Symantec IGA


Execute an etautil command by Policy Xpress

  • 1.  Execute an etautil command by Policy Xpress

    Posted 07-20-2021 11:25 AM
    I already read some topics in the community that say it's possible, but nothing is working for me.

    I have the syntax for my etautil; it's something like this:
    etautil -u <username> -p <password> delete 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser GlobalUserName='[Default User]'.
    Simple code that just deletes the Default User from the Provisioning Server.

    The way I'm trying to do that is by adding an action in the PX: "External code" > "Execute command line" > "Execute command line" > Command.

    When I tried to execute some command or a shell script file (.sh), the action stays "In Progress" and never ends, or I receive errors:

    In the screenshots you can see my attempts to pass the command line.

    I read some topics like:
    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=817844
    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=821197
    https://knowledge.broadcom.com/external/article/10156/how-to-run-external-code-using-policy-xp.html


  • 2.  RE: Execute an etautil command by Policy Xpress

    Broadcom Employee
    Posted 07-21-2021 02:22 PM
    The permission denied is because, with vApp, you cannot execute etautil via PX: only the imps user or group can access the imps bin directory and execute it. However, the openldap-clients package is installed, which means that you could use ldapdelete instead. The equivalent command to delete the [Default User] would be:

    ldapdelete -x -H LDAP://localhost:20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w apassword "eTGlobalUserName=[Default User],eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta"

    To avoid providing the password in the command, you can use the -y filename argument and put your password in filename.

    ------------------------------
    Advisor
    Symantec Enterprise Division, Broadcom
    ------------------------------



  • 3.  RE: Execute an etautil command by Policy Xpress

    Posted 07-21-2021 05:35 PM
    Edited by Igor Morais 07-22-2021 09:01 AM

    Hi, Joffrey
    Thanks for the reply

    I can use this solution; it even worked on the terminal with the config user, but when I tried to run the code with Policy Xpress I received this error:

    Failed to execute ExecuteCommandLineEvent. ERROR MESSAGE: IOException:Cannot run program "ldapdelete -x -H LDAP://localhost:20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w password "eTGlobalUserName=[Default User],eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta"": error=2, No such file or directory

    I imagine that I need to insert the full path of the openldap-client.
    Like in other threads about executing etautil that say to pass the command with something like this:
    "/opt/CA/Identity Manager/Provisioning Server/bin/etautil"




  • 4.  RE: Execute an etautil command by Policy Xpress

    Broadcom Employee
    Posted 07-22-2021 08:37 AM
    Hi Igor,

    I suspect you have put the full command in the Command field in your PX. The Command should only contain ldapdelete; then create a parameter for every argument of the command. However, I think the best approach for you is to follow https://knowledge.broadcom.com/external/article/10156/how-to-run-external-code-using-policy-xp.html and put the ldapdelete command into the script. Done like this, the Command field in the PX should be the name of the script (full path, as the command will be run as the wildfly user, not config).

    HTH


    ------------------------------
    Advisor
    Symantec Enterprise Division, Broadcom
    ------------------------------



  • 5.  RE: Execute an etautil command by Policy Xpress

    Posted 07-22-2021 04:34 PM
    Is there another configuration that I need to do?

    I've tried both ways, with a bash file and using the parameters box in Policy Xpress; this time I don't get any error or anything like that... Apparently the command is executed, but nothing happens: the global user is not deleted.


  • 6.  RE: Execute an etautil command by Policy Xpress
    Best Answer

    Broadcom Employee
    Posted 07-23-2021 05:09 AM

    Hi Igor,

    Nothing special, I just made a test and it works fine. Below is my config (not sure if the screenshots will be preserved; if not, I only defined the PX, external code, execute Command line, command = /home/confg/scripts/1.sh (no parameter defined)).

    config@:~ > cat scripts/1.sh
    #!/usr/bin/bash
    {
    ldapdelete -v -x -H LDAP://localhost:20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -y /tmp/.pwd "eTGlobalUserName=[Default User],eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta"
    } >/tmp/1.log 2>&1

    config@:~ > su - imps -c "etautil -u etaadmin -y /tmp/.pwd select 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser GlobalUserName='[Default User]' list eTUserid"
        name = eTGlobalUserName=[default user],eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im
        eTUserid = [Default User]
        objectClass = eTGlobalUser

    :ETA_I_1336, ETAUTIL command completed  Fri Jul 23 10:46:15 2021

    → run a task that triggers the PX:

    And verified that the command was executed and the GU deleted:

    config@:~ > cat /tmp/1.log
    ldap_initialize( ldap://localhost:20389/??base )
    Warning: Password file /tmp/.pwd is publicly readable/writeable
    deleting entry "eTGlobalUserName=[Default User],eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta"
    Delete Result: Success (0)
    Additional info: :ETA_S_0009<DGU>, Global User '[Default User]' deleted successfully

    config@:~ > su - imps -c "etautil -u etaadmin -y /tmp/.pwd select 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser GlobalUserName='[Default User]' list eTUserid"
    :ETA_E_1337, ETAUTIL command failed  Fri Jul 23 10:50:49 2021

    The GU has been deleted successfully. If you have a similar config and it still doesn't work, then it's time to open a case with our support.
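The thread settles on three points: the PX Command field holds only the full path of a script (it runs as the wildfly user, whose PATH is not the config user's, which is what produced "error=2, No such file or directory"), the script calls ldapdelete with the bind password in a -y file, and the 1.log shown above warns that /tmp/.pwd is publicly readable. The wrapper below is an added example, not the poster's 1.sh and not Broadcom's code. It assumes PX passes the global user name as the script's single argument (the thread's 1.sh hard-codes [Default User] and takes no parameter), keeps the thread's /tmp/.pwd and /tmp/1.log paths as placeholders, resolves ldapdelete to an absolute path, refuses to run if the password file is not mode 600/400, and escapes the user name per RFC 4514 so a name containing a comma or other DN metacharacter cannot change which entry is deleted.

```shell
#!/usr/bin/bash
# Constructed wrapper for the PX "External code > Execute command line" action.
# Not the poster's 1.sh: it extends that script with the checks a defender would
# add. Assumptions (not in the thread): PX passes the global user name as $1;
# PWFILE and LOGFILE are the thread's placeholder paths.

LDAP_URI="LDAP://localhost:20389"
CONTAINER="eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta"
BIND_DN="eTGlobalUserName=etaadmin,$CONTAINER"
PWFILE="/tmp/.pwd"      # password file for -y; must not be world-readable
LOGFILE="/tmp/1.log"    # same log location as the thread's 1.sh

# Escape one attribute value for use in a DN string (RFC 4514): backslash,
# then , + " < > ; then a trailing space, then a leading '#' or space.
# A user name arriving from a PX parameter therefore cannot alter the DN.
escape_dn_value() {
  printf '%s' "$1" | sed \
    -e 's/\\/\\\\/g' \
    -e 's/,/\\,/g' \
    -e 's/+/\\+/g' \
    -e 's/"/\\"/g' \
    -e 's/</\\</g' \
    -e 's/>/\\>/g' \
    -e 's/;/\\;/g' \
    -e 's/ $/\\ /' \
    -e 's/^\([# ]\)/\\\1/'
}

# Build the full DN of a global user from its eTGlobalUserName value.
build_user_dn() {
  printf 'eTGlobalUserName=%s,%s' "$(escape_dn_value "$1")" "$CONTAINER"
}

# ldapdelete only warns when the -y file is publicly readable (see the thread's
# 1.log); here a loose mode is a hard failure. Returns 0 only for mode 600/400.
check_pwfile() {
  [ -f "$1" ] || return 1
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Delete one global user. The binary is resolved to an absolute path first,
# because the action runs as the wildfly user with its own PATH.
delete_global_user() {
  tool=$(command -v ldapdelete) || { echo "ldapdelete not found in PATH" >&2; return 127; }
  check_pwfile "$PWFILE" || { echo "refusing to run: $PWFILE missing or not mode 600/400" >&2; return 2; }
  dn=$(build_user_dn "$1")
  "$tool" -v -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PWFILE" "$dn"
}

main() {
  umask 077   # the log echoes DNs and error text; keep it private to the runner
  [ $# -eq 1 ] || { echo "usage: $0 <GlobalUserName>" >&2; exit 64; }
  {
    echo "$(date) deleting global user '$1'"
    delete_global_user "$1"
    rc=$?
    echo "exit status: $rc"
  } >>"$LOGFILE" 2>&1
  exit "$rc"
}

# Only act when an argument is passed (as PX does); otherwise the file just
# defines the functions so they can be exercised separately.
if [ $# -gt 0 ]; then main "$@"; fi
```

With this layout the PX action's Command field is the script's full path (a placeholder such as /home/confg/scripts/px_delete_gu.sh) and a single parameter carrying the user name; the exit status written to the log tells you whether ldapdelete ran at all, which the "In Progress" state of the action does not.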