Questions about login with LDAP user.
Kevin WM Chen
kevinwm.chen at insyde.com
Wed Jul 10 13:45:00 AEST 2019
Hi Ratan,
My answers are embedded with your questions as below:
1. Please get me the redfish commands which you used to configure the LDAP.
Ans: We use openbmctool.py
(https://github.com/openbmc/openbmc-tools/blob/master/thalerj/openbmctool.py)
to configure LDAP.
Due to unfamiliarity with OpenBMC, please help to list the
"redfish commands" to configure LDAP.
2. I just want to know the following info:
=> What is your backend LDAP server(AD/openLDAP)?
Ans: The backend LDAP server we use is openLDAP.
=> Did you try to connect your LDAP server with some other external LDAP
client? I normally use the ldapsearch(opensource utility).
But there are some GUI based clients(jxplorer) also.
Ans: We can use ldapsearch to query the user/group of the bindDN on the
server.
By the way, we have revised the openbmctool as follows:
As the function "enableLDAP" in openbmctool.py doesn't support the
properties "GroupNameAttribute" and "UserNameAttribute" yet,
we modified the function to accept those two arguments as below.
diff --git a/thalerj/openbmctool.py b/thalerj/openbmctool.py
index c2bce07..834d812 100755
--- a/thalerj/openbmctool.py
+++ b/thalerj/openbmctool.py
@@ -2595,7 +2595,15 @@ def enableLDAP(host, args, session):
'OpenLDAP' :
'xyz.openbmc_project.User.Ldap.Create.Type.OpenLdap'
}
- data = {"data": [args.uri, args.bindDN, args.baseDN,
args.bindPassword, scope[args.scope], serverType[args.serverType]]}
+ usernameAttribute = ""
+ if args.usernameAttribute:
+ usernameAttribute = args.usernameAttribute
+
+ groupnameAttribute = ""
+ if args.groupnameAttribute:
+ groupnameAttribute = args.groupnameAttribute
+
+ data = {"data": [args.uri, args.bindDN, args.baseDN,
args.bindPassword, scope[args.scope], serverType[args.serverType],
usernameAttribute, groupnameAttribute]}
try:
res = session.post(url, headers=jsonHeader, json=data,
verify=False, timeout=baseTimeout)
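Review bot: the two "if args.usernameAttribute:" / "if args.groupnameAttribute:" blocks added before the new data list only copy the argument or fall back to an empty string, so each can be a single expression such as usernameAttribute = args.usernameAttribute or "", which keeps the hunk shorter and the intent obvious. The data list is positional and now has eight entries, so a comment naming the expected order (uri, bindDN, baseDN, bindPassword, scope, serverType, usernameAttribute, groupnameAttribute) would guard against a swapped pair being sent silently. Note also that this request carries args.bindPassword and the context line posts it with verify=False, so the bind password goes to a host whose certificate is not checked; that is worth revisiting while this call is being touched.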
@@ -3915,6 +3923,8 @@ def createCommandParser():
help='Specifies the search scope:subtree, one level or
base object.')
parser_ldap_config.add_argument("-t", "--serverType",
choices=['ActiveDirectory','OpenLDAP'],
help='Specifies the configured server is
ActiveDirectory(AD) or OpenLdap')
+ parser_ldap_config.add_argument("-u", "--usernameAttribute",
required=True, help="usernameAttribute")
+ parser_ldap_config.add_argument("-g", "--groupnameAttribute",
required=True, help="groupnameAttribute")
parser_ldap_config.set_defaults(func=enableLDAP)
# disable LDAP
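Review bot: required=True on the new -u/--usernameAttribute and -g/--groupnameAttribute options makes argparse reject any existing invocation of this subcommand that does not pass them, even though enableLDAP in the earlier hunk already falls back to an empty string when they are unset. Consider required=False with default="" so the two options stay optional. The help strings only repeat the option names; say what each one is, for example the LDAP attribute that holds the user name and the one that holds the group name.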
Thank you.
Kevin WM Chen
On 7/8/19 4:27 PM, Ratan Gupta wrote:
>
> Hi Kevin,
>
> Please get me the redfish commands which you used to configure the LDAP.
>
> I just want to know the following info:
> => What is your backend LDAP server(AD/openLDAP)?
> => Did you try to connect your LDAP server with some other external
> LDAP client? I normally use the ldapsearch(opensource utility).
> But there are some GUI based clients(jxplorer) also.
>
> Ratan
>
> On 05/07/19 3:32 PM, Kevin WM Chen wrote:
>>
>> Hi Ratan,
>>
>>
>> This is Kevin with Insyde, a software vendor for BIOS and BMC.
>>
>> We are now elaborating on enabling centralized user authentication
>> based on LDAP service for OpenBMC v2.6.
>>
>> We made some progress but cannot get the user to log in successfully
>> via bmcweb.
>>
>> Our platform to run OpenBMC is ast2500evb.
>>
>> The debug log I embedded into bmcweb shows that pam_tally2.so did not
>> find the LDAP user and this caused login via bmcweb to fail.
>>
>> The package checkout points are as below:
>> bmcweb: b97b9c3600
>> phosphor-user-manager: 95a2931473
>> phosphor-dbus-interfaces: 096a5af0a3
>> phosphor-webui: 511a2bbc55
>>
>>
>> Please advise us how to fix the problem, or if there is any document
>> available, please let us know.
>>
>> Thank you,
>>
>>
>> Kevin WM Chen
>>
>> --
>> Kevin WM Chen 陳韋民
>> Insyde Software Corp.
>> Email :kevinwm.chen at insyde.com
>> Tel : +886-2-6608-3688 # 8562
--
Kevin WM Chen 陳韋民
Insyde Software Corp.
Email : kevinwm.chen at insyde.com
Tel : +886-2-6608-3688 # 8562