LDAP authentication is not working

Ratan Gupta ratagupt at linux.vnet.ibm.com
Tue May 19 20:05:57 AEST 2020


Hi Richard,

This is regarding the commit 
https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125

where "user without having redfish group user is not authenticated to query the details, and login will fail".

As per the PAM authentication for the LDAP user, it gets the user details 
through the pam_ldap module, which internally uses the standard Linux API 
(getpwnam_r) to fetch the user details (like the group ID of the group 
which the LDAP/local user is tied to).

Now once the user gets authenticated by the first PAM auth module, the second 
auth module (pam_succeed_if.so) gets executed, in the following order:

https://github.com/linux-pam/linux-pam/blob/c6bef96651ee861baf099a36f0cb1fd4d36669ca/libpam/pam_modutil_ingroup.c#L81
https://github.com/rhuitl/uClinuX/blob/master/lib/libpam/modules/pam_succeed_if/pam_succeed_if.c#L186
https://github.com/linux-pam/linux-pam/blob/955b3e2f100205be2db4358e9c812de2ae453b8e/libpam/pam_modutil_getgrnam.c#L56

getgrnam_r("groupname") will fetch the group ID of the given group name 
in the following order (as per the configuration):
=> Local
=> LDAP

We created a new LDAP group named "redfish" in the LDAP server and put 
the LDAP user under the newly created "redfish" group, 
but that didn't help, as the same group is listed in both places (Local, LDAP).

As I explained above, the local database will get prioritized over LDAP.

Hence there would be a failure. Now we have the following option:

Prioritize LDAP over Local if LDAP is enabled, but in that case the same 
problem will occur for the local user.

We have upstream tagging planned for this week, and with the commit 
below LDAP is broken:

(https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125)

Should we revert it or do you have any plans?

Please let me know your thoughts.

Regards
Ratan Gupta
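The failure described in the message comes from the NSS lookup order rather than from PAM itself: `pam_succeed_if` (via `pam_modutil_user_in_group_nam_nam`) calls `getpwnam` and `getgrnam`, and `getgrnam("redfish")` returns only the first source's entry, so a group that exists both in `/etc/group` and in LDAP is shadowed by whichever source comes first. The model below is an added example, not code from the thread, bmcweb or linux-pam; it uses constructed local and LDAP tables, and the `merge` path emulates the glibc `[SUCCESS=merge]` action for the `group` database (check that the libc on the BMC actually supports it before relying on it).

```python
# Added example (not from the mailing-list thread): a small model of how an
# NSS "group:" lookup chain resolves getgrnam() across several sources, and
# why a group present in both the local files and LDAP shadows the other.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    name: str
    gid: int
    members: list = field(default_factory=list)


@dataclass
class User:
    name: str
    gid: int  # primary group id, as in struct passwd pw_gid


# Constructed sample databases (not real data). Both sources define a
# "redfish" group, each with a different gid and a different member list.
LOCAL_GROUPS = {"redfish": Group("redfish", 1001, ["localadmin"])}
LDAP_GROUPS = {"redfish": Group("redfish", 5001, ["ldapuser"])}
LOCAL_USERS = {"localadmin": User("localadmin", 100)}
LDAP_USERS = {"ldapuser": User("ldapuser", 5001)}

GROUP_SOURCES = {"files": LOCAL_GROUPS, "ldap": LDAP_GROUPS}
USER_SOURCES = {"files": LOCAL_USERS, "ldap": LDAP_USERS}


def parse_nsswitch_line(line: str):
    """Parse 'group: files [SUCCESS=merge] ldap' into (order, merge_flag).
    Only the SUCCESS=merge action is modelled; other actions are ignored."""
    _, _, spec = line.partition(":")
    order, merge = [], False
    for tok in spec.split():
        if tok.startswith("["):
            merge = merge or tok.strip("[]").upper() == "SUCCESS=MERGE"
        else:
            order.append(tok)
    return order, merge


def getpwnam(name: str, order) -> Optional[User]:
    """First-match lookup over the passwd sources."""
    for src in order:
        u = USER_SOURCES[src].get(name)
        if u is not None:
            return u
    return None


def getgrnam(name: str, order, merge: bool = False) -> Optional[Group]:
    """First-match lookup over the group sources. With merge=True the member
    lists of every source that knows the group are unioned; the gid stays
    the one from the first source, as glibc's merge action does."""
    result = None
    for src in order:
        g = GROUP_SOURCES[src].get(name)
        if g is None:
            continue
        if result is None:
            result = Group(g.name, g.gid, list(g.members))
            if not merge:
                return result
        else:
            result.members += [m for m in g.members if m not in result.members]
    return result


def user_in_group(user: str, group: str, nsswitch_line: str) -> bool:
    """Mirror of the pam_modutil_user_in_group_nam_nam logic: the user is in
    the group if the primary gid matches or the name is in the member list."""
    order, merge = parse_nsswitch_line(nsswitch_line)
    pwd = getpwnam(user, order)
    grp = getgrnam(group, order, merge)
    if pwd is None or grp is None:
        return False
    return pwd.gid == grp.gid or user in grp.members


if __name__ == "__main__":
    for line in ("group: files ldap", "group: ldap files",
                 "group: files [SUCCESS=merge] ldap"):
        for u in ("localadmin", "ldapuser"):
            print(f"{line:40} {u:12} -> {user_in_group(u, 'redfish', line)}")
```

With `files ldap` the LDAP user is rejected because the local "redfish" entry (gid 1001, no LDAP members) wins; with `ldap files` the local user is rejected for the mirror-image reason. Only a merged lookup lets both kinds of user satisfy the `pam_succeed_if` group check against a single group name.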


