<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Ratan, <br>
</p>
<p>submitted a proper fix for the same <br>
</p>
<p><a
href="https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/32883">https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/32883</a>
(depends on <a href="https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/32901">https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/32901</a>).
Please verify the same and let me know your comments. <br>
</p>
<p>Regards,</p>
<p>Richard<br>
</p>
<div class="moz-cite-prefix">On 5/19/2020 8:51 PM, Thomaiyar,
Richard Marian wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9e6d226f-fb2a-4d1e-f68f-826d958e85ec@linux.intel.com">Agree.
For LDAP users we defined privilege-related mapping only and not
group-based authentication restriction. I think adding group-based
authentication for LDAP users immediately is not a good option, as
it must be done with agreement from everyone.
<br>
<br>
A quick solution is to skip the pam_succeed_if check if it is a local
user, using the pam_localuser module, i.e. using the user_unknown condition
to skip pam_succeed_if we can skip the group check for LDAP
users and still continue for local users.
<br>
<br>
Note: I am OK if you want to revert the fix immediately; I can
roll out the fix this weekend after testing.
<br>
<br>
Regards,
<br>
<br>
Richard
<br>
<br>
<br>
On 5/19/2020 3:35 PM, Ratan Gupta wrote:
<br>
<blockquote type="cite">in the LDAP server and put the ldap user
under the newly created "redfish" group
<br>
but that didn't help, as the same group is listed in both
places (Local, LDAP)
<br>
<br>
As I explained above, the local database will get prioritized over LDAP
<br>
<br>
Hence there would be a failure. Now we have the following option:
<br>
<br>
Prioritize LDAP over Local if LDAP is enabled, but in that case
the same problem will occur for the local user.
<br>
<br>
We have upstream tagging planned for this week, and with the
commit below LDAP is broken
<br>
<br>
(<a class="moz-txt-link-freetext" href="https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125">https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125</a>.)
<br>
<br>
Should we revert it or do you have any plans?
<br>
<br>
Please let me know your thoughts. </blockquote>
</blockquote>
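<p>The pam_localuser approach described in the quoted thread, written out as an added PAM stack fragment for illustration (this is not the content of the linked Gerrit changes; the service file name and the "before" line are assumed, while the "redfish" group name comes from the thread):</p>

```text
# /etc/pam.d/webserver   (service name assumed for illustration)
#
# BEFORE: the group check is applied to every account. An LDAP user
# does not pass the local "redfish" group check (LDAP users only carry
# the privilege mapping), so pam_succeed_if fails and LDAP login breaks:
#
#   auth    required    pam_succeed_if.so   user ingroup redfish
#
# AFTER: ask pam_localuser first and apply the group check only to
# accounts that exist in /etc/passwd.
#
#   success        -> local account: fall through to the group check
#   user_unknown=1 -> not in /etc/passwd (LDAP user): treated as ok and
#                     the next 1 module (pam_succeed_if) is skipped
#   default=bad    -> any other result fails the stack
#
# Assumption: this Linux-PAM build reports a non-local user as
# user_unknown, as the thread states. Older pam_localuser builds
# returned perm_denied; add "perm_denied=1" to the bracket if yours does.
auth    [success=ok user_unknown=1 default=bad]   pam_localuser.so
auth    required    pam_succeed_if.so   user ingroup redfish
# ... the remaining auth lines (local password / LDAP modules) follow unchanged
```

<p>A local account outside the "redfish" group is still rejected at pam_succeed_if, while an LDAP account bypasses only that line and is then authenticated by the modules that follow.</p>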
</body>
</html>