LDAP authentication is not working

Thomaiyar, Richard Marian richard.marian.thomaiyar at linux.intel.com
Thu May 28 17:01:24 AEST 2020

Hi Ratan,

Submitted a proper fix for the same.

https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/32883 (depends 
Please verify the same and let me know your comments.



On 5/19/2020 8:51 PM, Thomaiyar, Richard Marian wrote:
> Agree. As for LDAP users, we defined privilege-related mapping only and 
> not group-based authentication restriction. I think adding group-based 
> authentication for LDAP users immediately is not a good option, as it 
> must be done with agreement from everyone.
> Quick solution is to skip the pam_succeed_if check if it is a local user 
> using the pam_localuser module. I.e., using the user_unknown condition to skip 
> the pam_succeed_if, we can skip the group check for LDAP users, and 
> still continue for local users.
> Note: I am OK if you want to revert the fix immediately; I can roll 
> out the fix this weekend after testing.
> Regards,
> Richard
> On 5/19/2020 3:35 PM, Ratan Gupta wrote:
>> in the LDAP server and put the ldap user under the newly created 
>> "redfish" group
>> but that didn't help as the same group is listed in both places (Local, LDAP).
>> As I explained above, the local database will get prioritized over LDAP.
>> Hence there would be a failure. Now we have the following option:
>> Prioritize LDAP over Local if LDAP is enabled, but in that case the 
>> same problem will occur for the local user.
>> We have upstream tagging planned for this week, and with the commit 
>> below LDAP is broken
>> (https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125.) 
>> Should we revert it or do you have any plans?
>> Please let me know your thoughts. 
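
The skip proposed in the quoted 5/19 message, as an added example that is not part of the thread or of the bmcweb change: a small Python model of how a PAM `auth` stack evaluates `required` lines and a `[user_unknown=1]` jump. The `credentials` step, the user names and the module return values are constructed assumptions; `user_unknown` for a non-local user is taken from the message and should be checked against the installed Linux-PAM version.

```python
# Added example: a simplified model of Linux-PAM control flow, not OpenBMC code.
# "required" is modelled as [success=ok default=bad].
REQUIRED = {"success": "ok", "default": "bad"}
GROUP_CHECK = "pam_succeed_if user ingroup redfish"

def run_stack(stack, results):
    """Return True if the stack authenticates; results maps module -> return name."""
    granted, failed, skip = False, False, 0
    for control, module in stack:
        if skip:                      # jumped over by an earlier [value=N]
            skip -= 1
            continue
        action = control.get(results[module], control["default"])
        if isinstance(action, int):   # [value=N]: skip the next N modules
            skip = action
        elif action == "ok":
            granted = True
        elif action == "bad":
            failed = True
    return granted and not failed

# Group check applied to every user (the behaviour reported as breaking LDAP).
BEFORE = [(REQUIRED, "credentials"), (REQUIRED, GROUP_CHECK)]
# Proposed skip: pam_localuser jumps over the group check for non-local users.
AFTER = [(REQUIRED, "credentials"),
         ({"success": "ok", "user_unknown": 1, "default": "bad"}, "pam_localuser"),
         (REQUIRED, GROUP_CHECK)]

# Constructed module results. The LDAP user fails the group check because, as
# reported in the thread, the local group database is consulted first.
USERS = {
    "local_in_group": {"credentials": "success", "pam_localuser": "success",
                       GROUP_CHECK: "success"},
    "local_no_group": {"credentials": "success", "pam_localuser": "success",
                       GROUP_CHECK: "auth_err"},
    "ldap_user":      {"credentials": "success", "pam_localuser": "user_unknown",
                       GROUP_CHECK: "auth_err"},
}

def outcomes(stack):
    return {name: run_stack(stack, res) for name, res in USERS.items()}

if __name__ == "__main__":
    for label, stack in (("before", BEFORE), ("after", AFTER)):
        print(label, outcomes(stack))
```

With the jump in place the LDAP user authenticates with no group restriction at all, which is the trade-off the quoted message accepts, while local users outside the group are still rejected.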