Java Developer wants to programmatically manage group membership list

A developer has asked for a service account that can update the membership list of a few groups. 

I would normally give the service account a role or add it as a manager or secondary owner who can update the membership list. Then have the developer install the management shell and show them how to connect to ARS and use the quest cmdlets to perform the operation. This is a Java app that is running on Linux so he can't install the management shell or the ADSI Provider.

Is there some other way that I could accommodate this request?

  • Hi Stu,

    Thank you for pointing me in the right direction. I have been trying a few things since your message.


    I installed the SPML provider and I was able to create a computer object using this:

    $cred = get-credential
    $body = @"
    <?xml version="1.0" encoding="utf-8"?>
    <soap12:Envelope xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns:soap12="www.w3.org/.../soap-envelope">
    <soap12:Body>
    <addRequest xmlns="urn:oasis:names:tc:SPML:2:0" returnData="everything">
    <psoID ID="CN=testcreate,OU=TEST,OU=TEST,OU=TEST,DC=test,DC=test,DC=test"/>
    <data>
    <attr name="objectClass" xmlns="urn:oasis:names:tc:DSML:2:0:core">
    <value>computer</value>
    </attr>
    <attr name="samAccountName" xmlns="urn:oasis:names:tc:DSML:2:0:core">
    <value>TESTCreate$</value>
    </attr>
    <attr name="description" xmlns="urn:oasis:names:tc:DSML:2:0:core">
    <value>My test computer</value>
    </attr>
    </data>
    </addRequest>
    </soap12:Body>
    </soap12:Envelope>
    "@

    Invoke-RestMethod -Uri 'servername/.../SPMLProvider.asmx' -Credential $cred -Body $body -Method Post -ContentType 'application/soap+xml; charset=utf-8'



    I'm trying to add a user to a group with this:


    $cred = get-credential
    $body = @"
    <?xml version="1.0" encoding="utf-8"?>
    <soap12:Envelope xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns:soap12="www.w3.org/.../soap-envelope">
    <soap12:Body>
    <modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" returnData="everything">
    <psoID ID="CN=TESTSPML,OU=TEST,DC=TEST,DC=TEST,DC=TEST"/>
    <data>
    <attr name="member" xmlns="urn:oasis:names:tc:DSML:2:0:core">
    <value>CN=Smith\, John (TEST),OU=TEST,OU=TEST,OU=TEST,DC=TEST,DC=TEST,DC=TEST</value>
    </attr>
    </data>
    </modifyRequest>
    </soap12:Body>
    </soap12:Envelope>
    "@

    Invoke-RestMethod -Uri 'servername/.../SPMLProvider.asmx' -Credential $cred -Body $body -Method Post -ContentType 'application/soap+xml; charset=utf-8'



    But it's not working. 

    The notes in the manual are:

    The request message includes the following XML elements:

    The <soap:Envelope> and <soap:Body> SOAP elements enclose the SPML payload.

    The <modifyRequest> element asks SPML Provider to make changes to a specified object.

    The <psoID> element specifies the distinguished name of the group object to be modified.

    The <modification> element specifies the type of change as add, causing the new values to be appended to the existing attribute values.

    The <data> element encloses the elements that specify the distinguished name of the user account to be appended to the existing values of the member attribute.

    There is this one example about removing a user from a group and I tried swapping the modificationMode "delete" for an add, but no luck there either.

    <?xml version="1.0"?>
    <soap:Envelope xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns:soap="schemas.xmlsoap.org/.../">
    <soap:Body>
    <modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" returnData="everything">
    <psoID ID="CN=Sales,OU=SPML2,DC=Mycompany,DC=com"/>
    <modification modificationMode="delete">
    <data>
    <attr name="member" xmlns="urn:oasis:names:tc:DSML:2:0:core">
    <value>CN=Robert Smith,OU=Staff,DC=MyCompany,DC=com</value>
    </attr>
    </data>
    </modification>
    </modifyRequest>
    </soap:Body>
    </soap:Envelope>
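
Added example (not part of this thread or of the product manual): Java code that builds the modifyRequest shape the manual notes quoted above describe, using DOM so the group and member DNs are XML-escaped instead of pasted into a string, with RFC 4514 escaping for a CN such as `Smith, John`. The class and method names and the sample DNs are hypothetical, and the thread does not confirm that the provider accepts this exact request.

```java
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class SpmlGroupMember { // hypothetical class name
    static final String SOAP12 = "http://www.w3.org/2003/05/soap-envelope";
    static final String SPML = "urn:oasis:names:tc:SPML:2:0", DSML = "urn:oasis:names:tc:DSML:2:0:core";

    // Escape one RDN value per RFC 4514, so "Smith, John" becomes "Smith\, John".
    static String escapeRdnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            boolean edge = (i == 0 && (c == ' ' || c == '#')) || (i == v.length() - 1 && c == ' ');
            sb.append(edge || "\"+,;<>\\".indexOf(c) >= 0 ? "\\" : "").append(c);
        }
        return sb.toString();
    }

    static Element child(Node parent, String ns, String qname) {
        Document d = parent instanceof Document ? (Document) parent : parent.getOwnerDocument();
        return (Element) parent.appendChild(d.createElementNS(ns, qname));
    }

    // mode is "add" or "delete"; the serializer XML-escapes both DNs.
    static String buildModifyRequest(String groupDn, String memberDn, String mode) throws Exception {
        Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element body = child(child(d, SOAP12, "soap12:Envelope"), SOAP12, "soap12:Body");
        Element req = child(body, SPML, "modifyRequest");
        req.setAttribute("returnData", "everything");
        child(req, SPML, "psoID").setAttribute("ID", groupDn);
        Element mod = child(req, SPML, "modification");
        mod.setAttribute("modificationMode", mode);
        Element attr = child(child(mod, SPML, "data"), DSML, "attr");
        attr.setAttribute("name", "member");
        child(attr, DSML, "value").setTextContent(memberDn);
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(d), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample DNs: the CN contains ',' (DN-escaped) and '&' (XML-escaped).
        String member = "CN=" + escapeRdnValue("Smith, John (R&D)") + ",OU=Users,DC=example,DC=test";
        System.out.println(buildModifyRequest("CN=TESTSPML,OU=TEST,DC=example,DC=test", member, "add"));
    }
}
```

Post the returned string with the `application/soap+xml; charset=utf-8` content type used in the PowerShell calls in this thread, and use an `https://` endpoint when the request carries the service account's credentials.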
  • I've been trying to reply. Seems like the spam filter has got me. 

  • I feel like this must be close. 

    $cred = get-credential
    $body = @"
    <?xml version="1.0" encoding="utf-8"?>
    <soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
    <soap12:Body>
    <modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" returnData="everything">
    <psoID ID="CN=TESTSPML,OU=TEST,DC=TEST,DC=TEST,DC=TEST"/>
    <modification modificationMode="add">
    <data>       
    <attr name="member" xmlns="urn:oasis:names:tc:DSML:2:0:core">
    <value>CN=Smith\, John (TEST),OU=Users,OU=TEST,OU=TEST,DC=TEST,DC=ny,DC=TEST</value>
    </attr>
    </data>
    </modification>
    </modifyRequest>
    </soap12:Body>
    </soap12:Envelope>
    "@
     
    $response = Invoke-RestMethod -Uri 'http://servername/ARServerSPML/SPMLProvider.asmx' -Credential $cred -Body $body -Method Post -ContentType 'application/soap+xml; charset=utf-8'

  • This isn't it either. 

    <?xml version="1.0" encoding="utf-8"?>
    <soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
      <soap12:Body>
        <modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0">
         <psoID ID="CN=TESTSPML,OU=TEST,DC=TEST,DC=TEST,DC=TEST"/>
          <modification>
            <modification operation="add" xmlns="urn:oasis:names:tc:DSML:2:0:core" />
            <data>       
               <attr name="member" xmlns="urn:oasis:names:tc:DSML:2:0:core">
                 <value>"CN=Smith\, John (TEST),OU=Users,OU=TEST,OU=TEST,DC=TEST,DC=TEST,DC=TEST"</value>
               </attr>
            </data>
          </modification>
        </modifyRequest>
      </soap12:Body>
    </soap12:Envelope>