Comments (12)

chillancezen commented on July 21, 2024

@onurbrc thanks Bruno,
yes, with Fortigate, only a raw ssh connection works.
I used to work around it your way:
#72 (comment)
#72 (comment)

It looks really cumbersome with the Fortigate CLI, as we have to take care of the specific commands to execute.

thanks again for sharing.
Link

from ansible-galaxy-fortios-collection.

chillancezen commented on July 21, 2024

ETA: 6/18/2020

chillancezen commented on July 21, 2024

hi @diLLec,

  • password issue.

changing password via Ansible(cmdb) is not supported, we must use CLI or monitor APIs instead.

[httpsd 190 - 1592532203    error] _api_cmdb_v2_config[1204] -- Modification of the 'password' field of system.admin is forbidden.
[httpsd 190 - 1592532203    error] api_return_http_result[645] -- API error 403 raised
  • trusthost1 issue.

the target must be a masked network.

- hosts: fortigate01
  connection: httpapi
  collections:
    - fortinet.fortios
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure system admin.
    fortios_system_admin:
      vdom:  "{{ vdom }}"
      state: "present"
      system_admin:
         name: 'admin'
         trusthost1: '130.140.25.23/32'  # <====== watch out

thanks,
Link.

diLLec commented on July 21, 2024

Thanks @chillancezen. With which debug command are the above-mentioned httpsd messages created? I think they give much insight and would be very helpful in other cases.

chillancezen commented on July 21, 2024

@diLLec,

ssh to fortigate device then the shell is opened:

  • Turn on debugging:
diagnose debug enable
diagnose debug cli 8
diagnose debug application httpsd -1
  • Turn off debugging:
diagnose debug disable

yes it's helpful to address parameters issue in Ansible.

thanks,
Link

chillancezen commented on July 21, 2024

hi @diLLec Michael,

I now mark this issue closed. Please feel free to reopen it in case of any issues.
we are glad to help.

thanks,
Link

seohs7 commented on July 21, 2024

hi @chillancezen,

I'm having the same issue changing admin's password using Ansible.
Is it still not possible using fortios_system_admin?
Could you please provide an example of how to change admin's password using another method?

Thanks in advance.

chillancezen commented on July 21, 2024

> hi @chillancezen,
>
> I'm having the same issue changing admin's password using Ansible.
> Is it still not possible using fortios_system_admin?
> Could you please provide an example of how to change admin's password using another method?
>
> Thanks in advance.

hi @seohs7 ,

could you try raw curl command:

curl --insecure -X POST "https://192.168.190.132:443/api/v2/monitor/system/change-password/select?access_token=<your access token>" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "{ \"mkey\": \"<your user id>\", \"old_password\": \"<your old password>\", \"new_password\": \"<your new password>\"}"

we are going to support this from Ansible in next major release.

seohs7 commented on July 21, 2024

Hi @chillancezen ,

Thank you for your response.
In this case, I must generate an access_token in the first place. How can I do that programmatically? Because I'd love to use only Ansible via fortios_* modules or via API request through native uri module.

My workflow starts as the following:
1 - Instantiate a FGT-VM via Terraform using a template
2 - Run basic configuration using Ansible:
2.1 - First admin's password change
2.2 - Replace security banner alert message
2.3 - etc...

So, is it possible to change the admin's password during the step 2 to avoid the interaction with the prompt as following:

New Password:
Confirm Password: 

Thank you in advance.

chillancezen commented on July 21, 2024

we are sorry that we don't have a good programmable way to generate a token for future use.

but we are still able to change admin's password via the following commands:

curl --insecure -X POST https://192.168.190.132/logincheck -H 'Cache-Control: no-cache' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=admin&secretkey=<your admin password>&ajax=1' -c /tmp/cookies

curl -b /tmp/cookies --insecure -X POST "https://192.168.190.132:443/api/v2/monitor/system/change-password?vdom=root" -H "accept: application/json" -H "X-CSRFTOKEN: `cat /tmp/cookies |grep 'ccsrftoken' |grep -v 'ccsrftoken_' |sed 's/\t/ /g' |cut -d ' ' -f 7|tr -d '"'`" -H "Content-Type: application/x-www-form-urlencoded" -d "{ \"mkey\": \"admin\", \"old_password\": \"<old_password>\", \"new_password\": \"<new_password>\"}"

it looks a little complicated but we don't have a better way to do so.
we are going to implement this function from Ansible, #74 is tracking this.

thanks,
Link.
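
The two-step flow in the comment above (log in at /logincheck, then send the ccsrftoken cookie value as X-CSRFTOKEN), written as an added shell example that is not code from the thread or from the collection. It keeps the cookie jar in a private temporary file, matches the cookie name exactly, and stops if no token was issued; the FGT_* variable names and the sample jar are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example. Endpoints, form fields and header names are the ones quoted
# in the thread; FGT_HOST/FGT_USER/FGT_OLD/FGT_NEW are hypothetical variables.

# Print the value of the cookie named exactly "ccsrftoken" from a curl
# (Netscape-format) jar: tab-separated, name in field 6, value in field 7.
# HttpOnly cookies are stored on lines starting "#HttpOnly_", so only real
# comment lines are skipped. Exit status is non-zero when no token is found.
csrf_from_jar() {
  awk -F'\t' '
    /^#/ && !/^#HttpOnly_/ { next }
    NF >= 7 && $6 == "ccsrftoken" { gsub(/"/, "", $7); print $7; found = 1; exit }
    END { exit !found }
  ' "$1"
}

# Constructed cookie jar (not captured from a device) for trying the parser.
sample_jar() {
  printf '# Netscape HTTP Cookie File\n'
  printf '#HttpOnly_192.0.2.10\tFALSE\t/\tTRUE\t0\tsession_example\t"xyz"\n'
  printf '192.0.2.10\tFALSE\t/\tTRUE\t0\tccsrftoken_example\t"AAAA1111"\n'
  printf '192.0.2.10\tFALSE\t/\tTRUE\t0\tccsrftoken\t"BBBB2222"\n'
}

# Runs in a subshell "( ... )" so umask, variables and the trap stay local.
fgt_change_password() (
  umask 077                        # jar readable by this user only
  jar=$(mktemp) || exit 1          # unpredictable name instead of /tmp/cookies
  trap 'rm -f "$jar"' EXIT         # session cookie is removed when the call ends
  base="https://$FGT_HOST"
  # No --insecure: curl verifies the certificate; a device with a private CA
  # needs --cacert <file> added to both calls.
  curl -sS -o /dev/null -c "$jar" -X POST "$base/logincheck" \
    --data-urlencode "username=$FGT_USER" \
    --data-urlencode "secretkey=$FGT_OLD" -d 'ajax=1' || exit 1
  token=$(csrf_from_jar "$jar") || { echo 'no ccsrftoken: login failed' >&2; exit 1; }
  # Body shape as posted in the thread; assumes values contain no '"' or '\'.
  printf '{ "mkey": "%s", "old_password": "%s", "new_password": "%s"}' \
    "$FGT_USER" "$FGT_OLD" "$FGT_NEW" |
    curl -sS -b "$jar" -X POST "$base/api/v2/monitor/system/change-password?vdom=root" \
      -H 'accept: application/json' -H "X-CSRFTOKEN: $token" \
      -H 'Content-Type: application/x-www-form-urlencoded' -d @-
)
```

The parser can be tried offline with `sample_jar > jar.txt; csrf_from_jar jar.txt`.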

seohs7 commented on July 21, 2024

Hello @chillancezen,

Your workaround works fine for me.
Thanks.

onurbrc commented on July 21, 2024

Hi @chillancezen,

I'm using my workaround below and it worked as well.

    # Using expect (shell like) to interact with target
    - name: Using native shell for the 1st password changing interaction
      shell: |
        set timeout 20
        spawn ssh -o StrictHostKeyChecking=no {{ login | default('admin') }}@{{ mgmtIp | default(ansible_host) }}        
        
        expect "New*Password*"
        send "admin\n"
        
        expect "\nConfirm*"
        send "admin\n"
        
        expect "\n{{ inventory_hostname }}*"
        
        send "\n"
        
        exit 0
      args:
        executable: /usr/bin/expect
      delegate_to: localhost

Thanks.
