LDAP authentication is not working
Ratan Gupta
ratagupt at linux.vnet.ibm.com
Tue May 19 20:05:57 AEST 2020
Hi Richard,
This is regarding the commit
https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125.
where "user without having redfish group user is not authenticated to
query the details, and login will fail"
As per the PAM authentication, for the LDAP user it gets the user details
through the pam_ldap module, which internally uses the standard Linux API
(getpwnam_r) to fetch the user details, like the group ID of the group
which the LDAP/local user is tied to.
Now once the user gets authenticated by the first PAM auth module, the second
auth module (pam_succeed_if.so) gets executed, in the following order:
https://github.com/linux-pam/linux-pam/blob/c6bef96651ee861baf099a36f0cb1fd4d36669ca/libpam/pam_modutil_ingroup.c#L81
https://github.com/rhuitl/uClinuX/blob/master/lib/libpam/modules/pam_succeed_if/pam_succeed_if.c#L186
https://github.com/linux-pam/linux-pam/blob/955b3e2f100205be2db4358e9c812de2ae453b8e/libpam/pam_modutil_getgrnam.c#L56
getgrnam_r("groupname") will fetch the group ID of the given group name
in the following order (as per the configuration):
=> Local
=> LDAP
We created a new LDAP group named "redfish" in the LDAP server and put
the LDAP user under the newly created "redfish" group,
but that didn't help, as the same group is listed in both places (local, LDAP).
As I explained above, the local database will get prioritized over LDAP,
hence there would be a failure. Now we have the following option:
Prioritize LDAP over local if LDAP is enabled, but in that case the same
problem will occur for the local user.
We have upstream tagging planned for this week, and with the commit
below LDAP is broken
(https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125).
Should we revert it or do you have any plans?
Please let me know your thoughts.
Regards
Ratan Gupta
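The failure described in the post comes down to two things: getgrnam_r() returns the first "redfish" entry found in nsswitch order, and pam_succeed_if's "ingroup" test (pam_modutil_user_in_group_nam_nam in the linked linux-pam source) passes only when the user's primary gid equals that group's gid or the user is listed in the group's gr_mem. The following is an added example, not code from bmcweb or linux-pam: it simulates the two NSS sources with constructed local and LDAP tables (the names "alice", "bob" and the gids 1002/5000 are made up) and reproduces the check logic, so the outcome under "files ldap" versus "ldap files" can be seen without a real directory.

```c
/*
 * Added example (not bmcweb or linux-pam code): simulate NSS lookup order
 * for a group that exists both locally and in LDAP, and apply the same
 * membership rule pam_succeed_if uses (gid match, or listed in gr_mem).
 * All users, groups and gids below are constructed sample data.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Minimal stand-ins for struct passwd / struct group. */
struct pw_ent { const char *name; unsigned gid; };
struct gr_ent { const char *name; unsigned gid; const char *members[4]; };

/* One NSS source (what "files" or "ldap" in nsswitch.conf would consult). */
struct db {
    const char *label;
    const struct pw_ent *pw; size_t npw;
    const struct gr_ent *gr; size_t ngr;
};

/* Constructed local database: user bob, primary group "redfish" gid 1002. */
static const struct pw_ent local_pw[] = { { "bob", 1002 } };
static const struct gr_ent local_gr[] = { { "redfish", 1002, { NULL } } };

/* Constructed LDAP directory: user alice, primary group "redfish" gid 5000. */
static const struct pw_ent ldap_pw[] = { { "alice", 5000 } };
static const struct gr_ent ldap_gr[] = { { "redfish", 5000, { NULL } } };

/* Variant of the local "redfish" group that lists alice in gr_mem. */
static const struct gr_ent local_gr_member[] = {
    { "redfish", 1002, { "alice", NULL } }
};

static const struct db files_db        = { "files", local_pw, 1, local_gr, 1 };
static const struct db files_member_db = { "files", local_pw, 1, local_gr_member, 1 };
static const struct db ldap_db         = { "ldap",  ldap_pw, 1, ldap_gr, 1 };

/* Walk the sources in configured order; the first hit wins, as getpwnam_r does. */
static const struct pw_ent *lookup_pw(const struct db *const *order, size_t n,
                                      const char *name) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < order[i]->npw; j++)
            if (strcmp(order[i]->pw[j].name, name) == 0)
                return &order[i]->pw[j];
    return NULL;
}

/* Same first-hit rule for groups, as getgrnam_r does. */
static const struct gr_ent *lookup_gr(const struct db *const *order, size_t n,
                                      const char *name) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < order[i]->ngr; j++)
            if (strcmp(order[i]->gr[j].name, name) == 0)
                return &order[i]->gr[j];
    return NULL;
}

/* Mirrors the linux-pam ingroup rule: primary gid equals group gid, or the
 * user name appears in the resolved group's member list. */
static int user_in_group(const struct db *const *order, size_t n,
                         const char *user, const char *group) {
    const struct pw_ent *pw = lookup_pw(order, n, user);
    const struct gr_ent *gr = lookup_gr(order, n, group);
    if (!pw || !gr) return 0;
    if (pw->gid == gr->gid) return 1;
    for (size_t i = 0; i < 4 && gr->members[i]; i++)
        if (strcmp(gr->members[i], user) == 0) return 1;
    return 0;
}

/* The two nsswitch orders discussed in the post. */
static const struct db *const files_first[]        = { &files_db, &ldap_db };
static const struct db *const ldap_first[]         = { &ldap_db, &files_db };
static const struct db *const files_first_member[] = { &files_member_db, &ldap_db };

int check_files_first(const char *user) { return user_in_group(files_first, 2, user, "redfish"); }
int check_ldap_first(const char *user)  { return user_in_group(ldap_first, 2, user, "redfish"); }
int check_files_first_member(const char *user) { return user_in_group(files_first_member, 2, user, "redfish"); }

int main(void) {
    printf("files ldap : alice=%d bob=%d\n", check_files_first("alice"), check_files_first("bob"));
    printf("ldap files : alice=%d bob=%d\n", check_ldap_first("alice"), check_ldap_first("bob"));
    printf("files ldap, alice in local gr_mem: alice=%d\n", check_files_first_member("alice"));
    return 0;
}
```

With "files" first, "redfish" resolves to the local gid 1002, so the LDAP user alice (gid 5000) fails the check while bob passes; swapping to "ldap" first inverts the result, which is exactly the trade-off the post describes. The third case shows the other branch of the same rule: the check also passes when the resolved group's gr_mem names the user, independent of gid.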