

User removal via API not working

Hello,

I'm creating a script for the removal of inactive users from XG firewalls. I'm able to remove the OTP tokens of the user, but can't remove the user itself. It always returns error code 500 (Operation could not be performed on Entity.)

The strange thing is that it returns the same code even if I enter a non-existing username, instead of saying "Object doesn't exist". It looks like the request itself is wrong.

I can remove the account via GUI without any issues.

I'm using the following request:

<Request><Login><Username>admin</Username><Password>xxxxxxx</Password></Login><Remove><User transactionid=""><Username>test</Username></User></Remove></Request>

Here is the content of /log/apiparser.log:

INFO Sep 06 09:24:36Z [32308]: Start Remove Handler,Component : User
ERROR Sep 06 09:24:36Z [32308]: Key:ISCrEntity is not found in RequestMap File for User.
INFO Sep 06 09:24:36Z [32308]: Mapping file for User component is /_conf/csc/IOMappingFiles//1900.1/identity/users.xml
WARNING Sep 06 09:24:36Z [32308]: Mapping element Mode is not needed now.
ERROR Sep 06 09:24:36Z [32308]: Flag setting for this opcode is 16.
INFO Sep 06 09:24:37Z [32308]: Opcode response: status:500
INFO Sep 06 09:24:37Z [32308]: End Remove Handler, Status : Success, Component : User, Transaction :

INFO Sep 06 09:24:37Z [32308]: Command:/scripts/apiparser_generate_tar.sh /sdisk/api-1662456275924800.txt /sdisk/API-1662456275924800/sdisk/APIXMLOutput/1662456275766.xml /sdisk/API-1662456275924800.tar /sdisk/API-1662456275924800.log 0 status:3
INFO Sep 06 09:24:37Z [32308]: No need to create Tar file. Response file is /sdisk/APIXMLOutput/1662456275766.xml

Does anybody here have experience with user removal via the API who could help me?

Thanks,

Ondrej



  • Hi Ondřej Valentík, I have tried the below API for user delete/remove in a local LAB and it worked for me.

    reqxml=<Request><Login><Username>admin</Username><Password>XXXXXXX</Password></Login><Remove><User><Username>test1</Username><Name>test1</Name></User></Remove></Request>

    Output:

    <Response APIVersion="1800.2" IPS_CAT_VER="1">
    <Login>
    <status>Authentication Successful</status>
    </Login>
    <User transactionid="">
    <Status code="200">Configuration applied successfully.</Status>
    </User>
    </Response>

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hi Vishal,

    thank you very much. When I add the <Name> tag to the request, I can delete the user now.

    Even if it doesn't make sense, because Name is not a unique parameter, your colleagues from the API team should at least mention it in the documentation. At this time only Username is there (https://docs.sophos.com/nsg/sophos-firewall/19.0/API/CONFIGURE/Authentication/Users/operations/Delete User.html).

    Unfortunately, another problem has appeared now. I'm able to remove local users, but not AD users. The operation finishes successfully (with status code 200 - Configuration applied successfully.), but the user remains on the firewall. I have found that another user has had the same issue, but there was no solution and the thread was already closed (https://community.sophos.com/sophos-xg-firewall/f/discussions/132461/api-to-delete-user).

    Can you please help me with this problem too?

    Many thanks,

    Ondrej

  • Hi Ondřej Valentík, let me arrange the setup with AD and try the same again, and I will provide an update from my test.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hi Vishal,

    have you been able to reproduce the issue with AD?

    Thank you,

    Ondrej

  • Hi Ondřej Valentík, unfortunately I haven't had a chance to reproduce it yet. If you are facing an issue with deleting an AD user via the API, I would suggest opening a support case on the same to make further progress, and sharing the case ID with us.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hi Ondřej Valentík, just now I have tried with an AD user in my local LAB setup and user deletion via the API works fine for me.

    Please find the below snapshot and logs for reference.

    CSC Debug logs for reference:

    INFO Sep 20 13:14:26Z [delete_user:10557]: opcode 'delete_user': time taken: 0.121519984 seconds
    DEBUG Sep 20 13:14:26Z [worker:10557]: {"response":{"method":"opcode","name":"delete_user","version":"1.14","type":"text","length":93,"data":{ "deleteObjects": [ "vishal.r@sophos.creed" ], "status": "200", "statusmessage": "success" },"statusCode":200,"statusStrlen":2,"statusString":"OK"}}
    DEBUG Sep 20 13:14:26Z [worker:10557]: # OPCODE Exited: 'delete_user' with Status: '200'

    API status in Browser:

    <Response APIVersion="1805.2" IPS_CAT_VER="0">
    <Login>
    <status>Authentication Successful</status>
    </Login>
    <User transactionid="">
    <Status code="200">Configuration applied successfully.</Status>
    </User>
    </Response>

    So for your scenario I would still suggest opening a support case if there are any challenges deleting AD users via the API, so that the next investigation can take place.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hi Vishal,

    thank you. I will open the support case.

    I get the same result as you, but when I check the user again it still remains on the firewall.

    Can you please confirm that it is really not present on the firewall anymore?

    Ondrej

  • Hi Ondřej Valentík, yes, on the LAB device the user was removed from the user tab in the UI section. I performed this operation for 2 different users and the result was fine both times; the AD users are not present in the user section.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hi Vishal,

    OK. Thanks for the confirmation. It must really be something specific to our environment.

    I will paste the result of the support case here when it is fixed.

    Best regards,

    Ondrej

  • Hi Vishal,


    I have found the solution while preparing materials for the support case. Let me summarize the real usage of the User Remove API, which is not described in the documentation:


    1/ The <User> tag must contain the parameter transactionid="" => <User transactionid="">. I found this in another thread before I opened this thread.

    2/ The <Username> tag is ignored entirely and is not needed in the request, even though the documentation lists it as mandatory.

    3/ The account username must be specified between the <Name></Name> tags, which are mandatory. The confusing point here is that <Name> doesn't contain the Name attribute of the user account, but the Username attribute.


    The reason why the tests were successful in your AD environment and for local users in my environment is that the name of the user and the username were the same.

    In my AD environment the Name of the account is different from the Username, and that's why the request was not working for me.

    Another story is why the response is OK even if the user removal was not successful. It looks like the response just says that the request was correct and accepted.

    The question is: what is wrong, the API documentation or the API implementation? I will open a support case to clarify it for future usage.
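As an added example (not Sophos' code and not from any poster in this thread), the following Python module turns the thread's findings into a script-friendly form: it builds the Remove request exactly as the last post describes (<User transactionid=""> with the username inside <Name>), builds the request with ElementTree rather than string concatenation so a username containing XML metacharacters cannot alter the request structure, and, because the thread shows that <Status code="200"> only means the request was accepted, it treats a removal as confirmed only when a follow-up Get no longer lists the account. The APIController endpoint path, the <Get>/<Filter> query syntax and all sample responses are assumptions or constructed for the offline demonstration; the HTTP call itself is left to the caller.

```python
"""Sophos Firewall (SFOS) XML API: remove a user and verify the removal.

Added example, not Sophos' code. It encodes what the thread found:
  * the Remove element must be <User transactionid="">,
  * the account is selected by <Name>, which must carry the *username*
    (<Username> is ignored even though the docs call it mandatory),
  * <Status code="200"> only means the request was accepted, so a
    follow-up Get has to confirm the account is actually gone.
Assumptions not taken from the thread: the APIController endpoint path
and the <Get>/<Filter> query syntax used for the verification step.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample: the 200 reply shown in the thread.
SAMPLE_REMOVE_OK = (
    '<Response APIVersion="1805.2" IPS_CAT_VER="0">'
    "<Login><status>Authentication Successful</status></Login>"
    '<User transactionid=""><Status code="200">Configuration applied successfully.</Status></User>'
    "</Response>"
)
# Constructed sample: Get result in which the AD account survived the Remove
# (Name differs from Username, the situation described in the last post).
SAMPLE_GET_STILL_PRESENT = (
    '<Response APIVersion="1805.2" IPS_CAT_VER="0">'
    "<Login><status>Authentication Successful</status></Login>"
    '<User transactionid=""><Username>jdoe</Username><Name>John Doe</Name>'
    "<UserType>User</UserType></User></Response>"
)
# Constructed sample: Get result with no matching account.
SAMPLE_GET_EMPTY = (
    '<Response APIVersion="1805.2" IPS_CAT_VER="0">'
    "<Login><status>Authentication Successful</status></Login>"
    '<User transactionid=""><Status>No. of records Zero.</Status></User></Response>'
)


def _login(req, admin_user, admin_password):
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = admin_user
    ET.SubElement(login, "Password").text = admin_password


def build_remove_user(admin_user, admin_password, username):
    """Remove request in the form the thread found to work.

    ElementTree escapes '<', '>' and '&' in the username, so untrusted
    account names cannot inject extra elements into the request."""
    req = ET.Element("Request")
    _login(req, admin_user, admin_password)
    user = ET.SubElement(ET.SubElement(req, "Remove"), "User", transactionid="")
    ET.SubElement(user, "Name").text = username  # the *username*, per the thread
    return ET.tostring(req, encoding="unicode")


def build_get_user(admin_user, admin_password, username):
    """Get request filtering on Username (filter syntax is an assumption)."""
    req = ET.Element("Request")
    _login(req, admin_user, admin_password)
    user = ET.SubElement(ET.SubElement(req, "Get"), "User")
    key = ET.SubElement(ET.SubElement(user, "Filter"), "key", name="Username", criteria="=")
    key.text = username
    return ET.tostring(req, encoding="unicode")


def api_url(host, reqxml, port=4444):
    """Assumed endpoint layout: https://<fw>:4444/webconsole/APIController?reqxml=..."""
    return f"https://{host}:{port}/webconsole/APIController?" + urlencode({"reqxml": reqxml})


def parse_remove_response(xml_text):
    """Return (login status, Status code, Status message) from a Remove reply."""
    root = ET.fromstring(xml_text)
    status = root.find("User/Status")
    return (
        root.findtext("Login/status"),
        status.get("code") if status is not None else None,
        status.text if status is not None else None,
    )


def user_present(get_xml_text, username):
    """True if any <User> in a Get response carries this <Username>."""
    root = ET.fromstring(get_xml_text)
    return any(u.findtext("Username") == username for u in root.findall("User"))


def removal_confirmed(remove_xml_text, get_xml_text, username):
    """Trust the removal only when the API accepted it AND a Get no longer
    lists the account; a 200 alone is not enough (the AD case in the thread)."""
    _, code, _ = parse_remove_response(remove_xml_text)
    return code == "200" and not user_present(get_xml_text, username)


if __name__ == "__main__":
    # Real scripts should read the admin password from a secret store, never a literal.
    print(api_url("firewall.example.invalid", build_remove_user("admin", "<placeholder>", "jdoe")))
    print("still present:", removal_confirmed(SAMPLE_REMOVE_OK, SAMPLE_GET_STILL_PRESENT, "jdoe"))
    print("removed:", removal_confirmed(SAMPLE_REMOVE_OK, SAMPLE_GET_EMPTY, "jdoe"))
```

For an offboarding job that removes inactive accounts, the verification step is the part that matters: a script that stops at the 200 would have reported every AD user in this thread as removed while the accounts, and their access, remained.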