pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

New-PASUser missing "source" option #415

Closed SOS-DK closed 1 year ago

SOS-DK commented 1 year ago

Is your feature request related to a problem? Please describe.
I want to create a PAS transparent user via the Directory Mapping for my LDAP directory. But I cannot set "source=LDAP" as documented in the REST API here: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/SDK/API-AddUser-v10.htm

New-PASUser does not seem to have this option.

Describe the solution you'd like
Implement source in psPAS :-)

Describe alternatives you've considered
Adjust New-PASUser myself (although I do not have it working yet due to some syntax issue when creating the user).


pspete commented 1 year ago

Hi @SOS-DK

According to the documentation you provided the link to, source is not listed as a "body" parameter which can be included in a request to create a new user.

Can you elaborate on what you are trying to achieve?

SOS-DK commented 1 year ago

Hi Pete, and thanks for taking the time to reply back.

In short, I am trying to create a user via psPAS, that triggers the appropriate Directory Mapping and thereby inherits the user template from that Directory Mapping.

Long answer :-) Our standard is that anyone who is allowed via an AD group to log in to CyberArk gets their own personal safe. Today, permissions to that safe are assigned directly to the user, so once our script picks up a new user, we generate a shadow user via PoSHPACLI:

```powershell
Add-PVExternalUser -destUser $new_user -ldapDirectory $UserSync_LDAPDirectory -UpdateIfExists
```

Without having checked the inner workings, this command triggers the Directory Mapping for user creation:

```powershell
PS D:\Scripts> Get-PASUser -username @. -ExtendedDetails $True

id                 : 1111
username           : @.
source             : LDAP
userType           : EPVUser
componentUser      : False
userDN             : CN=ABCD,DC=shortdom,DC=domain,DC=net
vaultAuthorization : {}
location           : \Customers\folder
personalDetails    : @{firstName=First; middleName=; lastName=Last; organization=Company; department=1234 Security}
enableUser         : True
suspended          : False
```

So the Directory Mapping takes care of location, userType, authorized interfaces and the authenticationMethod, which is AuthTypeRADIUS.

Then the script creates a safe for the user and assigns the user to it.

I am now converting all the old scripts I have inherited to psPAS, but this specific task is causing me a bit of a headache. If I try to solve this with psPAS:

```powershell
New-PASUser -Username $new_user -authenticationMethod AuthTypeRADIUS
```

(I need to give it the AuthTypeRADIUS parameter as it defaults to AuthTypePass) I get:

```powershell
enableUser              : True
changePassOnNextLogon   : True
lastSuccessfulLoginDate : 1661283754
unAuthorizedInterfaces  : {}
authenticationMethod    : {AuthTypeRadius}
passwordNeverExpires    : False
distinguishedName       :
username                : @.***
source                  : CyberArk
userType                : EPVUser
componentUser           : False
location                : \
```

Source is not LDAP, and it doesn't get picked up by the Directory Mapping. This could be me just not understanding something here, or what we did is just not possible without PACLI. I tried to play with several of the psPAS parameters, but no luck.

When I noticed the difference in source between users created with PoSHPACLI and psPAS, I figured it made sense, as the Directory Mapping is found via the short domain name. I read the REST API manual as if source was a supported parameter, and saw that it was not in psPAS.

Let me know if it makes sense.

I am looking at ways of dealing with this without having to assign the user directly to the personal safe, but instead use a personal AD group per user for this, which will disconnect all access to safes from shadow users.

/Morten Seeberg dk.linkedin.com/in/mortenseeberg/


pspete commented 1 year ago

Luckily, it is less complex using the API/psPAS.

Just like when performing the task via PVWA, create the safe, then add the safe member. Use the SearchIn parameter of Add-PASSafeMember to specify the directory in which to find the user: https://pspas.pspete.dev/commands/Add-PASSafeMember#-searchin

The user object should be created/present in the vault location hierarchy once this task completes.
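The workflow described in this comment, written out as an added example (it is not code from the thread or from the psPAS project): create the personal safe, add the AD user as a member with -SearchIn so the Directory Mapping provisions the transparent user, then verify that the resulting user has source LDAP. It assumes an existing psPAS session, and the function name, safe naming convention, CPM name and permission set are assumptions; the -SearchIn value is the directory name as configured in PVWA (the thread uses domain.local).

```powershell
# Added example, not psPAS project code: provision a personal safe for an AD user and let the
# Directory Mapping create the transparent user by adding the member from the LDAP directory.
# Assumes an existing psPAS session (New-PASSession). Safe naming, CPM name and the permission
# set below are assumptions for a least-privilege personal safe.
function New-PersonalSafeForDirectoryUser {
    param(
        [Parameter(Mandatory)][string]$UserName,   # AD account name, e.g. 'xmsq'
        [Parameter(Mandatory)][string]$Directory,  # directory name as configured in PVWA, e.g. 'domain.local'
        [string]$SafeName    = "P_$UserName",      # assumed personal-safe naming convention
        [string]$ManagingCPM = 'PasswordManager'   # assumed CPM name
    )

    # 1. Create the safe only if it is missing, so the script can be re-run safely.
    $safe = $null
    try { $safe = Get-PASSafe -SafeName $SafeName -ErrorAction Stop } catch { }
    if (-not $safe) {
        Add-PASSafe -SafeName $SafeName -Description "Personal safe for $UserName" `
            -ManagingCPM $ManagingCPM -NumberOfVersionsRetention 5 | Out-Null
    }

    # 2. Add the user as a member searched in the LDAP directory, not the Vault. This is the
    #    step that makes the Directory Mapping create the user (source = LDAP). Only account
    #    rights are granted; safe management stays with the admins.
    try {
        Add-PASSafeMember -SafeName $SafeName -MemberName $UserName -SearchIn $Directory `
            -UseAccounts $true -RetrieveAccounts $true -ListAccounts $true -AddAccounts $true `
            -UpdateAccountContent $true -UpdateAccountProperties $true `
            -InitiateCPMAccountManagementOperations $true -CreateFolders $true -ErrorAction Stop | Out-Null
    }
    catch {
        # The 400 seen in this thread ("Failed to find user [...] in ldap mapping [...]") means no
        # mapping for that directory matches the account; surface it with the context needed to fix it.
        throw "Could not add '$UserName' from '$Directory' to '$SafeName': $($_.Exception.Message)"
    }

    # 3. Verify the mapping did its job: source must be LDAP, and location/authentication
    #    method come from the mapping rather than from New-PASUser defaults.
    $user = Get-PASUser -UserName $UserName -ExtendedDetails $true
    if ($user.source -ne 'LDAP') {
        Write-Warning "User '$UserName' exists with source '$($user.source)'; expected LDAP."
    }
    [pscustomobject]@{
        SafeName             = $SafeName
        UserName             = $user.username
        Source               = $user.source
        Location             = $user.location
        AuthenticationMethod = ($user.authenticationMethod -join ',')
    }
}
# Usage (constructed values): New-PersonalSafeForDirectoryUser -UserName 'xmsq' -Directory 'domain.local'
```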

pspete commented 1 year ago

Closing as I believe the issue has been answered. If that is not the case, add a comment 😄

SOS-DK commented 1 year ago

Hi Pete, so sorry I missed your reply somehow and never got back to you. Your subsequent mails about the issue ended up in the same thread. Not until I got back to this issue did I search it out :-)

You are right that what you suggest works in PVWA, it creates the user via Directory Mapping just by adding the user to a safe.

But apparently not via REST:

```powershell
PS E:> add-passafemember -safename "TEST_SAFE" -MemberName "xmsq" -Searchin "domain.local" -CreateFolders $True
Invoke-PASRestMethod : [400] Failed to find user [xmsq] in ldap mapping [domain.local].
At line:276 char:13
```


SOS-DK commented 1 year ago

Hmm, taking that back, it seems there was something conflicting in my test system. It works now.

On Fri, 11 Nov 2022 at 22:41, Morten Seeberg @.***> wrote:


But apparently not via REST:

```powershell
PS E:> add-passafemember -safename "TEST_SAFE" -MemberName "xmsq" -Searchin "domain.local" -CreateFolders $True
Invoke-PASRestMethod : [400] Failed to find user [xmsq] in ldap mapping [domain.local].
At line:276 char:13
+ ... $result = Invoke-PASRestMethod -Uri $URI -Method POST -Body $Body
+ ...
    + CategoryInfo          : NotSpecified: ({"ErrorCode":"S...ocorp.local]."}:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : SFWS0014,Invoke-PASRestMethod
```
