Exposing LDAP groups via REST

Rebecca Broekhuis beccabroek at gmail.com
Thu Nov 8 04:35:54 AEDT 2018


Hi community,
I want to discuss a feature the front end team is hoping to find a way
to implement for LDAP configuration in the GUI. It raises some
security questions and I'm hoping for input. When adding a privilege
mapping (associating a LDAP role group with a privilege on the BMC)
via the GUI, the user needs to enter the group name as it is
configured on the LDAP server and the privilege that should be given
to this group. The GUI is able to provide a drop down of the available
privileges for the user to select, but the role group name must be
typed in. The challenge with this is that there is no confirmation
that the LDAP group name the user entered is valid besides trying to
perform actions as an LDAP user in the group after it is configured.

Working with the design team here at IBM, it was brought up that it
would be ideal (from a usability perspective) for the user to have a
drop down of the available LDAP groups. This would require using the
stored LDAP configuration in the back end to query for a list of
groups to display to the user.

As this would be the first instance in which we're doing something
like this with LDAP (using the given configuration to query the LDAP
server and display something to the user), it raises a couple of
questions:

1. Should there be an endpoint that allows retrieving information from
the LDAP server like this?
2. If so, who should be able to access?
Any input would be appreciated!

--Becca Shaw


More information about the openbmc mailing list