Questions about login with LDAP user.

Ratan Gupta ratagupt at linux.vnet.ibm.com
Fri Jul 12 12:19:51 AEST 2019


Hi Kevin,

Thanks for sharing the info.

We are in the middle of updating the openbmctool for the LDAP, and would share the 
commit once it is done.

Regarding the redfish commands, you can use the following link:

https://pastebin.com/ibX5nyAc

If you still hit the issue, please share the output of the ldapsearch 
command.

e.g.: ldapsearch -d 2 -H ldap://ldaptest.abc.com/ -x -W -D "<bind_dn>" -b 
"<base_dn>" "(objectclass=*)"

Ratan

On 10/07/19 9:15 AM, Kevin WM Chen wrote:
>
> Hi Ratan,
>
>
> My answers are embedded with your questions as below:
>
> 1. Please get me the redfish commands which you used to configure the 
> LDAP.
>
> Ans: We use openbmctool.py 
> (https://github.com/openbmc/openbmc-tools/blob/master/thalerj/openbmctool.py) 
> to configure LDAP.
>         Due to our unfamiliarity with OpenBMC, please help us by listing the 
> "redfish commands" to configure LDAP.
>
> 2. I just want to know the following info:
> => What is your backend LDAP server (AD/OpenLDAP)?
>
> Ans: The backend LDAP server we use is OpenLDAP.
>
> => Did you try to connect your LDAP server with some other external 
> LDAP client? I normally use ldapsearch (an open-source utility),
>        but there are also some GUI-based clients (JXplorer).
>
> Ans: We can use ldapsearch to query the user/group of the bindDN on 
> the server.
>
>
> By the way, we have revised the openbmctool as follows:
>
> As the function "enableLDAP" in openbmctool.py does not yet support the 
> properties "GroupNameAttribute" and "UserNameAttribute",
> we modified the function to accept those two arguments as below.
>
> diff --git a/thalerj/openbmctool.py b/thalerj/openbmctool.py
> index c2bce07..834d812 100755
> --- a/thalerj/openbmctool.py
> +++ b/thalerj/openbmctool.py
> @@ -2595,7 +2595,15 @@ def enableLDAP(host, args, session):
>              'OpenLDAP' : 
> 'xyz.openbmc_project.User.Ldap.Create.Type.OpenLdap'
>              }
>
> -    data = {"data": [args.uri, args.bindDN, args.baseDN, 
> args.bindPassword, scope[args.scope], serverType[args.serverType]]}
> +    usernameAttribute = ""
> +    if args.usernameAttribute:
> +        usernameAttribute = args.usernameAttribute
> +
> +    groupnameAttribute = ""
> +    if args.groupnameAttribute:
> +        groupnameAttribute = args.groupnameAttribute
> +
> +    data = {"data": [args.uri, args.bindDN, args.baseDN, 
> args.bindPassword, scope[args.scope], serverType[args.serverType], 
> usernameAttribute, groupnameAttribute]}
>
>      try:
>          res = session.post(url, headers=jsonHeader, json=data, 
> verify=False, timeout=baseTimeout)
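Review bot: The empty-string fallbacks for usernameAttribute and groupnameAttribute in this hunk can never apply, because the second hunk registers both options with required=True, so argparse rejects the command before enableLDAP runs; either drop the fallbacks or drop required=True and give the options defaults. If a fallback did apply, an empty string would be appended to the data list, and nothing visible here shows that the LDAP Create call accepts an empty attribute name, so that case deserves an explicit check or error.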
> @@ -3915,6 +3923,8 @@ def createCommandParser():
>              help='Specifies the search scope:subtree, one level or 
> base object.')
>      parser_ldap_config.add_argument("-t", "--serverType", 
> choices=['ActiveDirectory','OpenLDAP'],
>              help='Specifies the configured server is 
> ActiveDirectory(AD) or OpenLdap')
> +    parser_ldap_config.add_argument("-u", "--usernameAttribute", 
> required=True, help="usernameAttribute")
> +    parser_ldap_config.add_argument("-g", "--groupnameAttribute", 
> required=True, help="groupnameAttribute")
>      parser_ldap_config.set_defaults(func=enableLDAP)
>
>      # disable LDAP
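Review bot: The help strings for the new -u/--usernameAttribute and -g/--groupnameAttribute options only repeat the option names, whereas the neighbouring --serverType option explains what its value means; say what is expected (the LDAP attribute that holds the user name, such as uid, and the one that holds the group name) in the same style as the other options. Also, required=True makes every existing invocation of this subcommand fail until callers add both flags; if the BMC accepts empty attribute names, a default of "" is the backward-compatible choice and would also make the fallbacks in the first hunk meaningful.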
>
>
> Thank you.
>
> Kevin WM Chen
>
>
> On 7/8/19 4:27 PM, Ratan Gupta wrote:
>>
>> Hi Kevin,
>>
>> Please get me the redfish commands which you used to configure the LDAP.
>>
>> I just want to know the following info:
>> => What is your backend LDAP server (AD/OpenLDAP)?
>> => Did you try to connect your LDAP server with some other external 
>> LDAP client? I normally use ldapsearch (an open-source utility),
>>        but there are also some GUI-based clients (JXplorer).
>>
>> Ratan
>>
>> On 05/07/19 3:32 PM, Kevin WM Chen wrote:
>>>
>>> Hi Ratan,
>>>
>>>
>>> This is Kevin with Insyde, a software vendor for BIOS and BMC.
>>>
>>> We are now working on enabling centralized user authentication 
>>> based on LDAP service for OpenBMC v2.6.
>>>
>>> We made some progress but cannot get the user to log in successfully 
>>> via bmcweb.
>>>
>>> Our platform to run OpenBMC is ast2500evb.
>>>
>>> The debug log I embedded into bmcweb shows that pam_tally2.so did 
>>> not find the LDAP user, and this caused the login via bmcweb to fail.
>>>
>>> The package checkout points are as below:
>>> bmcweb: b97b9c3600
>>> phosphor-user-manager: 95a2931473
>>> phosphor-dbus-interfaces: 096a5af0a3
>>> phosphor-webui: 511a2bbc55
>>>
>>>
>>> Please advise us how to fix the problem, or if there is any document 
>>> available, please let us know.
>>>
>>> Thank you,
>>>
>>>
>>> Kevin WM Chen
>>>
>>> -- 
>>> Kevin WM Chen 陳韋民
>>> Insyde Software Corp.
>>> Email :kevinwm.chen at insyde.com
>>> Tel : +886-2-6608-3688 # 8562
> -- 
> Kevin WM Chen 陳韋民
> Insyde Software Corp.
> Email :kevinwm.chen at insyde.com
> Tel : +886-2-6608-3688 # 8562
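The original report says pam_tally2.so did not find the LDAP user. pam_tally2 has to resolve the user name through NSS (getpwnam) before it can track failed logins, so an account that NSS cannot resolve is reported as unknown and the login fails before the password is checked. The following diagnostic is an added example, not code from the thread or from openbmctool; the user name and the inline nsswitch.conf are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. pam_tally2 resolves the user with
# getpwnam(), so an LDAP account that NSS cannot resolve is reported as
# unknown and the bmcweb login fails before the password is ever checked.

# Return 0 if NSS (files, ldap, sss, ...) can resolve the user name.
check_nss_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# Return 0 if the passwd: line of the given nsswitch.conf lists the source.
passwd_has_source() {
    conf="$1"
    source="$2"
    # Drop comments, keep the passwd: line, then look for the source word.
    sed 's/#.*//' "$conf" | grep -E '^[[:space:]]*passwd:' \
        | grep -qwE "$source"
}

# Diagnose one user; the second argument defaults to the system nsswitch.conf.
diagnose_ldap_login() {
    user="$1"
    conf="${2:-/etc/nsswitch.conf}"
    if check_nss_user "$user"; then
        echo "OK: '$user' resolves via NSS; pam_tally2 can look it up"
        return 0
    fi
    echo "FAIL: '$user' does not resolve via NSS (pam_tally2 will report no such user)"
    if passwd_has_source "$conf" ldap || passwd_has_source "$conf" sss; then
        echo "  passwd lookups do route to LDAP; check the NSS daemon (nslcd/sssd) and the base DN"
    else
        echo "  $conf has no ldap/sss source on its passwd: line"
    fi
    return 1
}

# Constructed sample nsswitch.conf so the script runs stand-alone.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample
passwd:     files ldap
group:      files ldap
shadow:     files
EOF

diagnose_ldap_login root "$SAMPLE_CONF" || true
diagnose_ldap_login "ldapuser-placeholder" "$SAMPLE_CONF" || true
```

On the BMC, run it against the real LDAP user name with the default nsswitch.conf; a FAIL with ldap present on the passwd: line points at the NSS daemon or the base DN rather than at bmcweb.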