Authorization of LDAP users in bmcweb
Alexander Amelkin
a.amelkin at yadro.com
Wed Apr 1 06:20:54 AEDT 2020
16.10.2019 14:13, RAJESWARAN THILLAIGOVINDAN wrote:
>
> On 09-10-2019 23:25, Ed Tanous wrote:
>> I'd rather we discuss on the mailing list, so others can have input, and
>> we've documented our conversation for archival later. I appreciate the
>> offer though.
That was a wise decision. Although it didn't help me here, it did
clarify some things.

What I would like to know is: is LDAP authentication fully working in
master now?

We're trying to configure it with Intel-BMC/openbmc/intel for the wolfpass
target and it looks like LDAP support is somehow incomplete.

I configure binding to the server and try to authenticate with an LDAP
user in the WebUI, but I get a message in journalctl that the requirement "user
in group redfish" is not met by the user, and an "Invalid username or
password" appears in the web browser. I don't see any means in the WebUI to
include any remote users in the 'redfish' group. Adding the user to an LDAP
group 'redfish' doesn't help (why would it?).

Trying to log in to the shell also fails without any diagnostics, just
"authentication failure".

After reading the user_management.md I would expect the following scenario:

1. I enter credentials for LDAP binding
2. I list LDAP groups with their respective OpenBMC privileges
3. I log in with an LDAP user without any errors and get the privilege
   according to the LDAP/OpenBMC group mapping set up in 2)

Currently it doesn't work like that for me.

So the question is: is it the Intel-BMC/openbmc repo that is not up to date
or is LDAP support in openbmc/openbmc also incomplete? Or am I doing
anything wrong?

Thank you for any help.