Authorization of LDAP users in bmcweb:

RAJESWARAN THILLAIGOVINDAN rajeswaran.thillaigovindan at gmail.com
Sat Sep 28 04:59:39 AEST 2019


We would like to discuss the following points raised in the gerrit 
commit 23538 (https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/23538).

1. Why is LDAP any different than non-ldap in phosphor-user-manager?  Do 
LDAP users not get registered with the system?  That seems odd.

LDAP users are not managed by OpenBMC. Unlike local users, privileges 
are assigned directly to the LDAP user.
For an LDAP user, it is a two-step process:
- Get the group name
- Look for the privilege of the group

For local users:
- Each user is directly part of a group (priv-admin/priv-user/priv-callback).

Why are D-Bus objects not created for LDAP users?

There is no use-case for it. A few reasons are listed below:
-> LDAP is used for authentication and not for user management
-> If we show LDAP users, the OpenBMC admin cannot do anything for those users
-> LDAP notifications are not there. So, we cannot update the LDAP user object.
https://www.openldap.org/lists/openldap-technical/201008/msg00175.html
https://lists.arthurdejong.org/nss-pam-ldapd-users/2019/msg00035.html
We can look for a sync option by using some other open-source tool, but do we require that much complexity?

2. All of the matches you've listed seem to already be present in 
bmcweb.  I'm confused what exactly you're adding.

We have added matches only for local users, who have D-Bus objects.

For LDAP users, D-Bus objects are not created. Hence, they will not be 
found in the live user-role map.

For LDAP users, we need to make the call for getpw, getgr, getgr_name 
using the ldap_nss module, which internally makes a call to LDAP and gets 
the group name.

OpenBMC manages the LDAP role groups and privileges, and a D-Bus object is 
created for each such role group. Like the live user-role map for local 
users, we need a live role-group to privilege map for LDAP users.

3. The above makes me think that we're logging in users that don't 
necessarily have a username on the system, which seems really contrary 
to the design, where PAM is used to interchange user privileges.  What 
you suggest above seems to be breaking that?

I am sorry that I could not understand what you mean by "PAM is used to 
interchange user privileges". PAM is used only for authentication.

For getting the privileges, we shall call getpw_nam and getgr_id. For 
local users, these APIs are not used as the D-Bus object has this info.

For LDAP users, we call getpw, getgr, getgr_name using the ldap_nss module, 
which internally calls LDAP and gets the results.

The user management application provides the method GetUserInfo() to get 
the local and LDAP user privileges. This method abstracts how the 
privileges are stored and retrieved. This is as per the user-management 
design.

We have discussed this in the community call around a year back.
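The two-step lookup described in this message (group names through NSS, then the role-group to privilege map) next to the one-step path for local users, as an added C++ example. It is not bmcweb or phosphor-user-manager code: the map contents, the group names (bmc-admins, bmc-operators, engineering), the user names and the functions groupsViaNss, sampleDirectoryLookup, ldapPrivilege and resolvePrivilege are assumptions for illustration, and GetUserInfo() itself is not modelled. A user who is in no configured role group resolves to no privilege and has to be denied.

```cpp
#include <grp.h>
#include <pwd.h>

#include <array>
#include <cstdio>
#include <functional>
#include <map>
#include <optional>
#include <string>
#include <vector>

// Live user-role map for local users (bmcweb keeps this from the
// phosphor-user-manager D-Bus objects). Constructed sample data.
using UserRoleMap = std::map<std::string, std::string>;
static const UserRoleMap sampleUserRoles = {{"alice", "priv-admin"}};

// LDAP role group -> privilege; one D-Bus object per role group in the
// real system. Group names here are hypothetical.
using RoleGroupMap = std::map<std::string, std::string>;
static const RoleGroupMap sampleRoleGroups = {{"bmc-admins", "priv-admin"},
                                              {"bmc-operators", "priv-user"}};

using GroupLookup = std::function<std::vector<std::string>(const std::string&)>;

// Step 1 for an LDAP user: group names through NSS (getpwnam_r, getgrouplist,
// getgrgid_r). With nss-pam-ldapd this reaches LDAP; an unknown user yields {}.
std::vector<std::string> groupsViaNss(const std::string& user)
{
    std::vector<std::string> names;
    std::array<char, 8192> buf{};
    passwd pwd{};
    passwd* pwdFound = nullptr;
    if (getpwnam_r(user.c_str(), &pwd, buf.data(), buf.size(), &pwdFound) != 0 ||
        pwdFound == nullptr)
        return names;
    int ngroups = 64;
    std::vector<gid_t> gids(static_cast<size_t>(ngroups));
    if (getgrouplist(user.c_str(), pwd.pw_gid, gids.data(), &ngroups) == -1)
    {
        gids.resize(static_cast<size_t>(ngroups)); // ngroups now holds the required size
        if (getgrouplist(user.c_str(), pwd.pw_gid, gids.data(), &ngroups) == -1)
            return names;
    }
    gids.resize(static_cast<size_t>(ngroups));
    for (gid_t gid : gids)
    {
        group grp{};
        group* grpFound = nullptr;
        if (getgrgid_r(gid, &grp, buf.data(), buf.size(), &grpFound) == 0 &&
            grpFound != nullptr)
            names.emplace_back(grp.gr_name);
    }
    return names;
}

// Constructed stand-in for a directory reachable through NSS, so the example
// runs without an LDAP server.
std::vector<std::string> sampleDirectoryLookup(const std::string& user)
{
    static const std::map<std::string, std::vector<std::string>> dir = {
        {"bob", {"engineering", "bmc-operators"}}, {"eve", {"engineering"}}};
    auto it = dir.find(user);
    return it == dir.end() ? std::vector<std::string>{} : it->second;
}

// Step 2 for an LDAP user: the first group with a configured role mapping
// wins; a user in no mapped group gets no privilege and must be denied.
std::optional<std::string> ldapPrivilege(const std::vector<std::string>& groups,
                                         const RoleGroupMap& roleGroups)
{
    for (const auto& g : groups)
    {
        auto it = roleGroups.find(g);
        if (it != roleGroups.end())
            return it->second;
    }
    return std::nullopt;
}

// Local users are answered from the live user-role map; anyone else is
// treated as an LDAP user and resolved via group -> role group -> privilege.
std::optional<std::string> resolvePrivilege(const std::string& user,
                                            const UserRoleMap& userRoles,
                                            const RoleGroupMap& roleGroups,
                                            const GroupLookup& lookup = groupsViaNss)
{
    auto local = userRoles.find(user);
    if (local != userRoles.end())
        return local->second;
    return ldapPrivilege(lookup(user), roleGroups);
}

int main()
{
    for (const char* u : {"alice", "bob", "eve"})
    {
        auto p = resolvePrivilege(u, sampleUserRoles, sampleRoleGroups, sampleDirectoryLookup);
        std::printf("%s -> %s\n", u, p ? p->c_str() : "denied");
    }
    return 0;
}
```

In the real system the lookup passed to resolvePrivilege would be groupsViaNss, which is also the default; the constructed sampleDirectoryLookup only replaces the NSS/LDAP round trip so the two mapping steps can be exercised offline.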


