Tho
Contributor

Change Expiration Date Users

Hello, 

 

I would like to know how we can adjust the expiration date without going through all users one by one.

 

Thanks in advance. 

0 Kudos
PhoneBoy
Admin
0 Kudos
Tho
Contributor

We will test it, thank you. 

0 Kudos
Tho
Contributor

Hello PhoneBoy, 

 

This is what I get back when we are running the script: 

jq: error: Cannot iterate over null
Logout failed
Checking expiration time of all users...

What am I doing wrong? 

0 Kudos
PhoneBoy
Admin

What version/JHF of management are you running?
I believe the script requires R80.40 with the latest recommended JHF or above.

0 Kudos
Tho
Contributor

We are running R81.10 take 335.

 

 

0 Kudos
Tho
Contributor

This is the script we are using: 

 

#!/bin/bash
# Created by tvobruba
# version 001
# script is checking and changing expiration date for all internal users in CP MGMT database
# usage: chmod 700 && ./script.sh

date=1609459162000 #setup checked date in ms epoch time - 2020-12-31 16:45
new_date="2036-01-31" #setup new desired date in ISO format

# export list of users to file
mgmt_cli -r true show users --format json |jq '.objects[].name' > list.txt


echo "Checking expiration time of all users..."
echo -e "";
for user in `cat ./list.txt`; do

expiration=`mgmt_cli -r true show user name $user --format json |jq '."expiration-date".posix'`
echo User: $user, $expiration
echo ""

if [ $date \> $expiration ];
then
echo "$user will expire before 31.12.2020 23:55";
echo "Setting new expiration..."
echo ""
mgmt_cli -r true set user name $user expiration-date "$new_date" --format json
else
echo "$user will expire not before: `date -d @$( echo "($expiration + 500) / 1000" | bc)`";
fi;

done

rm -f ./list.txt

 

0 Kudos
PhoneBoy
Admin

What does the following command show?

mgmt_cli -r true show users --format json

Note this script may not work as-is (especially if you have more than 500 users) and will require modifications to get you the desired result.

0 Kudos
Tho
Contributor

This is what the command shows:

{
"code" : "generic_error",
"message" : "Error 404. The Management API service is not available. Please check that the Management API server is up and running."
}

Logout failed

I already checked the API service is up and running. 

When I run the command 'api status' it shows me this info:

When running mgmt_cli commands add '--port 4434'

We have close to 400 users at the moment. 

 

0 Kudos
Tho
Contributor

When I run the same command and I add --port 4434  at the end (mgmt_cli -r true show users --format json --port 4434) it shows me a bunch of users, so that works now. 

0 Kudos
PhoneBoy
Admin

If you've changed the default port, yes, you will have to modify the script accordingly as mgmt_cli assumes port 443 otherwise.

0 Kudos
Tho
Contributor

Ok, I modified the script a tiny bit:

#!/bin/bash
# Created by tvobruba
# version 001
# script is checking and changing expiration date for all internal users in CP MGMT database
# usage: chmod 700 && ./script.sh

date=1609459162000 #setup checked date in ms epoch time - 2020-12-31 16:45
new_date="2036-01-31" #setup new desired date in ISO format

# export list of users to file
mgmt_cli -r true show users --format json --port 4434 |jq '.objects[].name' > list.txt


echo "Checking expiration time of all users..."
echo -e "";
for user in `cat ./list.txt`; do

expiration=`mgmt_cli -r true show user name $user --format json --port 4434 |jq '."expiration-date".posix'`
echo User: $user, $expiration
echo ""

if [ $date \> $expiration ];
then
echo "$user will expire before 31.12.2020 23:55";
echo "Setting new expiration..."
echo ""
mgmt_cli -r true set user name $user expiration-date "$new_date" --format json
else
echo "$user will expire not before: `date -d @$( echo "($expiration + 500) / 1000" | bc)`";
fi;

done

rm -f ./list.txt

 

The script is now running and it's checking the expiration date of the users that start with letter a, b and c and then it stops. 

Example: 

"x" will expire not before: Sat Jan 31 00:00:00 CET 2026
User: "x", 1769814000000

"x" will expire not before: Sat Jan 31 00:00:00 CET 2026
User: "x", 1769814000000

"x" will expire not before: Sat Jan 31 00:00:00 CET 2026
User: "x", 1769814000000

"x" will expire not before: Sat Jan 31 00:00:00 CET 2026
User: "x", 1769814000000

"x" will expire not before: Sat Jan 31 00:00:00 CET 2026

We already changed the expiration date of some users to 31-1-2026 (manually). 

How to go from here? 

 

 

0 Kudos
PhoneBoy
Admin

I suspect you have more users than the result of "show users" will return on its own.
Which means you will need to make multiple calls to show users with the "offset" parameter to get all the users.
This exact issue was discussed here: https://community.checkpoint.com/t5/API-CLI-Discussion/Export-Users-with-Specific-Expiry-amp-and-Val... 

0 Kudos
Tho
Contributor

Script is working now, this got the job done: 

#!/bin/bash
# script is checking and changing expiration date for all internal users in CP MGMT database
# usage: chmod 700 script.sh && ./script.sh

date=1704037500139 # cutoff date in ms epoch time - 2023-12-31 16:45
new_date="2026-01-31" # new desired expiration date in ISO format

offset=0
echo "Checking expiration time of all users..."
echo ""
while true; do
    # fetch one page of 50 user names; -r prints them without the JSON quotes
    users_list=$(mgmt_cli -r true show users offset $offset limit 50 --format json --port 4434 | jq -r '.objects[].name')
    # jq prints nothing for an empty page, so an empty string means all users were processed
    if [ -z "$users_list" ]; then
        break
    fi
    for user in $users_list; do
        expiration=$(mgmt_cli -r true show user name "$user" --format json --port 4434 | jq -r '."expiration-date".posix')
        echo "User: $user, $expiration"
        echo ""

        # numeric comparison of the two ms epoch values
        if [ "$date" -gt "$expiration" ]; then
            echo "$user will expire before 31.12.2023 23:55"
            echo "Setting new expiration..."
            echo ""
            mgmt_cli -r true set user name "$user" expiration-date "$new_date" --format json --port 4434 > /dev/null
        else
            echo "$user will expire not before: $(date -d @$(echo "($expiration + 500) / 1000" | bc))"
        fi
    done
    offset=$((offset+50))
done

 

Thanks @PhoneBoy 

0 Kudos
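
The two points this thread turned on, paging with offset/limit until an empty page comes back and comparing ms-epoch expirations as numbers, shown as an added example that runs offline (not code from any poster in this thread). `fetch_page`, `expires_before`, `users_to_extend` and the sample records are hypothetical; `fetch_page` only stands in for a paged `show users` call.

```shell
#!/bin/sh
# Added example: page through a user list with offset/limit and pick the
# accounts whose expiration (ms epoch) is before a cutoff.

# Constructed sample data standing in for the management database:
# "name expiration-ms" per line ("null" = no expiration value returned).
SAMPLE_USERS='alice 1700000000000
bob 1769814000000
carol 999999999999
dave null
erin 1704037500138
frank 1769814000000
gina 1704037500139'

# Hypothetical stand-in for a paged "show users offset N limit M" call:
# prints at most M records starting after record N, nothing past the end.
fetch_page() {
    printf '%s\n' "$SAMPLE_USERS" | awk -v o="$1" -v l="$2" 'NR > o && NR <= o + l'
}

# True when the expiration is a number and numerically below the cutoff.
# A string test such as [ "$a" \> "$b" ] compares character by character,
# so it misorders values with different digit counts (carol above).
expires_before() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -lt "$2" ]
}

# Walk every page until an empty one comes back; print names to extend.
users_to_extend() {
    cutoff=$1 limit=$2 offset=0
    while page=$(fetch_page "$offset" "$limit"); [ -n "$page" ]; do
        printf '%s\n' "$page" | while read -r name exp; do
            if expires_before "$exp" "$cutoff"; then printf '%s\n' "$name"; fi
        done
        offset=$((offset + limit))
    done
}

# Cutoff from the thread, page size 3 so the sample spans several pages.
users_to_extend 1704037500139 3
```
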
Hugo_vd_Kooij
Advisor

This is how I took care of it automatically:

 

# Validate API status, exit 101 if not running
APISTATUS=`api status|grep 'API Status'|awk '{print $4}'`
if [ "$APISTATUS" != "Started" ]; then
echo "API Server is not available but $APISTATUS"
exit 101
fi

# Get API port, set MGMT CLI accordingly
APIPORT=`api status|grep "Gaia Port"|awk '{print $4}'`
MGMTCLI="mgmt_cli --port $APIPORT"  

 

So you can use the $MGMTCLI command on every SmartCenter.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Tho
Contributor

Thanks Hugo, will try this. 

0 Kudos
PhoneBoy
Admin

Clever!

0 Kudos