'get-groups-by-domain.py' Source Code
#!/usr/bin/env python
###########################################################################
# #
# This script demonstrates how to use the ISE ERS Active Directory #
# API by executing a Python script. #
# #
# SECURITY WARNING - DO NOT USE THIS SCRIPT IN PRODUCTION! #
# The script connects to TLS endpoints without verifying the server #
# certificate, so it cannot detect an impersonated or intercepted host. #
# For production, server certificate verification must be added. #
# #
# Usage: get-groups-by-domain.py <ISE host> <ERS user> <ERS password> #
# <join point ID> <domain> <group name filter> <group SID filter> #
# <group type filter> #
###########################################################################
import base64
import http.client
import json
import ssl
import sys
import urllib.parse
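# TCP port used for the ERS API in this example.
ERS_PORT = 9060

# Upper bound (seconds) on connect/read so a dead host cannot hang the script.
REQUEST_TIMEOUT = 60

USAGE = (
    "Usage: get-groups-by-domain.py <ISE host> <ERS user> <ERS password> "
    "<join point ID> <domain> <group name filter> <group SID filter> "
    "<group type filter> [<CA bundle PEM file>]"
)


def build_request_body(domain, name_filter, sid_filter, type_filter):
    """Return the JSON request body for getGroupsByDomain.

    The body is serialised with ``json.dumps`` rather than string
    formatting, so a quote or backslash inside any value is escaped and
    cannot change the structure of the document.

    Args:
        domain: AD domain to query, e.g. "R1.dom".
        name_filter: exact CN to match; an asterisk (*) denotes no filter.
        sid_filter: exact SID to match (the domain can be given as a
            prefix); an asterisk (*) denotes no filter.
        type_filter: exactly one of BUILTIN, DOMAIN LOCAL, GLOBAL,
            UNIVERSAL; an asterisk (*) denotes no filter.

    Returns:
        The request body as an ASCII-only JSON string.
    """
    payload = {
        "OperationAdditionalData": {
            "additionalData": [
                {"name": "domain", "value": domain},
                {"name": "filter", "value": name_filter},
                {"name": "sidFilter", "value": sid_filter},
                {"name": "typeFilter", "value": type_filter},
            ]
        }
    }
    return json.dumps(payload, indent=2)


def build_tls_context(ca_bundle=None):
    """Return the TLS context used for the ERS connection.

    Args:
        ca_bundle: optional path to a PEM file with the CA certificate(s)
            that issued the ISE server certificate. When given, the server
            certificate and host name are verified.

    Returns:
        An ``ssl.SSLContext``. Without ``ca_bundle`` the context performs
        NO certificate or host name verification (demo behaviour only).
    """
    if ca_bundle:
        # Production path: verify the chain and the host name.
        return ssl.create_default_context(cafile=ca_bundle)

    # Demo path: the server certificate is not verified, so the Basic-auth
    # credentials sent below can be captured by anyone able to intercept
    # the connection. The protocol version is negotiated instead of being
    # pinned to TLS 1.0.
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False  # must be cleared before CERT_NONE
    context.verify_mode = ssl.CERT_NONE
    return context


def main(argv):
    """Query ISE ERS for the AD groups of a domain and print the response.

    Args:
        argv: the full argument vector (``sys.argv``); see ``USAGE``.

    Returns:
        Process exit code: 2 when arguments are missing, otherwise 0.
    """
    if len(argv) < 9:
        print(USAGE, file=sys.stderr)
        return 2

    # host and authentication credentials
    # NOTE: a password passed on the command line is visible in the process
    # list and is usually kept in shell history; use a dedicated,
    # least-privileged ERS account.
    host = argv[1]  # "10.20.30.40"
    user = argv[2]  # "ersad"
    password = argv[3]  # "Password1"

    # params
    join_point_id = argv[4]  # "4ed8aa40-b6ef-11e6-8c86-0242d54b863b"
    domain = argv[5]  # "R1.dom"
    name_filter = argv[6]  # "Administrators"
    sid_filter = argv[7]  # "S-1-5-32-544"
    type_filter = argv[8]  # "DOMAIN LOCAL"
    ca_bundle = argv[9] if len(argv) > 9 else None

    if ca_bundle is None:
        print(
            "WARNING: server certificate is NOT verified; "
            "pass a CA bundle as the last argument to enable verification.",
            file=sys.stderr,
        )

    creds = ":".join((user, password)).encode("utf-8")
    encoded_auth = base64.b64encode(creds).decode("ascii")

    headers = {
        'accept': "application/json",
        'authorization': " ".join(("Basic", encoded_auth)),
        'content-type': "application/json; charset=utf-8",
        'cache-control': "no-cache",
    }

    # Percent-encode the ID so it stays a single path segment.
    path = "/ers/config/activedirectory/{}/getGroupsByDomain".format(
        urllib.parse.quote(join_point_id, safe="")
    )
    # Send bytes so the body really is UTF-8, as the content-type declares.
    body = build_request_body(
        domain, name_filter, sid_filter, type_filter
    ).encode("utf-8")

    conn = http.client.HTTPSConnection(
        "{}:{}".format(host, ERS_PORT),
        context=build_tls_context(ca_bundle),
        timeout=REQUEST_TIMEOUT,
    )
    try:
        conn.request("PUT", path, headers=headers, body=body)
        res = conn.getresponse()
        data = res.read()
    finally:
        conn.close()

    print("Status: {}".format(res.status))
    # The headers include Set-Cookie session identifiers; redact them
    # before sharing this output.
    print("Header:\n{}".format(res.headers))
    print("Body:\n{}".format(data.decode("utf-8")))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))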
Execution
python get-groups-by-domain.py 10.20.30.40 ersad Password1 4ed8aa40-b6ef-11e6-8c86-0242d54b863b R1.dom Administrators S-1-5-32-544 "DOMAIN LOCAL"
Status: 200 (OK)
Header:
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONIDSSO=912B0BEE06924A715C7562E7BFA77A0E; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=CB0636BEF31B0F4FAD4D9E5759155C8E; Path=/ers; Secure; HttpOnly
Pragma: no-cache
Date: Thu, 01 Dec 2016 18:29:17 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 191
Server:
Body:
{
"ERSActiveDirectoryGroups" : {
"groups" : [ {
"name" : "R1.dom/Builtin/Administrators",
"sid" : "R1.dom/S-1-5-32-544",
"type" : "BUILTIN, DOMAIN LOCAL"
} ]
}
}