<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:新細明體;
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:細明體;
panose-1:2 2 5 9 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@新細明體";
panose-1:2 1 6 1 0 1 1 1 1 1;}
@font-face
{font-family:"\@細明體";
panose-1:2 1 6 9 0 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"新細明體",serif;}
tt
{mso-style-priority:99;
font-family:細明體;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"新細明體",serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="ZH-TW" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Hi Alex:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Yes, the patch does pretty much like what you described.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">I also agree that the it’s prone to group name conflicts (or group id conflicts) considering the pam_succeed_if module case.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">There is a LDAP mapping commit merged which handles local privileges and LDAP groups but it doesn’t cover this “redfish” group case.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">The applications which require authentication might also have similar issues with attempts to login with remote users.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">It would be good to consider resource conflicts (like group name/id) and have a more generic rule or direction like your suggestion for the applications which require authentication.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Thank you.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Tyrone<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt">From:</span></b><span lang="EN-US" style="font-size:11.0pt"> Alexander Amelkin <a.amelkin@yadro.com>
<br>
<b>Sent:</b> Wednesday, April 1, 2020 11:53 PM<br>
<b>To:</b> CS20 KFTing <KFTING@nuvoton.com>; openbmc@lists.ozlabs.org<br>
<b>Subject:</b> Re: Authorization of LDAP users in bmcweb<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">01.04.2020 10:40, CS20 KFTing пишет:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">Hi Alex:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Please help try the patch from <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_Nuvoton-2DIsrael_openbmc_blob_runbmc_meta-2Dquanta_meta-2Dolympus-2Dnuvoton_recipes-2Dextended_pam_libpam_pam-5Fsucceed-5Fif-5Fsupport-5Fldap-5Fuser-5Flogin.patch&d=DwMDaQ&c=ue8mO8zgC4VZ4q_aNVKt8G9MC01UFDmisvMR1k-EoDM&r=kGibSCEQz-PilnW-r9KNT7_zWJXJNtnSK5aYZCe7SVs&m=NvY0y5qgeVYgwBUmgPJn9gfuklkZu11eTEYkJtwUePc&s=Oixt4eJ2mGZGfFEgNxUIONqQt_5o-xNktgmbbF_nQbc&e=">
https://github.com/Nuvoton-Israel/openbmc/blob/runbmc/meta-quanta/meta-olympus-nuvoton/recipes-extended/pam/libpam/pam_succeed_if_support_ldap_user_login.patch</a> to libpam and see how it goes.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Besides the patch, the user from the ldap server needs to be in the “redfish” group in the ldap server database and it’s already done according to your description.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The requirement "user in group redfish" is controlled by the pam_succeed_if module when a user tries to login via WebUI and the original implementation in pam_succeed_if module has some limitation on group identification.<o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"新細明體",serif">We've tested your patch. It works, but not every time.<o:p></o:p></span></p>
<p><span lang="EN-US">I suspect that the groups check leads to requesting all groups from LDAP, and that takes a lot of time in our setup so authentication times out and fails. When I repeat the auth request, the list of groups is already in the memory and
so authentication completes successfully.<o:p></o:p></span></p>
<p><span lang="EN-US">I believe that there should be an easy way to make a mapping between LDAP and local permission (such as 'redfish', etc.) and privilege (such as 'priv-admin', etc.) groups. I'd say that there must be no need to add a user to LDAP `redfish`
group, and I personally dislike that approach because it is prone to group name clashes. What I think would be great is have in WebUI a table like this:<o:p></o:p></span></p>
<p><tt><span lang="EN-US">LDAP Group | Privilege level | SSH | Redfish | Web</span></tt><span lang="EN-US" style="font-family:細明體"><br>
<tt>===========|=================|=====|=========|====</tt><br>
<tt>SomeGroup | Administrator | Y | Y | Y</tt><br>
<tt>OtherGroup | Operator | N | Y | Y</tt></span><span lang="EN-US"><o:p></o:p></span></p>
<p><tt><span lang="EN-US">* IPMI is not listed because it requires plain-text passwords and can't be authenticated against LDAP</span></tt><span lang="EN-US"><o:p></o:p></span></p>
<p><span lang="EN-US">What do you think?<o:p></o:p></span></p>
<p><span lang="EN-US">WBR, Alexander<o:p></o:p></span></p>
</div>
<hr align="center" width="100%">
<span style="font-size:12pt;line-height:0.7;font-family: 'Arial'; color:#808080">The privileged confidential information contained in this email is intended for use only by the addressees as indicated by the original sender of this email. If you are not the
addressee indicated in this email or are not responsible for delivery of the email to such a person, please kindly reply to the sender indicating this fact and delete all copies of it from your computer and network server immediately. Your cooperation is highly
appreciated. It is advised that any unauthorized use of confidential information of Nuvoton is strictly prohibited; and any information in this email irrelevant to the official business of Nuvoton shall be deemed as neither given nor endorsed by Nuvoton.
</span>
</body>
</html>