topic Re: mgmt_cli command needed to list all AD-Groups used in all Access Roles in API / CLI Discussion

mgmt_cli command needed to list all AD-Groups used in all Access Roles

Carsten_Weber — Sat, 07 Mar 2020 15:41:00 GMT

Hi all,

while I am still fighting to list the content of a specific Access Role (AR) within an other post of mine using this:
To get the doamin ID in an MDM environment:
psql_client cpm postgres -c"select objid,name from domainbase_data where dlesession=0 and not deleted;"

To log in an create a session:
mgmt_cli login user "<myRADIUSuser>" password "<myRADIUSpin+CURRENTtokenCODE>" > sid.txt.$$

To resuse the session and execute commands related to a specific domain (ID from above):
mgmt_cli -s sid.txt.$$ -d <domain_ID> show access-role name "<Access_Role_name>"

...I also need to list alle AD-Groups used in any AR in general (not the ARs them self).

Does someone have an idea and could give me a hint? There was a command in R77.30 to do exactly that: list alle AD-Groups used. Unfortunately I have to do it again but now in R80.30. Listing all ARs would not help as such.

I'm not a pro in scripting. A oneliner that could be used with mgmt_cli would be great.
I am just about able to utilize a filter as well" | $CPDIR/jq/jq '<filter_terms>' "

For some reason, when trying to list at least the ARs I get this:
mgmt_cli -s sid.txt.$$ -d <domain_ID> show access-roles
objects: []
total: 0

I do need this to replace Active Directory Groups with new ones as we are migrating into another Active Domain. The result of the above query would feed into a Firewall Change Request to replace each Group with the new one accordingly. This way we won't miss anything.

I'm lost 🙄
Thanks in advance for your thoughts

regards
Carsten

Re: mgmt_cli command needed to list all AD-Groups used in all Access Roles

PhoneBoy — Sat, 07 Mar 2020 07:18:18 GMT

Remember to use "mgmt" from clish or "mgmt_cli" from expert, you need to login to create a session.
It's in this command where you specify which domain you want to query, not the subsequent show access-roles.
The session ID will determine what CMA is being queried.
Not sure what happens on MDS if you use clish to log in and you don't specify the domain, but I'm guessing it's the global domain, which obviously won't have these access roles defined.

Re: mgmt_cli command needed to list all AD-Groups used in all Access Roles

Maarten_Sjouw — Sat, 07 Mar 2020 08:01:19 GMT

When you want to use a oneliner from expert you can update your command like this:
mgmt_cli -r true -d <domain_ID> show access-role name "<Access_Role_name>"
-r true uses the root privs and will only execute this command and logout again.

Re: mgmt_cli command needed to list all AD-Groups used in all Access Roles

Carsten_Weber — Sat, 07 Mar 2020 13:17:47 GMT

Thanks, I am aware of the login through your responses to the ohter post.

To make this more clear I did added it to my post above just now.

Re: mgmt_cli command needed to list all AD-Groups used in all Access Roles

Maarten_Sjouw — Sat, 07 Mar 2020 15:36:55 GMT

But again you are making the same mistake, you cannot use a -d <domain> on a normal command line, this can only be used on the login line:
mgmt_cli login user "<myRADIUSuser>" password "<myRADIUSpin+CURRENTtokenCODE> -d <domain> > sid.txt
mgmt_cli -s sid.txt show access-role name "<Access_Role_name>"
mgmt_cli logout -s sid.txt

You achieve the same by using:
mgmt_cli -r true -d <domain> show access-role name "<Access_Role_name>"

Re: mgmt_cli command needed to list all AD-Groups used in all Access Roles

Carsten_Weber — Sat, 07 Mar 2020 15:40:15 GMT

Ah, I now understand, ok. I'll try that. I must have done it like that by accident the first time it was working for another command.

Re: mgmt_cli command needed to list all AD-Groups used in all Access Roles

PhoneBoy — Sat, 07 Mar 2020 22:27:05 GMT

It goes back to what I explained last week here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Showing-existing-Access-Role-results-in-error/m-p/76609/highlight/true#M4473

To work with mgmt_cli/mgmt you have to operate the way the API expects.
-r true is a "shortcut" that handles all the steps for you.
-r true requires --domain in an MDS environment to ensure you are working on the correct domain.
Otherwise, the only time you specify the domain as part of the login process.
Note that a session can only operate within a single domain.
Make sense?

Re: mgmt_cli command needed to list all AD-Groups used in all Access Roles

Carsten_Weber — Fri, 22 May 2020 14:54:26 GMT

Hello all,

I posted a solution under the following forum post: here

Thanks a lot for all the imput that helped me working this out!

Carsten