Carsten_Weber
Contributor

mgmt_cli command needed to list all AD-Groups used in all Access Roles

Hi all,

while I am still fighting to list the content of a specific Access Role (AR) within another post of mine using this:
To get the domain ID in an MDM environment:
psql_client cpm postgres -c "select objid,name from domainbase_data where dlesession=0 and not deleted;"

To log in and create a session:
mgmt_cli login user "<myRADIUSuser>" password "<myRADIUSpin+CURRENTtokenCODE>" > sid.txt.$$

To reuse the session and execute commands related to a specific domain (ID from above):
mgmt_cli -s sid.txt.$$ -d <domain_ID> show access-role name "<Access_Role_name>"

...I also need to list all AD groups used in any AR in general (not the ARs themselves).

Does someone have an idea and could give me a hint? There was a command in R77.30 to do exactly that: list all AD groups used. Unfortunately I have to do it again, but now in R80.30. Listing all ARs would not help as such.

I'm not a pro in scripting. A one-liner that could be used with mgmt_cli would be great.
I am just about able to utilize a filter as well: | $CPDIR/jq/jq '<filter_terms>'

For some reason, when trying to list at least the ARs I get this:
mgmt_cli -s sid.txt.$$ -d <domain_ID> show access-roles
objects: []
total: 0


I do need this to replace Active Directory Groups with new ones as we are migrating into another Active Domain. The result of the above query would feed into a Firewall Change Request to replace each Group with the new one accordingly. This way we won't miss anything.

I'm lost 🙄
Thanks in advance for your thoughts

regards
Carsten


Accepted Solutions
Carsten_Weber
Contributor

Hello all,

I posted a solution under the following forum post: here

Thanks a lot for all the input that helped me work this out!

BR

Carsten

7 Replies
PhoneBoy
Admin
Remember, whether you use "mgmt" from clish or "mgmt_cli" from expert, you need to log in to create a session.
It's in this command where you specify which domain you want to query, not the subsequent show access-roles.
The session ID will determine what CMA is being queried.
Not sure what happens on MDS if you use clish to log in and you don't specify the domain, but I'm guessing it's the global domain, which obviously won't have these access roles defined.
Maarten_Sjouw
Champion
When you want to use a one-liner from expert, you can update your command like this:
mgmt_cli -r true -d <domain_ID> show access-role name "<Access_Role_name>"
-r true uses the root privs and will only execute this command and log out again.
Regards, Maarten
Carsten_Weber
Contributor

Thanks, I am aware of the login through your responses to the other post.

To make this clearer, I added it to my post above just now.

Maarten_Sjouw
Champion
But again you are making the same mistake: you cannot use -d <domain> on a normal command line; it can only be used on the login line:
mgmt_cli login user "<myRADIUSuser>" password "<myRADIUSpin+CURRENTtokenCODE>" -d <domain> > sid.txt
mgmt_cli -s sid.txt show access-role name "<Access_Role_name>"
mgmt_cli logout -s sid.txt

You achieve the same by using:
mgmt_cli -r true -d <domain> show access-role name "<Access_Role_name>"
Regards, Maarten
Carsten_Weber
Contributor

Ah, I now understand, ok. I'll try that. I must have done it like that by accident the first time it was working for another command.

PhoneBoy
Admin
It goes back to what I explained last week here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Showing-existing-Access-Role-resu...

To work with mgmt_cli/mgmt you have to operate the way the API expects.
-r true is a "shortcut" that handles all the steps for you.
-r true requires --domain in an MDS environment to ensure you are working on the correct domain.
Otherwise, the only time you specify the domain is as part of the login process.
Note that a session can only operate within a single domain.
Make sense?

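Putting the thread's two pieces together, as an added example that is not code from the thread or from Check Point: the session handling the replies settle on (domain bound at login, later calls reuse the session via -s, then logout) and the part the original question asks for, collecting every AD group referenced by any Access Role so the list can feed the change request. It parses the JSON that `mgmt_cli show access-roles details-level full --format json` returns. The sample output embedded below is constructed, and its field layout ("objects" holding roles, each with a "users" list whose entries carry the group "name" and AD "source") is an assumption about the API's JSON, so compare it with real output from your own management server before trusting the field names. The group and role names are placeholders.

```python
"""Added example (not from the thread or Check Point): list the distinct AD
groups used by all Access Roles from mgmt_cli JSON output, grouped by role.

ASSUMPTION: the constructed sample only mirrors the API's JSON in outline
(roles under "objects", each with a "users" list of {"name", "source"}).
Check the field names against the real output of your management server.
"""
import json
import shlex


def session_commands(domain, user, password, sid_file="sid.txt"):
    """Command lines in the order the thread arrives at: the domain is bound
    at login, every later call reuses the session with -s, and the session is
    closed with logout. Values are shell-quoted so placeholders like <x> survive."""
    login = (f"mgmt_cli login user {shlex.quote(user)} "
             f"password {shlex.quote(password)} -d {shlex.quote(domain)} > {sid_file}")
    # Collection results are paged; limit 500 is the API's maximum, so a domain
    # with more roles needs further calls with a larger offset.
    show = (f"mgmt_cli -s {sid_file} show access-roles details-level full "
            f"limit 500 offset 0 --format json")
    logout = f"mgmt_cli -s {sid_file} logout"
    return [login, show, logout]


# Constructed sample of what the show command might return (shape assumed).
SAMPLE_OUTPUT = json.dumps({
    "objects": [
        {"name": "AR_Finance", "type": "access-role",
         "users": [{"name": "ad_group_Finance_Users", "source": "AD_OLD"},
                   {"name": "ad_group_Finance_Admins", "source": "AD_OLD"}]},
        {"name": "AR_IT", "type": "access-role",
         "users": [{"name": "ad_group_Finance_Admins", "source": "AD_OLD"},
                   {"name": "ad_group_IT_Ops", "source": "AD_OLD"}]},
        {"name": "AR_AnyUser", "type": "access-role", "users": "any"},
    ],
    "from": 1, "to": 3, "total": 3,
})


def ad_groups_by_role(raw_json):
    """Map each (source, group name) to the sorted list of roles that use it.
    A non-list "users" value (e.g. the keyword "any") references no group."""
    usage = {}
    for role in json.loads(raw_json).get("objects", []):
        users = role.get("users", [])
        if not isinstance(users, list):
            continue
        for entry in users:
            if isinstance(entry, dict):
                key = (entry.get("source", ""), entry.get("name", ""))
            else:  # tolerate plain-string entries as well
                key = ("", str(entry))
            if key[1]:
                usage.setdefault(key, set()).add(role["name"])
    return {key: sorted(roles) for key, roles in usage.items()}


def distinct_groups(raw_json):
    """The flat, de-duplicated list of group names the question asks for."""
    return sorted({name for (_, name) in ad_groups_by_role(raw_json)})


def change_request_rows(raw_json, rename):
    """One row per role/group pair: (role, old group, replacement).
    `rename` maps old group names to the new domain's names; a group without
    a mapping is flagged so the change request cannot silently miss it."""
    rows = []
    for (_, name), roles in sorted(ad_groups_by_role(raw_json).items()):
        for role in roles:
            rows.append((role, name, rename.get(name, "TODO: no mapping")))
    return rows


if __name__ == "__main__":
    for line in session_commands("<domain_ID>", "<myRADIUSuser>", "<pin+tokencode>"):
        print(line)
    print(distinct_groups(SAMPLE_OUTPUT))
    for row in change_request_rows(SAMPLE_OUTPUT, {"ad_group_IT_Ops": "NEWDOM_IT_Ops"}):
        print(*row, sep="\t")
```

In use, the output of the show command is saved to a file and passed to `ad_groups_by_role` instead of `SAMPLE_OUTPUT`; the thread's `$CPDIR/jq/jq` filter is replaced here by Python so the de-duplication and the old-to-new mapping live in one place.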
