HPE OneView
Mapping AD group to role mapping with REST API

BradV
Esteemed Contributor

Re: Mapping AD group to role mapping with REST API

Ah, I used the REST API to connect.  I told it directoryBindingType SERVICE_ACCOUNT, but it was really my personal account.  My group is not in control of the Active Directory, so I really don't have a service account.  Should I disconnect from AD and then re-connect, this time specifying I am using a USER_ACCOUNT?  Attached is the method I used.  I'll add this to my ticket.  Apparently I can't attach a text document?  I'll include it inline: 

# Follow instructions in: OneView-API_Get_Session_Credentials.txt
# First, need to import root certificate of our organization.
# (It is fetched with --insecure, so check its fingerprint out-of-band before importing it.)
# The awk joins the PEM lines with a literal "\n", which is the single-line form OneView expects.
ROOTB=$(curl --insecure https://our.org/ca_certs/base64/pkiroot.cer 2>/dev/null | awk 'NF {sub(/\r/,""); printf "%s\\n",$0}' 2>/dev/null)
ROOTB=${ROOTB%'\n'}
# The JSON body is single-quoted, so ${ROOTB} has to be spliced in with '"${ROOTB}"' to be expanded:
ROOTCA=$(curl --insecure \
   --header "content-type: application/json" \
   --header "accept: application/json" \
   --header "X-API-Version: ${currentVersion}" \
   --header "auth: ${sessionID}" \
   --data '{ "members": [{ "type": "CertificateAuthorityInfo", "certificateDetails": { "base64Data": "'"${ROOTB}"'", "aliasName": "Our_Org", "type": "CertificateDetailV2" }}], "type": "CertificateAuthorityInfoCollection" }' \
   --request POST ${OneView}/rest/certificates/ca | jq -r '.uri')
# Can check the import status with:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request GET ${OneView}${ROOTCA} | jq -r '.'
# To see a list of all of the CAs:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request GET ${OneView}/rest/certificates/ca | jq -r '.'
# Need the host name and IP address of one of our domain controllers.
# Can get this by pinging our domain name (the trailing ":" is stripped in case ping prints no reverse name):
DC=$(ping -c1 our.org | grep icmp_seq | awk '{ sub(/:$/, "", $4); print $4 }')
DCIP=$(/usr/bin/dig +noall +answer ${DC} | awk '{ print $5 }')
echo "Found a domain controller at: ${DC} : ${DCIP}"
# We need the server certificate from that domain controller in a single line
# (openssl x509 extracts just the PEM block from the s_client output):
CHQ=$(echo | \
openssl s_client -connect ${DC}:636 2>/dev/null | openssl x509 | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}')
CHQ=${CHQ%'\n'}
# Need to use admin account and password in the AD domain
# (better: read -rs -p 'AD password: ' PASSW, so the password is not stored in the script or shell history)
USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
# Add OneView to AD:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data '{ "type": "LoginDomainConfigV600", "directoryBindingType": "SERVICE_ACCOUNT", "name": "CentrifyHQ", "credential": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'"}, "authProtocol": "AD", "baseDN": "dc=mycorp,dc=com", "userNamingAttribute": "CN", "orgUnits": [], "directoryServers":[{ "directoryServerCertificateBase64Data": "'"${CHQ}"'", "directoryServerIpAddress": "'"${DCIP}"'", "directoryServerSSLPortNumber": "636", "type": "LoginDomainDirectoryServerInfoDto" }], "authnType": "CREDENTIAL" }' \
     --request POST ${OneView}/rest/logindomains | jq -r '.'
BhaskarV
Trusted Contributor

Re: Mapping AD group to role mapping with REST API

Hi @BradV 

Thank you for sharing the details.
Yes, the SERVICE_ACCOUNT is a single common account that gets persisted in the appliance and gets used to connect and query the directory. As the API docs mention, you may want to switch to the USER_ACCOUNT if you want your credentials to be used just for the API call. Do try that and let me know. When support responds to your ticket, do let them know. 

Regards,
Bhaskar


I am an HPE employee


BradV
Esteemed Contributor
Solution

Re: Mapping AD group to role mapping with REST API

Sorry, I never closed this out.  Since my OneView was rather new, I just deleted and re-created it from scratch.  This is how I accomplished mapping AD groups to OneView roles with the REST API.  First, get session credentials: 

OneView="https://server-name.org"
PASSW='ourpassword'
# Get API current version:
currentVersion=$(curl --insecure --header "accept: application/json" --request GET ${OneView}/rest/version | jq -r ".currentVersion")
# Get API session ID (the body is single-quoted, so the password is spliced in with '"${PASSW}"'):
sessionID=$(curl --insecure \
   --header "content-type: application/json" \
   --header "accept: application/json" \
   --header "X-API-Version: ${currentVersion}" \
   --data '{"userName": "administrator", "password": "'"${PASSW}"'"}' \
   --request POST ${OneView}/rest/login-sessions | jq -r ".sessionID")
echo "Your current session ID is: ${sessionID}
This ID will last for 24 hours.  The current API version is: ${currentVersion}."

Then, connect to Active Directory: 

# Follow instructions in: OneView-API_Get_Session_Credentials.txt
# First, need to import root certificate of our organization.
# (It is fetched with --insecure, so check its fingerprint out-of-band before importing it.)
# The awk joins the PEM lines with a literal "\n", which is the single-line form OneView expects.
ROOTB=$(curl --insecure https://our.org/ca_certs/base64/pkiroot.cer 2>/dev/null | awk 'NF {sub(/\r/,""); printf "%s\\n",$0}' 2>/dev/null)
ROOTB=${ROOTB%'\n'}
# The JSON body is single-quoted, so ${ROOTB} has to be spliced in with '"${ROOTB}"' to be expanded:
ROOTCA=$(curl --insecure \
   --header "content-type: application/json" \
   --header "accept: application/json" \
   --header "X-API-Version: ${currentVersion}" \
   --header "auth: ${sessionID}" \
   --data '{ "members": [{ "type": "CertificateAuthorityInfo", "certificateDetails": { "base64Data": "'"${ROOTB}"'", "aliasName": "Our_Org", "type": "CertificateDetailV2" }}], "type": "CertificateAuthorityInfoCollection" }' \
   --request POST ${OneView}/rest/certificates/ca | jq -r '.uri')
# Can check the import status with:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request GET ${OneView}${ROOTCA} | jq -r '.'
# To see a list of all of the CAs:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request GET ${OneView}/rest/certificates/ca | jq -r '.'
# Need the host name and IP address of one of our domain controllers.
# Can get this by pinging our domain name (the trailing ":" is stripped in case ping prints no reverse name):
DC=$(ping -c1 our.org | grep icmp_seq | awk '{ sub(/:$/, "", $4); print $4 }')
DCIP=$(/usr/bin/dig +noall +answer ${DC} | awk '{ print $5 }')
echo "Found a domain controller at: ${DC} : ${DCIP}"
# We need the server certificate from that domain controller in a single line
# (openssl x509 extracts just the PEM block from the s_client output):
CHQ=$(echo | \
openssl s_client -connect ${DC}:636 2>/dev/null | openssl x509 | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}')
CHQ=${CHQ%'\n'}
# Need to use admin account and password in the AD domain
# (better: read -rs -p 'AD password: ' PASSW, so the password is not stored in the script or shell history)
USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
# Add OneView to AD:
curl --insecure \
     --header "content-type: application/json" \
     --header "accept: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data '{ "type": "LoginDomainConfigV600", "directoryBindingType": "USER_ACCOUNT", "name": "CentrifyHQ", "credential": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'"}, "authProtocol": "AD", "baseDN": "dc=mycorp,dc=com", "userNamingAttribute": "CN", "orgUnits": [], "directoryServers":[{ "directoryServerCertificateBase64Data": "'"${CHQ}"'", "directoryServerIpAddress": "'"${DCIP}"'", "directoryServerSSLPortNumber": "636", "type": "LoginDomainDirectoryServerInfoDto" }], "authnType": "CREDENTIAL" }' \
     --request POST ${OneView}/rest/logindomains | jq -r '.'

Then make your AD group to OneView role mappings: 

# Need to use admin account and password in the AD domain
USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
#
# Retrieve a listing of groups from AD:
curl --insecure \
     --header "content-type: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data '{ "authLoginDomain": "'"${ADD}"'", "password": "'"${PASSW}"'", "userName": "'"${USER}"'" }' \
     --request POST ${OneView}/rest/logindomains/groups | jq -r '.'
#
# To retrieve any current role mappings:
curl --insecure \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request GET ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'
#
# To assign a group to a role:
DN="MyGroup_OneView"
OVGROUP="Infrastructure administrator"
DATA='{ "credentials": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "'"${DN}"'", "loginDomain": "'"${ADD}"'", "permissions": [{ "roleName": "'"${OVGROUP}"'" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }'
echo "Mapping ${DN} to ${OVGROUP} group using this data:"
# The body carries the AD password, so the credentials block is dropped from the printout:
echo "${DATA}" | jq -r 'del(.credentials)'
# Assign users in the MyGroup_OneView group to the Infrastructure administrator role:
curl --insecure \
     --header "content-type: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data "${DATA}" \
     --request POST ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'
#
# Repeat for read-only group:
DN="ReadGroup_OneView"
OVGROUP="Read only"
DATA='{ "credentials": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'" }, "group2PermissionPerGroup": { "egroup": "'"${DN}"'", "loginDomain": "'"${ADD}"'", "permissions": [{ "roleName": "'"${OVGROUP}"'" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }'
echo "Mapping ${DN} to ${OVGROUP} group using this data:"
echo "${DATA}" | jq -r 'del(.credentials)'
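The same request bodies built in Python, as an added example that is not code from the thread or from HPE: json.dumps does the escaping that the shell '"${VAR}"' splicing above does by hand (so a password with quotes or spaces cannot break the body), pem_single_line reproduces the awk newline-joining of the certificate, and the POST verifies TLS against a CA file instead of --insecure. Field names and endpoints are the ones used in the thread; the base URL, CA file path and sample values are assumptions.

```python
import json
import ssl
import urllib.request


def pem_single_line(pem_text):
    """Same transform as the thread's awk one-liner: drop blank lines and CRs,
    join the rest with a literal backslash-n, no trailing separator."""
    return "\\n".join(l.rstrip("\r") for l in pem_text.splitlines() if l.strip())


def login_domain_payload(name, user, password, base_dn, dc_ip, dc_cert_pem,
                         binding="USER_ACCOUNT"):
    """Body for POST /rest/logindomains, same fields the thread uses."""
    server = {"directoryServerCertificateBase64Data": pem_single_line(dc_cert_pem),
              "directoryServerIpAddress": dc_ip, "directoryServerSSLPortNumber": "636",
              "type": "LoginDomainDirectoryServerInfoDto"}
    return {"type": "LoginDomainConfigV600", "directoryBindingType": binding,
            "name": name, "credential": {"userName": user, "password": password},
            "authProtocol": "AD", "baseDN": base_dn, "userNamingAttribute": "CN",
            "orgUnits": [], "directoryServers": [server], "authnType": "CREDENTIAL"}


def group_role_payload(user, password, domain, group, role):
    """Body for POST /rest/logindomains/grouptorolemapping."""
    return {"credentials": {"userName": user, "password": password},
            "group2PermissionPerGroup": {"egroup": group, "loginDomain": domain,
                                         "permissions": [{"roleName": role}],
                                         "type": "LoginDomainGroupPermission"},
            "type": "LoginDomainGroupCredentials"}


def post_json(base_url, path, payload, api_version, session_id=None, cafile=None):
    """POST to OneView with TLS verified against cafile instead of --insecure.
    json.dumps escapes quotes/backslashes, so passwords cannot break the body."""
    headers = {"content-type": "application/json", "accept": "application/json",
               "X-API-Version": str(api_version)}
    if session_id:  # /rest/login-sessions is the one call made without it
        headers["auth"] = session_id
    req = urllib.request.Request(base_url + path, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    ctx = ssl.create_default_context(cafile=cafile)  # None -> system trust store
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
```

Example call (assumed values): post_json("https://server-name.org", "/rest/logindomains/grouptorolemapping", group_role_payload("myADlogin", password, "ADHQ", "MyGroup_OneView", "Infrastructure administrator"), current_version, session_id, cafile="/path/to/pkiroot.pem").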