Ivo_Hrbacek
Nickel

users via API

Hi guys,
I would like to ask if there are some plans to include handling users via API in future releases (local account creation, certificate generation, etc.)? Now there is no such possibility via API and I think it could be very handy when migrating from different platforms.

thx for info

19 Replies
Employee++

Re: users via API

Hi Ivo,

Yes, there are plans to support User objects via API.

Unfortunately, I cannot provide estimations for release version/date at this moment.

Robert.

Re: users via API

Hi

This is also a feature I would like. Is there any update on when it may be included?

thanks

Paul

0 Kudos
Employee++

Re: users via API

Hi Paul,

Our R&D is working to provide full support for user creation with standard API commands.

Meanwhile, you can use this thread to create users with a non-standard approach:

https://community.checkpoint.com/docs/DOC-2844

Robert.

Re: users via API

Thanks Robert, appreciate the speedy response.

We have an audit requirement to send a list of users that are contained within a specific user group monthly. It sounds like an easy request but so far I am failing. I'm no API / JSON expert by the way. Do you know if there's a simple way to do this?

0 Kudos
Employee++

Re: users via API

This bash script expects a user group name as its parameter, and creates a text file with this name containing all user names:

#!/bin/bash

JQ=${CPDIR}/jq/jq   # jq binary under $CPDIR

GROUP_NAME=$1
USERS_FILE="users.json"
USER_FILE="user.json"
USER_NAMES_FILE="$GROUP_NAME.txt"

> "$USER_NAMES_FILE"   # start with an empty output file

mgmt_cli -r true show generic-objects name "$GROUP_NAME" details-level full -f json > "$USERS_FILE"
if [ $? -ne 1 ]; then
  USERS_UIDS=($("$JQ" -r '.objects[] | .emptyFieldName[] | .' "$USERS_FILE"))   # UIDs of the group's members
  for USER_UID in "${USERS_UIDS[@]}"; do
    echo 'User UID: '"$USER_UID"
    mgmt_cli -r true show generic-object uid "$USER_UID" -f json > "$USER_FILE"   # look up one member
    if [ $? -ne 1 ]; then
      USER_NAME=$("$JQ" -r '.name' "$USER_FILE")   # plain string, so names with spaces stay whole
      echo 'User Name: '"$USER_NAME"
      echo "$USER_NAME" >> "$USER_NAMES_FILE"
    fi
  done
fi

You should run it on your management server.

Robert.

Re: users via API

Thanks again Robert

I took the script. Copied it onto my Mgt Server (/home/admin). Renamed it as Users_in_group.sh. Did a chmod to allow for execution (777).

In expert mode ran as "./Users_in_group.sh  Our-Group-name-var"

And got "/Users_in_group: cannot execute binary file" error message.

Excuse my lack of knowledge here but am I doing something wrong?

0 Kudos
Employee++

Re: users via API

Run dos2unix on it before the execution.

Re: users via API

Apologies Robert - I was offsite the last week. I tried it there and it's working for me a treat. Thanks so much for your help.

Paul

Re: users via API

One more thing Robert - It runs fine from the command line as admin.  When I try to schedule the command via job scheduler on GAIA www GUI it gives me the following errors.

Any ideas?  It's the same user running the same command in both cases.  Maybe it's shell related?

The scheduled job is to run this command (your script is called Usergplist.sh)

 ./Usergplist.sh treas_users

The job fails with the following output:

./Usergplist.sh: line 12: mgmt_cli: command not found

./Usergplist.sh: line 14: /jq/jq: No such file or directory

0 Kudos
Employee++

Re: users via API

Did you apply the chmod 777 on the script?

0 Kudos

Re: users via API

Hi Robert

Yes I did. The script works fine directly from SSH command line. It only fails, as above, via job scheduler on Web Interface.

The job scheduler command syntax is also exactly the same via SSH command line and Web interface.

Any ideas?

0 Kudos
Employee++

Re: users via API

Hi Paul,

I've no idea how the job scheduler works.

Maybe Dameon Welch Abernathy can assist here.

Robert.

Admin

Re: users via API

That's because certain environment variables aren't set when you run via cron/job scheduler that ARE set when run from the CLI.

From the above:

  1. mgmt_cli isn't in the command execution path (replace with /opt/CPshrd-R80/bin/mgmt_cli)
  2. $CPDIR isn't defined (replace with /opt/CPshrd-R80)

Re: users via API

Thanks Dameon & Robert Decker

I have now modified the script as below but am now getting a different error. I don't even see how this shared library is being called by the script. Reckon this is hopefully the last hurdle!

Just to confirm, the script still runs fine from CLI.

Error from Job scheduler:

/opt/CPshrd-R80/bin/mgmt_cli: error while loading shared libraries: libmgmt_cli_utils.so: cannot open shared object file: No such file or directory

Adjusted script:

#!/bin/sh

JQ=/opt/CPshrd-R80/jq/jq

GROUP_NAME=$1
USERS_FILE="users.json"
USER_FILE="user.json"
USER_NAMES_FILE="$GROUP_NAME.txt"

> $USER_NAMES_FILE

/opt/CPshrd-R80/bin/mgmt_cli -r true show generic-objects name $GROUP_NAME details-level full -f json > $USERS_FILE
if [ $? -ne 1 ]; then
  USERS_UIDS=($($JQ -r '.objects[] | .emptyFieldName[] | .' $USERS_FILE))
  for USER_UID in ${USERS_UIDS[@]}; do
    echo 'User UID: '"$USER_UID"
    /opt/CPshrd-R80/bin/mgmt_cli -r true show generic-object uid $USER_UID -f json > $USER_FILE
    if [ $? -ne 1 ]; then
      USER_NAME=($($JQ -r '.name' $USER_FILE))
      echo 'User Name: '"$USER_NAME"
      echo $USER_NAME >> $USER_NAMES_FILE
    fi
  done
fi

0 Kudos
Employee++

Re: users via API

Hi Paul,

The libmgmt_cli_utils.so library is used internally by mgmt_cli tool.

It is located in - "/opt/CPshrd-R80/lib" folder. You have to reference this folder too in your command execution path.

Robert.

0 Kudos

Re: users via API

Hi Robert

I have played around with this for a while with no luck.

Is this what you mean below?  I doubt it...  it doesn't look right to me and I'm a complete novice.  If so - it's still failing with the same error.

Sorry about this - how should the "/opt/CPshrd-R80/lib/" be included in the command execution path?

Thanks again

#!/bin/sh

JQ=/opt/CPshrd-R80/jq/jq

GROUP_NAME=$1
USERS_FILE="users.json"
USER_FILE="user.json"
USER_NAMES_FILE="$GROUP_NAME.txt"

> $USER_NAMES_FILE

/opt/CPshrd-R80/bin/mgmt_cli -r true show /opt/CPshrd-R80/lib/generic-objects name $GROUP_NAME details-level full -f json > $USERS_FILE
if [ $? -ne 1 ]; then
  USERS_UIDS=($($JQ -r '.objects[] | .emptyFieldName[] | .' $USERS_FILE))
  for USER_UID in ${USERS_UIDS[@]}; do
    echo 'User UID: '"$USER_UID"
    /opt/CPshrd-R80/bin/mgmt_cli -r true show /opt/CPshrd-R80/lib/generic-object uid $USER_UID -f json > $USER_FILE
    if [ $? -ne 1 ]; then
      USER_NAME=($($JQ -r '.name' $USER_FILE))
      echo 'User Name: '"$USER_NAME"
      echo $USER_NAME >> $USER_NAMES_FILE
    fi
  done
fi

0 Kudos
Admin

Re: users via API

In your script, include the following line before any commands are executed:

source /opt/CPshrd-R80/tmp/.CPprofile.sh

This should set all the necessary variables.

(Note this may need to be changed after major upgrades)

Then you can do the mgmt_cli commands without paths (e.g. mgmt_cli -r true show generic-objects name $GROUP_NAME details-level full -f json > $USERS_FILE)
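
The scheduler fix above, combined with the group-listing script from earlier in the thread, as an added example that is not part of any poster's reply. The profile path and the mgmt_cli queries are the ones quoted in the thread; the function names, the CP_PROFILE override and the optional output-file argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: scheduler-safe variant of the thread's group-listing script.
# Profile path is the one quoted in the thread; override CP_PROFILE elsewhere.
CP_PROFILE="${CP_PROFILE:-/opt/CPshrd-R80/tmp/.CPprofile.sh}"

# Load the variables a login shell has but a scheduled job lacks.
load_cp_env() {
    [ -r "$1" ] || { echo "profile not readable: $1" >&2; return 1; }
    . "$1"
}

# Name every missing prerequisite up front instead of failing mid-run.
preflight() {
    missing=""
    command -v mgmt_cli >/dev/null 2>&1 || missing="$missing mgmt_cli"
    { [ -n "${CPDIR:-}" ] && [ -x "$CPDIR/jq/jq" ]; } || missing="$missing jq"
    [ -z "$missing" ] || { echo "missing:$missing" >&2; return 1; }
}

# Write the member names of group $1 to file $2 (same queries as the thread).
list_group_users() {
    jq="$CPDIR/jq/jq"
    tmp=$(mktemp) || return 1
    if ! mgmt_cli -r true show generic-objects name "$1" \
            details-level full -f json > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    : > "$2.new"
    # </dev/null keeps mgmt_cli from consuming the UID list on stdin.
    "$jq" -r '.objects[] | .emptyFieldName[] | .' "$tmp" | while read -r uid; do
        mgmt_cli -r true show generic-object uid "$uid" -f json \
            </dev/null > "$tmp.u" || continue
        "$jq" -r '.name' "$tmp.u" >> "$2.new"
    done
    rm -f "$tmp" "$tmp.u"
    mv "$2.new" "$2"    # replace the report only after a complete run
}

# Run only when a group name is supplied: script.sh GROUP [OUTFILE]
if [ -n "${1:-}" ]; then
    umask 077    # the report lists accounts; keep it private to the job's user
    load_cp_env "$CP_PROFILE" && preflight &&
        list_group_users "$1" "${2:-$1.txt}"
fi
```

Because a scheduled job does not start in the directory an interactive session does, passing an absolute output path as the second argument keeps the report in a known location.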

Re: users via API

Thanks Dameon - that's a very useful command. All working now. Thanks for all your help (& Robert too).

Paul

Re: users via API

Thank you for this! I hit the same well getting a script to run & found this point. Problem solved!