User removal via API not working

Hi Ondřej Valentík : Thanks for the detailed informative post, let me try it in my LAB setup and confirm on same to delete/remove the user via API.

Hi, Ondřej Valentík I have tried the below API for user delete/remove in local LAB and it worked for me.

reqxml=<Request><Login><Username>admin</Username><Password>XXXXXXX</Password></Login><Remove><User><Username>test1</Username><Name>test1</Name></User></Remove></Request>

Output:

<Response APIVersion="1800.2" IPS_CAT_VER="1">
<Login>
<status>Authentication Successful</status>
</Login>
<User transactionid="">
<Status code="200">Configuration applied successfully.</Status>
</User>
</Response>

Hi Vishal,

thank you very much. When add <Name> tag into the request, I can delete the user now.

Even if it doesn't make sense, because Name is not unique parameter, your colleagues from API team should at least mention it in documentation. At this time only Username is there (https://docs.sophos.com/nsg/sophos-firewall/19.0/API/CONFIGURE/Authentication/Users/operations/Delete User.html).

Unfortunately, another problem appeared now. I'm able to remove local users, but not AD users. The operation quits successfully (with status code 200 - Configuration applied successfully.), but user remains in firewall. I have found that another user has had the same issue, but there was no solution and thread was already closed (https://community.sophos.com/sophos-xg-firewall/f/discussions/132461/api-to-delete-user).

Can you please help me with this problem too?

Many thanks,

Ondrej

Hi Ondřej Valentík Let me arrange the setup with AD and try on the same again and will provide the update from my test.

Hi Vishal,

have you been able to re-produce the issue with AD?

Thank you,

Ondrej

Hi Ondřej Valentík Unfortunately I didn't get a chance yet to reproduce it, I would suggest opening a support case on the same to have further progress if you are facing an issue with deleting an AD user with API and share the case ID with us.

Hi Ondřej Valentík Just now I have tried with AD user in my local LAB setup and user delete via API works fine for me.

Please find the below snapshot and logs for reference.





CSC Debug logs for reference:

INFO Sep 20 13:14:26Z [delete_user:10557]: opcode 'delete_user': time taken: 0.121519984 seconds
DEBUG Sep 20 13:14:26Z [worker:10557]: {"response":{"method":"opcode","name":"delete_user","version":"1.14","type":"text","length":93,"data":{ "deleteObjects": [ "vishal.r@sophos.creed" ], "status": "200", "statusmessage": "success" },"statusCode":200,"statusStrlen":2,"statusString":"OK"}}
DEBUG Sep 20 13:14:26Z [worker:10557]: # OPCODE Exited: 'delete_user' with Status: '200'

API stauts in Browser:

<Response APIVersion="1805.2" IPS_CAT_VER="0">
<Login>
<status>Authentication Successful</status>
</Login>
<User transactionid="">
<Status code="200">Configuration applied successfully.</Status>
</User>
</Response>

So for your scenario still I would suggest opening a support case if there are any challenges to deleting AD users via API to have next investigation.

Hi Vishal,

thank you. I will open the support case. 

I get the same result like you, but when check the user again it still remains on the firewall.

Can you please confirm that it is really not present on the firewall anymore.

Ondrej

Hi  Ondřej Valentík, yes in the LAB device user was removed from the user tab in the UI section, I performed this operation for 2 different users and the result is fine both the time and AD users are not present there in the user section.

Hi  Ondřej Valentík, yes in the LAB device user was removed from the user tab in the UI section, I performed this operation for 2 different users and the result is fine both the time and AD users are not present there in the user section.

Hi Vishal, 

OK. Thanks for confirmation. It must be really something specific to our environment.

I will paste here result of the support case when it will be fixed. 

Best regards, 

Ondrej

Hi Vishal,

I have found the solution during preparation materials for support case. Let me summarize the real usage of User Remove API which is not described in documentation:

1/ Tag <User> must contain parameter transactionid="" => <User transactionid="">. This I have found in another thread before I opened this thread.

2/ Tag <Username> is ignored at all and is not needed in request even if it is mentioned in documentation as mandatory

3/ Account username must be specified between tags <Name></Name> which is mandatory. The confusing point here is that <Name> doesn't contain the Name attribute of the user account, but Username attribute

The reason why the tests were successful in your AD environment and for local users in my environment is that the name of the user and username were the same.

In my AD environment the Name of the account is different than Username and that's why the request was not working for me.

Another story is why the response is OK even if the user removal was not successful. It looks that the reponse just says that request was correct and accepted.

The question is what is wrong? API documentation or API implementation? I will open support case to clarify it for future usage.

Hi Ondřej Valentík I checked internally and found that the issue is not on the documentation side but on the API side. This will be fixed in V19.0.2 MR-2 and the reference ID is NC-88291