LDAP authentication is not working

Thomaiyar, Richard Marian richard.marian.thomaiyar at linux.intel.com
Wed May 20 01:21:17 AEST 2020


Agree. As for LDAP users, we defined privilege-related mapping only and 
not group-based authentication restriction. I think adding group-based 
authentication for LDAP users immediately is not a good option, as it 
must be done with agreement from everyone.

A quick solution is to skip the pam_succeed_if check if it is a local user 
using the pam_localuser module, i.e. using the user_unknown condition to skip 
pam_succeed_if, we can skip the group check for LDAP users and 
still continue for local users.

Note: I am OK if you want to revert the fix immediately; I can roll out 
the fix this weekend after testing.

Regards,

Richard


On 5/19/2020 3:35 PM, Ratan Gupta wrote:
> in the LDAP server and put the LDAP user under the newly created 
> "redfish" group
> but that didn't help as the same group is listed in both places (Local, LDAP)
>
> As I explained above, the local database will get prioritized over LDAP
>
> Hence there would be a failure. Now we have the following option
>
> Prioritize LDAP over Local if LDAP is enabled, but in that case the same 
> problem will occur for the local user.
>
> We have upstream tagging planned for this week and with the commit 
> below LDAP is broken
>
> (https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125).
>
>
> Should we revert it or do you have any plans?
>
> Please let me know your thoughts. 

