Enabling Account via SOAP changes MFA options

Laurie Street

• October 24, 2019 00:09

I am trying to change the status (isDisabled) of a Cerberus Account via SOAP and the MFA options are being changed despite not actually touching those settings in the SOAP actions. Here is what I am doing:

 

            $GetUserInformationRequest = New-Object -TypeName CerberusFTPService.GetUserInformationRequest

            

            $GetUserInformationRequest.credentials = $CerberusCredentials

            $GetUserInformationRequest.userName = $singleUser

            $UserInfo = $CerberusFtpSvc.GetUserInformation($GetUserInformationRequest) | Select-Object -ExpandProperty Userinformation

            $AddUserRequest = New-Object -TypeName CerberusFTPService.AddUserRequest

            $AddUserRequest.credentials = $CerberusCredentials

 

                        $UserInfo.isDisabled = New-Object -TypeName CerberusFTPService.UserPropertyBool

                        $UserInfo.isDisabled.value = $False

                        $UserInfo.isDisabled.valueSpecified = $False

                        $Result = "Enabled"

 

                    $MultiFactorAuthSettings = New-Object -TypeName CerberusFTPService.MultiFactorAuthenticationSettings

                    

                    $MultiFactorAuthSettings.allowed = $True

                    $MultiFactorAuthSettings.allowedSpecified = $True

                    $MultiFactorAuthSettings.required = $True

                    $MultiFactorAuthSettings.requiredSpecified = $True

                    $MultiFactorAuthSettings.requiredSSH = $False

                    $MultiFactorAuthSettings.requiredSSHSpecified = $False

                    $MultiFactorAuthSettings.requiredFTP = $False

                    $MultiFactorAuthSettings.requiredFTPSpecified = $False

                    $UserInfo.authMethod.mfaOptions = $MultiFactorAuthSettings

                    $AddUserRequest.User = $UserInfo

 

                    $Response = $CerberusFtpSvc.AddUser($AddUserRequest)

 

        if ($Response.result -eq 'True') {

            "Cerberus Native User $User Successfully $Result"

        }

        else {

            Write-Error "Error Modifying $User"

            $Response

        }

 

The $MultiFactorAuthSettings specified above are the settings I am trying to preserve, or leave untouched. Even without specifying the $MultiFactorAuthSettings = New-Object -TypeName CerberusFTPService.MultiFactorAuthenticationSettings It sets all the MFA options to True (i.e. enabled). 

 

Essentially doing the above seems to set everything in MFA to True.

No other settings appear to change.

The settings of the group the user belongs to are set as above (allowed / required = True. SSH / FTP = False), so it cannot be using those settings when it modifies the user.

 

Setting the user options to NOT Override Group, and set the Group settings for MFA how I want it also does not stop the SOAP changes from switching them all back to enabled/true.

 

Thoughts? Possible SOAP Bug?

0

• Official comment

  

  Permanently deleted user

  Development

  • October 24, 2019 16:11
  • Edited

  Hi Laurie,

  Yes, this behavior does feel a bit strange.

  While translating the 'MultiFactorAuthenticationSettings' object, Cerberus checks whether 'requiredSSH' and 'requiredFTP' property values are present in the request. If they are not, their values are set to the 'MultiFactorAuthenticationSettings.required' value. I suspect it behaves this way to provide a "sensible default value" when the properties are missing from the request.

  You will have to set 'requiredSSHSpecified' and 'requiredFTPSpecified' to 'true' in the request. This will explicitly set 'requiredSSH' and 'requiredFTP' to 'false' as the request is translated.

  It may be that these "Specified" properties should have been set 'true' in the user object returned by 'getUserInformation'.

  I'll file an internal bug on this. Thanks for bringing it to our attention!

   

  -Vincent Drake

   

   
• 

  Laurie Street

  • October 31, 2019 00:00
  • Edited

  This works and makes sense. Shame the the values need to be specified even if they aren't being touched.

  Also really appreciate the SOAP API doco that has been put up on this site, really has helped with automation and streamlining processes. Great work!

  Just as an aside - I am unable to set the 'lastlogin' property. No matter what I try I am unable to reset it. I am unsure if it's simply not changeable or if I am doing something wrong. I am using Get-Date to specify 'right now' for the lastlogin, and the LastLoginSpecified value is $True.

  Cheers,

  Laurie

  0

Please sign in to leave a comment.