Mapping AD group to role mapping with REST API
02-15-2019 02:36 AM
Re: Mapping AD group to role mapping with REST API
Ah, I used the REST API to connect. I told it directoryBindingType SERVICE_ACCOUNT, but it was really my personal account. My group is not in control of the Active Directory, so I really don't have a service account. Should I disconnect from AD and then re-connect, this time specifying I am using a USER_ACCOUNT? Attached is the method I used. I'll add this to my ticket. Apparently I can't attach a text document? I'll include it inline:
# Follow instructions in: OneView-API_Get_Session_Credentials.txt
# First, need to import root certificate of our organization.
# Flatten the PEM into one line with literal "\n" separators, which is the form base64Data expects.
ROOTB=$(curl --insecure https://our.org/ca_certs/base64/pkiroot.cer 2>/dev/null | awk 'NF {sub(/\r/,""); printf "%s\\n",$0}' 2>/dev/null)
ROOTB=${ROOTB%'\n'}
# The JSON body is single-quoted, so each shell variable has to be spliced in as '"${VAR}"'.
ROOTCA=$(curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--data '{ "members": [{ "type": "CertificateAuthorityInfo", "certificateDetails": { "base64Data": "'"${ROOTB}"'", "aliasName": "Our_Org", "type": "CertificateDetailV2"}}], "type": "CertificateAuthorityInfoCollection" }' \
--request POST ${OneView}/rest/certificates/ca | jq -r '.uri')
# Can check the import status with:
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--request GET ${OneView}${ROOTCA} | jq -r '.'
# To see a list of all of the CAs:
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--request GET ${OneView}/rest/certificates/ca | jq -r '.'
# Need the host name and IP address of one of our domain controllers.
# Can get this by pinging our domain name (field 4 of the reply line is the responding host name):
DC=$(ping -c1 our.org | grep icmp_seq | awk '{ print $4 }')
DCIP=$(/usr/bin/dig +noall +answer ${DC} | awk '{ print $5 }')
echo "Found a domain controller at: ${DC} : ${DCIP}"
# We need the server certificate from that domain controller in a single line.
# s_client needs -connect; piping through openssl x509 keeps only the certificate block and drops the connection chatter.
CHQ=$(echo | openssl s_client -connect ${DC}:636 2>/dev/null | openssl x509 | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}')
# Need to use admin account and password in the AD domain
USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
# Add OneView to AD:
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--data '{ "type": "LoginDomainConfigV600", "directoryBindingType": "SERVICE_ACCOUNT", "name": "CentrifyHQ", "credential": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'"}, "authProtocol": "AD", "baseDN": "dc=mycorp,dc=com", "userNamingAttribute": "CN", "orgUnits": [], "directoryServers":[{ "directoryServerCertificateBase64Data": "'"${CHQ}"'", "directoryServerIpAddress": "'"${DCIP}"'", "directoryServerSSLPortNumber": "636", "type": "LoginDomainDirectoryServerInfoDto" }], "authnType": "CREDENTIAL" }' \
--request POST ${OneView}/rest/logindomains | jq -r '.'
02-15-2019 04:53 AM
Re: Mapping AD group to role mapping with REST API
Hi @BradV
Thank you for sharing the details.
Yes, the SERVICE_ACCOUNT is a single common account that gets persisted in the appliance and gets used to connect and query the directory. As the API docs mention, you may want to switch to the USER_ACCOUNT if you want your credentials to be used just for the API call. Do try that and let me know. When support responds to your ticket, do let them know.
Regards,
Bhaskar
I am an HPE employee
07-30-2019 03:25 AM
Sorry, I never closed this out. Since my OneView was rather new, I just deleted and re-created from scratch. This is how I accomplished mapping AD group to OneView roles with the REST API. First, get session credentials:
OneView="https://server-name.org"
PASSW='ourpassword'
# Get API current version:
currentVersion=$(curl --insecure --header "accept: application/json" --request GET ${OneView}/rest/version | jq -r ".currentVersion")
# Get API session ID:
# The body is single-quoted, so the password must be spliced in as '"${PASSW}"' or the literal text ${PASSW} is sent.
sessionID=$(curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--data '{"userName": "administrator", "password": "'"${PASSW}"'"}' \
--request POST ${OneView}/rest/login-sessions | jq -r ".sessionID")
echo "Your current session ID is: ${sessionID}
This ID will last for 24 hours. The current API version is: ${currentVersion}."
Then, connect to active directory:
# Follow instructions in: OneView-API_Get_Session_Credentials.txt
# First, need to import root certificate of our organization.
# Flatten the PEM into one line with literal "\n" separators, which is the form base64Data expects.
ROOTB=$(curl --insecure https://our.org/ca_certs/base64/pkiroot.cer 2>/dev/null | awk 'NF {sub(/\r/,""); printf "%s\\n",$0}' 2>/dev/null)
ROOTB=${ROOTB%'\n'}
# The JSON body is single-quoted, so each shell variable has to be spliced in as '"${VAR}"'.
ROOTCA=$(curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--data '{ "members": [{ "type": "CertificateAuthorityInfo", "certificateDetails": { "base64Data": "'"${ROOTB}"'", "aliasName": "Our_Org", "type": "CertificateDetailV2"}}], "type": "CertificateAuthorityInfoCollection" }' \
--request POST ${OneView}/rest/certificates/ca | jq -r '.uri')
# Can check the import status with:
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--request GET ${OneView}${ROOTCA} | jq -r '.'
# To see a list of all of the CAs:
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--request GET ${OneView}/rest/certificates/ca | jq -r '.'
# Need the host name and IP address of one of our domain controllers.
# Can get this by pinging our domain name (field 4 of the reply line is the responding host name):
DC=$(ping -c1 our.org | grep icmp_seq | awk '{ print $4 }')
DCIP=$(/usr/bin/dig +noall +answer ${DC} | awk '{ print $5 }')
echo "Found a domain controller at: ${DC} : ${DCIP}"
# We need the server certificate from that domain controller in a single line.
# s_client needs -connect; piping through openssl x509 keeps only the certificate block and drops the connection chatter.
CHQ=$(echo | openssl s_client -connect ${DC}:636 2>/dev/null | openssl x509 | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}')
# Need to use admin account and password in the AD domain
USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
# Add OneView to AD (USER_ACCOUNT: the credentials are used for this call only and are not stored on the appliance):
curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--data '{ "type": "LoginDomainConfigV600", "directoryBindingType": "USER_ACCOUNT", "name": "CentrifyHQ", "credential": { "userName": "'"${USER}"'", "password": "'"${PASSW}"'"}, "authProtocol": "AD", "baseDN": "dc=mycorp,dc=com", "userNamingAttribute": "CN", "orgUnits": [], "directoryServers":[{ "directoryServerCertificateBase64Data": "'"${CHQ}"'", "directoryServerIpAddress": "'"${DCIP}"'", "directoryServerSSLPortNumber": "636", "type": "LoginDomainDirectoryServerInfoDto" }], "authnType": "CREDENTIAL" }' \
--request POST ${OneView}/rest/logindomains | jq -r '.'
Then make your AD group to OneView role mappings:
# Need to use admin account and password in the AD domain
USER='myADlogin'
PASSW='myADpassw0rd'
ADD="ADHQ"
#
# Retrieve a listing of groups from AD:
curl --insecure \
--header "content-type: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--data '{ "authLoginDomain":"'${ADD}'", "password":"'${PASSW}'", "userName":"'${USER}'" }' \
--request POST ${OneView}/rest/logindomains/groups | jq -r '.'
#
# To retrieve any current role mappings:
curl --insecure \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--request GET ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'
#
# To assign a group to a role:
DN="MyGroup_OneView"
OVGROUP="Infrastructure administrator"
DATA='{ "credentials": { "userName": "'${USER}'", "password": "'${PASSW}'" }, "group2PermissionPerGroup": { "egroup": "'${DN}'", "loginDomain": "'${ADD}'", "permissions": [{ "roleName": "'${OVGROUP}'" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }'
echo "Mapping ${DN} to ${OVGROUP} group using this data:"
echo "${DATA}" | jq -r '.'
# Assign users in MyGroup_OneView to the Infrastructure administrator role:
curl --insecure \
--header "content-type: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--data "${DATA}" \
--request POST ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'
#
# Repeat for read-only group:
DN="ReadGroup_OneView"
OVGROUP="Read only"
DATA='{ "credentials": { "userName": "'${USER}'", "password": "'${PASSW}'" }, "group2PermissionPerGroup": { "egroup": "'${DN}'", "loginDomain": "'${ADD}'", "permissions": [{ "roleName": "'${OVGROUP}'" }], "type": "LoginDomainGroupPermission" }, "type": "LoginDomainGroupCredentials" }'
echo "Mapping ${DN} to ${OVGROUP} group using this data:"
echo "${DATA}" | jq -r '.'
# Assign users in ReadGroup_OneView to the Read only role (same POST as above):
curl --insecure \
--header "content-type: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--data "${DATA}" \
--request POST ${OneView}/rest/logindomains/grouptorolemapping | jq -r '.'
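The same two pieces of the procedure above, written as an added example rather than the poster's script: the group-to-role body is built with json.dumps, so a password containing a quote cannot break the JSON the way hand-spliced shell quoting can, the domain controller certificate is cut out of raw s_client output before being flattened, and a small review helper lists which AD groups hold the Infrastructure administrator role (the shape of the GET /rest/logindomains/grouptorolemapping response is assumed to mirror the POST body).

```python
import json
import re

# Constructed sample of `openssl s_client -connect dc:636` output: the PEM
# block sits between connection chatter that must not reach the API.
SAMPLE_S_CLIENT = """CONNECTED(00000003)
depth=0 CN = dc1.our.org
-----BEGIN CERTIFICATE-----
MIIBsampleLineOne
MIIBsampleLineTwo
-----END CERTIFICATE-----
---
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def pem_single_line(raw: str) -> str:
    """Keep only the first PEM certificate, lines joined with literal '\\n' (the thread's single-line form)."""
    match = PEM_BLOCK.search(raw)
    if match is None:
        raise ValueError("no PEM certificate block in s_client output")
    lines = [ln.rstrip("\r") for ln in match.group(0).splitlines() if ln.strip()]
    return "\\n".join(lines)


def group_role_payload(user, password, login_domain, group, role) -> str:
    """Body for POST /rest/logindomains/grouptorolemapping; json.dumps escapes
    quotes and backslashes in every value, including the password."""
    return json.dumps({
        "credentials": {"userName": user, "password": password},
        "group2PermissionPerGroup": {
            "egroup": group,
            "loginDomain": login_domain,
            "permissions": [{"roleName": role}],
            "type": "LoginDomainGroupPermission",
        },
        "type": "LoginDomainGroupCredentials",
    })


def admin_groups(mapping_collection: dict) -> list:
    """Review helper (assumed response shape: members carrying egroup, loginDomain,
    permissions): return (loginDomain, egroup) pairs holding Infrastructure administrator."""
    found = []
    for member in mapping_collection.get("members", []):
        roles = {p.get("roleName") for p in member.get("permissions", [])}
        if "Infrastructure administrator" in roles:
            found.append((member.get("loginDomain"), member.get("egroup")))
    return found
```

Send the string from group_role_payload as the request body in place of the hand-built DATA variable; run admin_groups over the GET response after each change so the set of groups with full control stays deliberately small.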