txt
# First, need to import root certificate of our organization.
ROOTB=$(curl --insecure https://our.org/ca_certs/base64/pkiroot.cer 2>/dev/null | awk 'NF {sub(/\r/,""); printf "%s\\n",$0}' 2>/dev/null)
ROOTB=${ROOTB%'\n'}
ROOTCA=$(curl --insecure \
   --header "content-type: application/json" \
   --header "accept: application/json" \
   --header "X-API-Version: ${currentVersion}" \
   --header "auth: ${sessionID}" \
   --data '{ "members": [{ "type": "CertificateAuthorityInfo", "certificateDetails": { "base64Data": "'"${ROOTB}"'", "aliasName": "Our_Org", "type": "CertificateDetailV2" }}], "type": "CertificateAuthorityInfoCollection" }' \
   --request POST ${OneView}/rest/certificates/ca | jq -r '.uri')
# Can check the import status with:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request GET ${OneView}${ROOTCA} | jq -r '.'
# To see a list of all of the CAs:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request GET ${OneView}/rest/certificates/ca | jq -r '.'
# Need the host name and ip address of one of our domain controllers.
# Can get this by pinging our domain name:
DC=$(ping -c1 our.org | grep icmp_seq | awk '{ print $4 }')
DCIP=$(/usr/bin/dig +noall +answer ${DC} | awk '{ print $5 }')
echo "Found a domain controller at: ${DC} : ${DCIP}"
# We need the server certificate from that domain controller in a single line
# (only the PEM block, with literal \n separators so it fits in the JSON string):
CHQ=$(echo | \
openssl s_client -connect ${DC}:636 2>/dev/null | openssl x509 | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}')
# Need to use admin account and password in the AD domain
USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
# Add OneView to AD:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data '{ "type": "LoginDomainConfigV600", "directoryBindingType": "SERVICE_ACCOUNT", "name": "CentrifyHQ", "credential": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'"}, "authProtocol": "AD", "baseDN": "dc=mycorp,dc=com", "userNamingAttribute": "CN", "orgUnits": [], "directoryServers":[{ "directoryServerCertificateBase64Data": "'"${CHQ}"'", "directoryServerIpAddress": "'"${DCIP}"'", "directoryServerSSLPortNumber": "636", "type": "LoginDomainDirectoryServerInfoDto" }], "authnType": "CREDENTIAL" }' \
     --request POST ${OneView}/rest/logindomains | jq -r '.'
BhaskarV
Trusted Contributor

Re: Mapping AD group to role mapping with REST API

Hi @BradV 

Thank you for sharing the details.
Yes, the SERVICE_ACCOUNT is a single common account that gets persisted in the appliance and gets used to connect and query the directory. As the API docs mention, you may want to switch to the USER_ACCOUNT if you want your credentials to be used just for the API call. Do try that and let me know. When support responds to your ticket, do let them know. 

Regards,
Bhaskar


I am an HPE employee

Accept or Kudo

BradV
Esteemed Contributor
Solution

Re: Mapping AD group to role mapping with REST API

Sorry, I never closed this out.  Since my OneView was rather new, I just deleted and re-created from scratch.  This is how I accomplished mapping AD group to OneView roles with the REST API.  First, get session credentials: 

OneView="https://server-name.org"
PASSW='ourpassword'
# Get API current version:
currentVersion=$(curl --insecure --header "accept: application/json" --request GET ${OneView}/rest/version | jq -r ".currentVersion")
# Get API session ID:
sessionID=$(curl --insecure \
   --header "content-type: application/json" \
   --header "accept: application/json" \
   --header "X-API-Version: ${currentVersion}" \
   --data '{"userName": "administrator", "password": "'"${PASSW}"'"}' \
   --request POST ${OneView}/rest/login-sessions | jq -r ".sessionID")
echo "Your current session ID is: ${sessionID}
This ID will last for 24 hours.  The current API version is: ${currentVersion}."

Then, connect to active directory: 

# Follow instructions in: OneView-API_Get_Session_Credentials.txt
# First, need to import root certificate of our organization.
ROOTB=$(curl --insecure https://our.org/ca_certs/base64/pkiroot.cer 2>/dev/null | awk 'NF {sub(/\r/,""); printf "%s\\n",$0}' 2>/dev/null)
ROOTB=${ROOTB%'\n'}
ROOTCA=$(curl --insecure \
   --header "content-type: application/json" \
   --header "accept: application/json" \
   --header "X-API-Version: ${currentVersion}" \
   --header "auth: ${sessionID}" \
   --data '{ "members": [{ "type": "CertificateAuthorityInfo", "certificateDetails": { "base64Data": "'"${ROOTB}"'", "aliasName": "Our_Org", "type": "CertificateDetailV2" }}], "type": "CertificateAuthorityInfoCollection" }' \
   --request POST ${OneView}/rest/certificates/ca | jq -r '.uri')
# Can check the import status with:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request GET ${OneView}${ROOTCA} | jq -r '.'
# To see a list of all of the CAs:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request GET ${OneView}/rest/certificates/ca | jq -r '.'
# Need the host name and ip address of one of our domain controllers.
# Can get this by pinging our domain name:
DC=$(ping -c1 our.org | grep icmp_seq | awk '{ print $4 }')
DCIP=$(/usr/bin/dig +noall +answer ${DC} | awk '{ print $5 }')
echo "Found a domain controller at: ${DC} : ${DCIP}"
# We need the server certificate from that domain controller in a single line
# (only the PEM block, with literal \n separators so it fits in the JSON string):
CHQ=$(echo | \
openssl s_client -connect ${DC}:636 2>/dev/null | openssl x509 | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}')
# Need to use admin account and password in the AD domain
USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
# Add OneView to AD:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data '{ "type": "LoginDomainConfigV600", "directoryBindingType": "USER_ACCOUNT", "name": "CentrifyHQ", "credential": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'"}, "authProtocol": "AD", "baseDN": "dc=mycorp,dc=com", "userNamingAttribute": "CN", "orgUnits": [], "directoryServers":[{ "directoryServerCertificateBase64Data": "'"${CHQ}"'", "directoryServerIpAddress": "'"${DCIP}"'", "directoryServerSSLPortNumber": "636", "type": "LoginDomainDirectoryServerInfoDto" }], "authnType": "CREDENTIAL" }' \
     --request POST ${OneView}/rest/logindomains | jq -r '.'

Then make your AD group to OneView role mappings: 

# Need to use admin account and password in the AD domain
USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
#
# Retrieve a listing of groups from AD:
curl --insecure \
     --header "content-type: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data '{ "authLoginDomain":"'${ADD}'", "password":"'${PASSW}'", "userName":"'${USER}'" }' \
     --request POST ${OneView}/rest/logindomains/groups | jq -r '.'
#
# To retrieve any current role mappings:
curl --insecure \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request GET ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'
#
# To assign a group to a role:
DN="MyGroup_OneView"
OVGROUP="Infrastructure administrator"
DATA='{ "credentials": { "userName": "'${USER}'", "password": "'${PASSW}'" }, "group2PermissionPerGroup": { "egroup": "'${DN}'", "loginDomain": "'${ADD}'", "permissions": [{ "roleName": "'${OVGROUP}'" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }'
echo "Mapping ${DN} to ${OVGROUP} group using this data:"
echo "${DATA}" | jq -r '.'
# Assign user in the MyGroup_OneView to Infrastructure Administrator role:
curl --insecure \
     --header "content-type: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data "${DATA}" \
     --request POST ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'
#
# Repeat for read-only group:
DN="ReadGroup_OneView"
OVGROUP="Read only"
DATA='{ "credentials": { "userName": "'${USER}'", "password": "'${PASSW}'" }, "group2PermissionPerGroup": { "egroup": "'${DN}'", "loginDomain": "'${ADD}'", "permissions": [{ "roleName": "'${OVGROUP}'" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }'
echo "Mapping ${DN} to ${OVGROUP} group using this data:"
echo "${DATA}" | jq -r '.'
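As an added example (editor's code, not a script from this thread or from HPE), the accepted answer's mapping step in Python: a role-name lookup against GET /rest/roles that resolves the "Infrastructure Administrator" versus "Infrastructure administrator" mismatch BhaskarV pointed out, a payload builder that relies on json.dumps so passwords with '%' or '#' need no shell quote-gluing, and a request helper that verifies the appliance certificate against a CA file instead of using --insecure. The appliance URL, the CA file path and the shape of the /rest/roles response (a collection with a "members" list) are assumptions.

```python
import json
import ssl
import urllib.request

# Assumed placeholders (not from the thread): the appliance URL and its CA
# certificate, exported once so TLS is verified instead of using --insecure.
ONEVIEW = "https://oneview.example.org"
CA_BUNDLE = "/etc/pki/tls/certs/oneview-ca.pem"

def canonical_role(roles, wanted):
    """Return the roleName exactly as OneView spells it, matched case-insensitively.
    'roles' is the members list of GET /rest/roles (assumed shape)."""
    for role in roles:
        if role.get("roleName", "").lower() == wanted.lower():
            return role["roleName"]
    return None

def group_mapping_payload(user, password, domain, group, role_name):
    """Body for POST /rest/logindomains/grouptorolemapping (same fields as the curl above)."""
    return {
        "type": "LoginDomainGroupCredentials",
        "credentials": {"userName": user, "password": password},
        "group2PermissionPerGroup": {
            "type": "LoginDomainGroupPermission",
            "egroup": group,
            "loginDomain": domain,
            "permissions": [{"roleName": role_name}],
        },
    }

def encode_body(body):
    """json.dumps escapes quotes and backslashes; %, # and spaces in a password
    or group name pass through unchanged, so no shell quote-gluing is needed."""
    return json.dumps(body).encode("utf-8")

def call(method, path, session_id=None, body=None, api_version="800"):
    """One request to the appliance; the server certificate is checked against CA_BUNDLE."""
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    headers = {"accept": "application/json", "X-API-Version": api_version}
    if session_id:
        headers["auth"] = session_id
    data = None
    if body is not None:
        headers["content-type"] = "application/json"
        data = encode_body(body)
    req = urllib.request.Request(ONEVIEW + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def map_group(session_id, user, password, domain, group, wanted_role):
    """Resolve the role name first, then post the mapping (assumes /rest/roles returns 'members')."""
    role = canonical_role(call("GET", "/rest/roles", session_id)["members"], wanted_role)
    if role is None:
        raise ValueError("OneView has no role named %r" % wanted_role)
    return call("POST", "/rest/logindomains/grouptorolemapping", session_id,
                group_mapping_payload(user, password, domain, group, role))
```

Call map_group() once per AD group with the sessionID obtained from /rest/login-sessions; a misspelled role fails locally before any credentials are sent.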