Authorization of LDAP users in bmcweb

CS20 KFTing KFTING at nuvoton.com
Mon Apr 6 11:49:46 AEST 2020


Hi Alex:

Yes, the patch does pretty much what you described.

I also agree that it’s prone to group name conflicts (or group id conflicts) considering the pam_succeed_if module case.

There is an LDAP mapping commit merged which handles local privileges and LDAP groups, but it doesn’t cover this “redfish” group case.

The applications which require authentication might also have similar issues with attempts to login with remote users.

It would be good to consider resource conflicts (like group name/id) and have a more generic rule or direction like your suggestion for the applications which require authentication.

Thank you.

Regards,
Tyrone

From: Alexander Amelkin <a.amelkin at yadro.com>
Sent: Wednesday, April 1, 2020 11:53 PM
To: CS20 KFTing <KFTING at nuvoton.com>; openbmc at lists.ozlabs.org
Subject: Re: Authorization of LDAP users in bmcweb

01.04.2020 10:40, CS20 KFTing wrote:
Hi Alex:

Please help try the patch from https://github.com/Nuvoton-Israel/openbmc/blob/runbmc/meta-quanta/meta-olympus-nuvoton/recipes-extended/pam/libpam/pam_succeed_if_support_ldap_user_login.patch to libpam and see how it goes.

Besides the patch, the user from the ldap server needs to be in the “redfish” group in the ldap server database and it’s already done according to your description.

The requirement "user in group redfish" is controlled by the pam_succeed_if module when a user tries to log in via the WebUI, and the original implementation in the pam_succeed_if module has some limitations on group identification.
We've tested your patch. It works, but not every time.

I suspect that the groups check leads to requesting all groups from LDAP, and that takes a lot of time in our setup so authentication times out and fails. When I repeat the auth request, the list of groups is already in the memory and so authentication completes successfully.

I believe that there should be an easy way to make a mapping between LDAP and local permission (such as 'redfish', etc.) and privilege (such as 'priv-admin', etc.) groups. I'd say that there must be no need to add a user to an LDAP `redfish` group, and I personally dislike that approach because it is prone to group name clashes. What I think would be great is to have in the WebUI a table like this:

LDAP Group | Privilege level | SSH | Redfish | Web
===========|=================|=====|=========|====
SomeGroup  | Administrator   |  Y  |    Y    |  Y
OtherGroup | Operator        |  N  |    Y    |  Y

* IPMI is not listed because it requires plain-text passwords and can't be authenticated against LDAP

What do you think?

WBR, Alexander
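The mapping table Alexander sketches above, evaluated in code. This is an added illustration and is not bmcweb or OpenBMC code; it assumes the two rows of the table as the whole configuration, exact (case-sensitive) matching on the group name the LDAP server returns, a "highest privilege wins, interfaces are the union" rule when a user is in several mapped groups, and local group names other than priv-admin (priv-operator, priv-user) that the thread does not mention.

```cpp
// Added example, not bmcweb/OpenBMC code: evaluating an "LDAP group ->
// privilege level / interface" mapping table like the one proposed in the thread.
#include <algorithm>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Ordered so that a larger value is a more powerful role. Only Administrator and
// Operator appear in the thread; ReadOnly is an assumption for this example.
enum class Privilege { None = 0, ReadOnly = 1, Operator = 2, Administrator = 3 };

// Interfaces a table row grants. IPMI is absent on purpose: the thread notes it
// cannot be authenticated against LDAP.
struct Interfaces {
    bool ssh = false;
    bool redfish = false;
    bool web = false;
};

struct MappingRow {
    Privilege privilege;
    Interfaces interfaces;
};

// Keyed by the group name exactly as the LDAP server returns it (assumption:
// exact, case-sensitive match; normalise first if the directory is case-insensitive).
using MappingTable = std::map<std::string, MappingRow>;

struct Decision {
    Privilege privilege = Privilege::None;   // default deny
    Interfaces interfaces;                   // nothing granted by default
    std::vector<std::string> matchedGroups;  // worth writing to the audit log
};

// Local privilege group corresponding to a mapped privilege level. "priv-admin" is
// named in the thread; the other two names are assumptions for this example.
std::string localPrivilegeGroup(Privilege p) {
    switch (p) {
        case Privilege::Administrator: return "priv-admin";
        case Privilege::Operator:      return "priv-operator";
        case Privilege::ReadOnly:      return "priv-user";
        default:                       return "";
    }
}

// Decide what a remote user gets from the LDAP groups they belong to.
// Rules assumed here: groups not in the table contribute nothing; if several
// mapped groups match, the highest privilege wins and the interface grants are
// the union of the matched rows.
Decision authorize(const MappingTable& table, const std::vector<std::string>& ldapGroups) {
    Decision d;
    for (const std::string& group : ldapGroups) {
        auto it = table.find(group);
        if (it == table.end()) {
            continue;  // unmapped LDAP group: no effect, whatever its name or gid
        }
        const MappingRow& row = it->second;
        d.matchedGroups.push_back(group);
        d.privilege = std::max(d.privilege, row.privilege);
        d.interfaces.ssh = d.interfaces.ssh || row.interfaces.ssh;
        d.interfaces.redfish = d.interfaces.redfish || row.interfaces.redfish;
        d.interfaces.web = d.interfaces.web || row.interfaces.web;
    }
    return d;
}

// The per-interface check a daemon would make in place of "user ingroup redfish".
bool interfaceAllowed(const Decision& d, const std::string& iface) {
    if (d.privilege == Privilege::None) return false;  // no mapped group at all
    if (iface == "ssh")     return d.interfaces.ssh;
    if (iface == "redfish") return d.interfaces.redfish;
    if (iface == "web")     return d.interfaces.web;
    return false;  // unknown interface name: deny rather than guess
}

// The two rows from the thread's table, as a constructed sample.
MappingTable sampleTable() {
    return {
        {"SomeGroup",  {Privilege::Administrator, {true, true, true}}},
        {"OtherGroup", {Privilege::Operator,      {false, true, true}}},
    };
}

int main() {
    const MappingTable table = sampleTable();
    // Constructed memberships: one user in a mapped group plus an unrelated one,
    // and one user whose only LDAP group happens to be called "redfish".
    for (const auto& groups : {std::vector<std::string>{"OtherGroup", "cn=unrelated"},
                               std::vector<std::string>{"redfish"}}) {
        Decision d = authorize(table, groups);
        std::cout << "privilege=" << localPrivilegeGroup(d.privilege)
                  << " ssh=" << interfaceAllowed(d, "ssh")
                  << " redfish=" << interfaceAllowed(d, "redfish")
                  << " web=" << interfaceAllowed(d, "web") << '\n';
    }
    return 0;
}
```

Because the table's keys are LDAP group names and its outputs are local roles, an LDAP group never has to share a name or a gid with a local group such as "redfish", which is the clash both mails worry about; an LDAP group called "redfish" that is not in the table grants nothing. A user with no mapped group is denied outright instead of falling through to a local group check.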
