Are there plans to implement API calls for LDAP account units?
I'm hoping to automate updating the service account password used to authenticate to the domain controller in an AD Query setup.
Or is there an 'unsupported' way to do this with the generic-object API?
You can probably do this with dbedit, but I wouldn't recommend going that route.
In case you haven't seen it, LDAP/AU objects are listed in the following thread along with other operations that can't be performed through the Management API, and must instead be accomplished through the SmartConsole/SmartDashboard:
@Omer_Kleinstern any insights?
We do not currently support LDAP Account units in Management API, it is in the future plans.
Unfortunately, it is not possible to do via generic-object API.
May I guess? Not supported even with R81?
Thank you for the feedback. We'll have to make a manual routine then.
I would make a movie of this process but it would hit the top 10 - how to waste time doing nothing useful charts.
When you define the LDAP server you need to first have an object defined. Then the object is selected from a drop-down list with no filter/search (think of a customer that has 20000 objects defined) and how you can choose just the starting letter. If the starting letter is for example naming convention for location and it is an A, how many scrolls is that?
Try to do this with countless Smart Console jams and blocks with maybe 5 min waiting time.
Then think of the customer having multiple geographies and 30+ AD Servers to add.
This takes me roughly 2 days to complete and hope that the Smart Console does not go "Not Responding" permanently.
Do try this, then please escalate and solve it. I will post the recording in a few days, it will be fun.
I will name the relevant host object starting with "aaaaa", so it will be very first in the drop-down menu. Once selected and published, rename the "aaaaa" host object to your desired name based on naming convention.
Hi Omer,
>it is in the future plans
Any news about this?
Is it possible in R81.10 or R81.20 API to create LDAP Account Units?
Doesn't appear possible in the latest R81.20/v1.9 API, see my post here:
Functionality - Mgmt API vs. SmartConsole - Revisited for R81.20/v1.9
Not in R81.10 or R81.20.
I recommend engaging with your local Check Point office around this requirement.
In case anyone is interested:
Since the whole thing still hasn't been implemented, I did it all via psql_client and discovered in the process that you can also spit out the psql results nicely via json.
psql_client cpm postgres -t -c "SELECT json_agg(row_to_json(t)) FROM (SELECT name, objid as uid, domainid FROM dleobjectderef_data WHERE cpmitype = 'ldap_au' AND dlesession = 0 AND NOT deleted) t;" | jq .
If I could now send the whole thing to management with the run script, which either doesn't work or I haven't managed to do yet, then I would have a nice API workaround.
This works on multi-domain management. Due to a lack of standard management, I was unable to test it on such a system.
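Added example, not part of the original posts and not Check Point code: one way to consume the output of the query above once it has been captured (for instance over SSH). It handles the case where no LDAP account units exist, because `json_agg` over zero rows returns SQL NULL and `psql -t` then prints only an empty line. The function names and the sample names and UUIDs are constructed for illustration.

```python
import json
from collections import defaultdict

# Columns selected by the query in the post above.
REQUIRED_KEYS = ("name", "uid", "domainid")


def parse_ldap_au_output(raw):
    """Turn the captured stdout of the json_agg query into a list of dicts."""
    text = raw.strip()
    # json_agg() over zero rows is SQL NULL; psql -t prints that as a blank line,
    # and jq would pass a literal null through unchanged.
    if not text or text == "null":
        return []
    rows = json.loads(text)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of account units")
    for row in rows:
        if not isinstance(row, dict):
            raise ValueError("expected each array element to be an object")
        missing = [k for k in REQUIRED_KEYS if k not in row]
        if missing:
            raise ValueError("row is missing keys: " + ", ".join(missing))
    return rows


def group_by_domain(rows):
    """Map each domainid to the sorted names of its LDAP account units."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["domainid"]].append(row["name"])
    return {domain: sorted(names) for domain, names in grouped.items()}


# Constructed sample output (psql -t adds leading whitespace and a trailing blank line).
SAMPLE_OUTPUT = """
 [{"name":"AU_Example_EMEA","uid":"00000000-0000-0000-0000-0000000000a1","domainid":"00000000-0000-0000-0000-0000000000d1"},
  {"name":"AU_Example_AMER","uid":"00000000-0000-0000-0000-0000000000a2","domainid":"00000000-0000-0000-0000-0000000000d1"},
  {"name":"AU_Example_APAC","uid":"00000000-0000-0000-0000-0000000000a3","domainid":"00000000-0000-0000-0000-0000000000d2"}]

"""

if __name__ == "__main__":
    for domain, names in group_by_domain(parse_ldap_au_output(SAMPLE_OUTPUT)).items():
        print(domain, names)
```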
When I was looking at the new API calls supported by R82.10 and R82 JHF 41, I did see API support was added for creating LDAP Groups via the API.
This is not the same as creating the LDAP Account Units themselves, obviously, but it's a step in the right direction.
Given the last couple of maintrain releases (R82, R82.10) have added API support for a lot of legacy object types, the push to make SmartConsole Web usable by the vast majority of our customers for their day-to-day tasks, and LDAP Account Units are an important object type for on-premise Identity Awareness setups, I suspect we will have a formal API for LDAP AUs in a coming release.
Thank you for this update.
I don't need to create an au, displaying would be enough for now.
But I understand that this takes a long time, and my project also works with the json from psql_client retrieved via ssh.
Glad you found something workable, which of course could be wrapped in a run-script API call. 🙂