# User account password policy set for local accounts


untold cloud
#

Hi All, Greetings!! Please suggest and help. I need to use the NetApp Ansible module to get the data below, as we get it through the NetApp CLI by using the command: security login role config show -role admin -instance

                                        Vserver: nas91
                                      Role Name: admin
               Minimum Username Length Required: 3
                         Username Alpha-Numeric: disabled
               Minimum Password Length Required: 8
                         Password Alpha-Numeric: enabled
Minimum Number of Special Characters Required In
                                   The Password: 0
                     Password Expires In (Days): 90
 Require Initial Password Update on First Login: enabled
              Maximum Number of Failed Attempts: 5
                  Maximum Lockout Period (Days): 0
                    Disallow Last 'N' Passwords: 8
          Delay Between Password Changes (Days): 1
   Delay after Each Failed Login Attempt (Secs): 4
Minimum Number of Lowercase Alphabetic Characters
                       Required in the Password: 0
Minimum Number of Uppercase Alphabetic Characters
                       Required in the Password: 0
Minimum Number of Digits Required in the Password: 0
 Display Warning Message Days Prior to Password
                                  Expiry (Days): unlimited
                      Account Expires in (Days): unlimited
  Maximum Duration of Inactivity before Account
                              Expiration (Days): unlimited

ebon hill
#

There is no native REST API endpoint for the role config. You can use the na_ontap_rest_cli module to query and manipulate the values.

- name: Get Role Config
  netapp.ontap.na_ontap_rest_cli:
    command: security/login/role/config
    verb: GET
    params:
      vserver: "{{ vserver }}"
      role: "{{ role }}"
      fields: vserver,role,username-minlength,username-alphanum,passwd-minlength,passwd-alphanum,passwd-min-special-chars,passwd-expiry-time,require-initial-passwd-update,max-failed-login-attempts,lockout-duration,disallowed-reuse,change-delay,delay-after-failed-login,passwd-min-lowercase-chars,passwd-min-uppercase-chars,passwd-min-digits,passwd-expiry-warn-time,account-expiry-time,account-inactive-limit
  register: roles

untold cloud
#

Ok, thanks. Let me try.

untold cloud
#

@ebon hill Hi, I tried this, but it gives this error.

fatal: [host]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'vserver' is undefined\n\nThe error appears to be in '/user.yml': line 15, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n tasks:\n - name: Run ONTAP REST CLI command to get Telnet information\n ^ here\n"}

When I define the vserver value, it then asks me to define role, as these are static values. Currently, I am searching for one NetApp cluster only; I need the same for other clusters as well.

So please let me know how it will work. Would verb: GET fetch this info in my case?

untold cloud
#

@vagrant blade could you please help here.

vagrant blade
#

Can you show me what your playbook looks like?

ebon hill
#

This is basic Ansible stuff. I set vserver and role as variables in my example. Obviously you will have to adapt it to your use case. Either replace them with your values or set the variables to the needed values.
Yes, "GET" will fetch the info.

untold cloud
#

Hi Mamoep, it's been working for me all this while, when I was using the task below:

- name: Get autosupport role config params
  netapp.ontap.na_ontap_rest_cli:
    hostname: "{{ cluster_name }}"
    username: "{{ username }}"
    password: "{{ password }}"
    command: 'security/login/role/config'
    verb: 'GET'
    params:
      role: autosupport
      fields: passwd-minlength,passwd-min-special-chars,passwd-min-digits,max-failed-login-attempts,change-delay,disallowed-reuse,lockout-duration

It last worked some 2-3 days back. But when I run it today, it says: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))"]. Use na_ontap_command for non-rest CLI."}

The complete error I get is this:
fatal: [host.com]: FAILED! => {"changed": false, "msg": "failed to connect to REST over host.com: ["Connection error: HTTPSConnectionPool(host='host.com', port=443): Max retries exceeded with url: /api/cluster?fields=version (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))", "HTTPSConnectionPool(host='host.com', port=443): Max retries exceeded with url: /api/cluster?fields=version (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))"]. Use na_ontap_command for non-rest CLI."}

ebon hill
#

Looks like the webserver certificate of the cluster expired.

untold cloud
#

Ok, thanks for your prompt response. Let me check that.

ebon hill
#

openssl s_client -connect clustername:443 | openssl x509 -noout -dates

untold cloud
#

And where do I run this?

ebon hill
#

On the host you run your Ansible playbook on.

untold cloud
#

depth=0 CN = host.com, O = acc, C = NL
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = host.com, O = acc, C = NL
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = host.com, O = acc, C = NL
verify return:1
notBefore=Apr 24 08:11:53 2024 GMT
notAfter=Apr 24 08:11:53 2025 GMT

ebon hill
#

Looks like you got a new cert, but the intermediate and root certificates are not in the trust store of your Ansible host.

untold cloud
#

Ok, thanks a lot!!
For now, I am using validate_certs: false

untold cloud
#

Hi @ebon hill, hope you are doing well. Would you please help me with the error below?
I am encountering the error below after upgrading netapp.ontap to 22.9.0.

TASK [check_role_policy : Get autosupport role config params] *******************************************************************************************************************************
fatal: [abc.com.com]: FAILED! => {"changed": false, "msg": "failed to connect to REST over ['server92-cluster_mgmt.abc.com.com', 'server02.abc.com.com', 'server01.abc.com.com', 'server11.abc.com.com', 'server12.abc.com.com']: ['Connection error: HTTPSConnectionPool(host="\'server92-cluster_mgmt.abc.com.com\',%20\'server02.abc.com.com\',%20\'server01.abc.com.com\',%20\'server11.abc.com.com\',%20\'server.abc.com.com\'", port=443): Max retries exceeded with url: /api/cluster?fields=version (Caused by NewConnectionError(\'<urllib3.connection.VerifiedHTTPSConnection object at 0x7f2518f42da0>: Failed to establish a new connection: [Errno -2] Name or service not known\',))', 'HTTPSConnectionPool(host="\'server92-cluster_mgmt.abc.com.com\',%20\'server02.abc.com.com\',%20\'server01.abc.com.com\',%20\'server11.abc.com.com\',%20\'server12.abc.com.com\'", port=443): Max retries exceeded with url: /api/cluster?fields=version (Caused by NewConnectionError(\'<urllib3.connection.VerifiedHTTPSConnection object at 0x7f2518f42da0>: Failed to establish a new connection: [Errno -2] Name or service not known\',))']. Use na_ontap_command for non-rest CLI."}

Thanks in advance.

ebon hill
#

The error message looks like you gave an array to hostname instead of a single machine.