Authorization of LDAP users in bmcweb:
RAJESWARAN THILLAIGOVINDAN
rajeswaran.thillaigovindan at gmail.com
Sat Sep 28 04:59:39 AEST 2019
We would like to discuss the following points raised in the gerrit
commit 23538 (https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/23538).
1. Why is LDAP any different than non-ldap in phosphor-user-manager? Do
LDAP users not get registered with the system? That seems odd.
LDAP users are not managed by OpenBMC. Unlike local users, privileges
are assigned directly to the LDAP user.
For an LDAP user, it is a two-step process:
- Get the group name
- Look up the privilege for that group
For local users:
- Each user is directly a member of a privilege group (priv-admin/priv-user/priv-callback).
Why are D-Bus objects not created for LDAP users?
There is no use-case for it. A few reasons are listed below:
-> LDAP is used for authentication and not for user management
-> If we show LDAP users, the OpenBMC admin cannot do anything for those
users
-> LDAP does not provide change notifications, so we cannot update the
LDAP user object.
https://www.openldap.org/lists/openldap-technical/201008/msg00175.html
https://lists.arthurdejong.org/nss-pam-ldapd-users/2019/msg00035.html
We could look for a sync option using some other open-source tool,
but do we need that much complexity?
2. All of the matches you've listed seem to already be present in
bmcweb. I'm confused what exactly you're adding.
We have added matches only for local users, who have D-Bus objects.
For LDAP users, D-Bus objects are not created. Hence, they will not be
found in the live user-role map.
For LDAP users, we need to call getpw, getgr, getgr_name via the LDAP
NSS module (ldap_nss), which internally queries the LDAP server and
returns the group name.
OpenBMC manages LDAP role groups and their privileges, and a D-Bus object
is created for each such role group. Like the live user-role map for
local users, we need a live role-group-to-privilege map for LDAP users.
3. The above makes me think that we're logging in users that don't
necessarily have a username on the system, which seems really contrary
to the design, where PAM is used to interchange user privileges. What
you suggest above seems to be breaking that?
I am sorry that I could not understand what you mean by "PAM is used to
interchange user privileges". PAM is used only for authentication.
To get the privileges, we shall call getpw_nam and getgr_id. For
local users, these APIs are not used, as the D-Bus object has this info.
For LDAP users, we call getpw, getgr, getgr_name via the LDAP NSS module
(ldap_nss), which internally queries the LDAP server and returns the results.
The user management application provides the method GetUserInfo() to get
the local and LDAP user privileges. This method abstracts how the
privileges are stored and retrieved. This is as per the user-management
design.
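The two lookup paths described above (local users are members of a priv-* group directly; LDAP users are resolved through NSS to a role group, which is then mapped to a privilege) can be shown in one small C++ program. This is an added example, not bmcweb or phosphor-user-manager code: the role-group map is a constructed stand-in for the D-Bus role-group objects, the precedence order admin > user > callback is an assumption, and getpwnam_r/getgrouplist/getgrgid_r stand in for the getpw/getgr calls mentioned in the mail (they go through whatever NSS sources nsswitch.conf lists, including an LDAP NSS module if one is configured).

```cpp
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

#include <map>
#include <optional>
#include <string>
#include <vector>

// Role group -> privilege, standing in for the per-role-group D-Bus objects.
// Constructed sample values; a real deployment reads these from the user manager.
using RoleGroupPrivilegeMap = std::map<std::string, std::string>;
const RoleGroupPrivilegeMap kSampleLdapRoleGroups = {
    {"bmc-admins", "priv-admin"},     // constructed
    {"bmc-operators", "priv-user"},   // constructed
};

// Privilege precedence when a user is in more than one privilege group.
// Assumption for this example: admin outranks user outranks callback.
const std::vector<std::string> kPrivilegeOrder = {"priv-admin", "priv-user",
                                                  "priv-callback"};

// Step 1: resolve the user through NSS and collect its group names.
// Returns nullopt when no NSS source (local files or LDAP) knows the user.
std::optional<std::vector<std::string>> nssGroupsForUser(const std::string& user)
{
    struct passwd pwd{};
    struct passwd* found = nullptr;
    std::vector<char> buf(16384);
    if (getpwnam_r(user.c_str(), &pwd, buf.data(), buf.size(), &found) != 0 ||
        found == nullptr)
    {
        return std::nullopt;
    }

    // getgrouplist() reports -1 and the required size when the array is too small.
    int ngroups = 32;
    std::vector<gid_t> gids(ngroups);
    while (getgrouplist(user.c_str(), pwd.pw_gid, gids.data(), &ngroups) == -1)
    {
        gids.resize(ngroups);
    }
    gids.resize(ngroups);

    std::vector<std::string> names;
    for (gid_t gid : gids)
    {
        struct group grp{};
        struct group* gfound = nullptr;
        if (getgrgid_r(gid, &grp, buf.data(), buf.size(), &gfound) == 0 &&
            gfound != nullptr)
        {
            names.emplace_back(grp.gr_name);
        }
    }
    return names;
}

// Step 2: map group names to a privilege. A local user carries the privilege
// as a direct group membership; an LDAP user carries a role group that the
// role-group map translates. The highest-ranking match wins.
std::optional<std::string> privilegeFromGroups(
    const std::vector<std::string>& groups,
    const RoleGroupPrivilegeMap& ldapRoleGroups)
{
    std::optional<std::string> best;
    auto rank = [](const std::string& p) {
        for (size_t i = 0; i < kPrivilegeOrder.size(); ++i)
            if (kPrivilegeOrder[i] == p) return i;
        return kPrivilegeOrder.size();  // unknown privilege string: lowest rank
    };
    auto consider = [&](const std::string& priv) {
        if (rank(priv) < kPrivilegeOrder.size() && (!best || rank(priv) < rank(*best)))
            best = priv;
    };
    for (const auto& g : groups)
    {
        consider(g);  // local-user case: group name is the privilege itself
        auto it = ldapRoleGroups.find(g);
        if (it != ldapRoleGroups.end())
            consider(it->second);  // LDAP case: role group -> privilege
    }
    return best;
}

// Both steps together: nullopt for an unknown user or a user with no privilege.
std::optional<std::string> privilegeForUser(const std::string& user,
                                            const RoleGroupPrivilegeMap& ldapRoleGroups)
{
    auto groups = nssGroupsForUser(user);
    if (!groups)
        return std::nullopt;
    return privilegeFromGroups(*groups, ldapRoleGroups);
}
```

Because the mapping step takes plain group names, it can be checked without an LDAP server: feed it the group lists a local and an LDAP user would produce and compare the result, and treat a user who resolves to no privilege at all as unauthorized rather than defaulting to anything.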
We discussed this in the community call about a year ago.