Authorization of LDAP users in bmcweb

Alexander Amelkin a.amelkin at yadro.com
Wed Apr 1 06:20:54 AEDT 2020


16.10.2019 14:13, RAJESWARAN THILLAIGOVINDAN wrote:
>
> On 09-10-2019 23:25, Ed Tanous wrote:
>> I'd rather we discuss on the mailing list, so others can have input, and
>> we've documented our conversation for archival later.  I appreciate the
>> offer though.

That was a wise decision. Although it didn't help me here, it did 
clarify some things.

What I would like to know is: is LDAP authentication fully working in 
master now?

We're trying to configure it with Intel-BMC/openbmc/intel for the wolfpass
target and it looks like LDAP support is somehow incomplete.

I configure binding to the server and try to authenticate with an LDAP
user in the WebUI, but I get a message in journalctl that the requirement
"user in group redfish" is not met by the user, and an "Invalid username or
password" message appears in the web browser. I don't see any means in the
WebUI to include any remote users in the 'redfish' group. Adding the user to
an LDAP group 'redfish' doesn't help (why would it?).

Trying to log in to the shell also fails without any diagnostics, just
"authentication failure".

After reading user_management.md, I would expect the following scenario:

1. I enter credentials for LDAP binding
2. I list LDAP groups with their respective OpenBMC privileges
3. I log in with an LDAP user without any errors and get the privilege 
according to the LDAP/OpenBMC group mapping set up in 2)

Currently it doesn't work like that for me.

So the question is: is it the Intel-BMC/openbmc repo that is not up to date,
or is LDAP support in openbmc/openbmc also incomplete? Or am I doing
anything wrong?

Thank you for any help.


