topic Re: API for LDAP Account units in API / CLI Discussion

API for LDAP Account units

Sigbjorn — Thu, 28 May 2020 09:08:27 GMT

Are there plans to implement API calls for LDAP account units?

I'm hoping to automate updating the service account password used to authenticate to the domain controller in a AD Query setup.

Or is there an 'unsupported' way to do this with the generic-object api ?

Re: API for LDAP Account units

Timothy_Hall — Thu, 28 May 2020 14:05:59 GMT

You can probably do this with dbedit, but I wouldn't recommend going that route.

In case you haven't seen it, LDAP/AU objects are listed in the following thread along with other operations that can't be performed through the Management API, and must instead be accomplished through the SmartConsole/SmartDashboard:

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Functionality-API-vs-SmartConsole/td-p/57563

Re: API for LDAP Account units

PhoneBoy — Sun, 31 May 2020 05:03:17 GMT

@Omer_Kleinstern any insights?

Re: API for LDAP Account units

Omer_Kleinstern — Mon, 01 Jun 2020 16:40:27 GMT

We do not currently support LDAP Account units in Management API, it is in the future plans.

Unfortunately, it is not possible to do via generic-object API.

Re: API for LDAP Account units

JozkoMrkvicka — Mon, 01 Jun 2020 16:57:19 GMT

May I guess? not supported even with R81 ?

Re: API for LDAP Account units

PhoneBoy — Mon, 01 Jun 2020 17:52:19 GMT

It wasn't listed in the R81 EA notes at least.

Re: API for LDAP Account units

Sigbjorn — Tue, 02 Jun 2020 07:44:58 GMT

Thank you for the feedback.. We'll have to make a manual routine then.

Re: API for LDAP Account units

cezar_varlan1 — Mon, 12 Dec 2022 11:36:11 GMT

I would make a movie of this process but it would hit the top 10 - how to waste time doing nothing useful charts.

When you define de LDAP server you need to first have an object defined. Then the object is selected from a drop-down list with no filter/search (think of a customer that has 20000 objects defined) and how you can choose just the starting letter. If the starting letter is for example naming convention for location and it is an A, how many scrolls is that?

Try to do this with countless Smart Console jams and blocks with maybe 5 min waiting time.

Then think of the customer having multiple geographies and 30+ AD Servers to add.

This takes me roughly 2 days to complete and hope that the Smart Console does not go "Not Responding" permanently.

Re: API for LDAP Account units

cezar_varlan1 — Mon, 12 Dec 2022 11:37:17 GMT

Do try this, then please escalate and solve it. I will post the recording in a few days, it will be fun.

Re: API for LDAP Account units

JozkoMrkvicka — Mon, 12 Dec 2022 21:34:34 GMT

I will name the relevant host object starting with "aaaaa", so it will be very first in the drop-down menu. Once selected and published, rename the "aaaaa" host object to your desired name based on naming convention.

Re: API for LDAP Account units

pmo — Tue, 30 May 2023 06:39:58 GMT

Hi Omer,

>it is in the future plans

Any news about this?

Is it possible in R81.10 or R81.20 API to create LDAP Account Units?

Re: API for LDAP Account units

Timothy_Hall — Tue, 30 May 2023 18:41:10 GMT

Doesn't appear possible in the latest R81.20/v1.9 API, see my post here:

Functionality - Mgmt API vs. SmartConsole - Revisited for R81.20/v1.9

Re: API for LDAP Account units

PhoneBoy — Tue, 30 May 2023 18:45:56 GMT

Not in R81.10 or R81.20.
I recommend engaging with your local Check Point office around this requirement.

Re: API for LDAP Account units

Vincent_Bacher — Sun, 22 Feb 2026 11:24:51 GMT

In case anyone is interested:
Since the whole thing still hasn't been implemented, I did it all via psql_client and discovered in the process that you can also spit out the psql results nicely via json.

psql_client cpm postgres -t -c ‘SELECT json_agg(row_to_json(t)) FROM (SELECT name, objid as uid, domainid FROM dleobjectderef_data WHERE cpmitype = “ldap_au” AND dlesession = 0 AND NOT deleted) t;’ | jq .

If I could now send the whole thing to management with the run script, which either doesn't work or I haven't managed to do yet, then I would have a nice API workaround.

This works on multi-domain management. Due to a lack of standard management, I was unable to test it on such a system.

Re: API for LDAP Account units

PhoneBoy — Mon, 23 Feb 2026 17:12:27 GMT

When I was looking at the new API calls supported by R82.10 and R82 JHF 41, I did see API support was added for creating LDAP Groups via the API.
This is not the same as creating the LDAP Account Units themselves, obviously, but it's a step in the right direction.

Given the last couple of maintrain releases (R82, R82.10) have added API support for a lot of legacy object types, the push to make SmartConsole Web usable by the vast majority of our customers for their day-to-day tasks, and LDAP Account Units are an important object type for on-premise Identity Awareness setups, I suspect we will have a formal API for LDAP AUs in a coming release.

Re: API for LDAP Account units

Vincent_Bacher — Mon, 23 Feb 2026 17:26:00 GMT

Thank you for this update.

I don't need to create an au, displaying would be enough for now.
But I understand that this takes a long time, and my project also works with the json from psql_client retrieved via ssh.

Re: API for LDAP Account units

PhoneBoy — Mon, 23 Feb 2026 21:40:14 GMT

Glad you found something workable, which of course could be wrapped in a run-script API call. 🙂