LDAP authentication is not working

Thomaiyar, Richard Marian richard.marian.thomaiyar at linux.intel.com
Thu May 28 17:01:24 AEST 2020


Hi Ratan,

Submitted a proper fix for the same:

https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/32883 (depends on 
https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/32901). 
Please verify the same and let me know your comments.

Regards,

Richard

On 5/19/2020 8:51 PM, Thomaiyar, Richard Marian wrote:
> Agree. As for LDAP users, we defined privilege related mapping only and 
> not group based authentication restriction. I think adding group based 
> authentication for LDAP users immediately is not a good option, as it 
> must be done with agreement from everyone.
>
> A quick solution is to skip the pam_succeed_if check if it is a local user 
> using the pam_localuser module, i.e. using the user_unknown condition to skip 
> the pam_succeed_if, we can skip the group check for LDAP users, and 
> still continue for local users.
>
> Note: I am OK if you want to revert the fix immediately; I can roll 
> out the fix this weekend after testing.
>
> Regards,
>
> Richard
>
>
> On 5/19/2020 3:35 PM, Ratan Gupta wrote:
>> in the LDAP server and put the LDAP user under the newly created 
>> "redfish" group,
>> but that didn't help as the same group is listed in both places (Local, LDAP).
>>
>> As I explained above, the local database will get prioritized over LDAP.
>>
>> Hence there would be a failure. Now we have the following option:
>>
>> Prioritize LDAP over Local if LDAP is enabled, but in that case the 
>> same problem will occur for the local user.
>>
>> We have upstream tagging planned for this week, and with the commit 
>> below LDAP is broken
>>
>> (https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125). 
>>
>>
>> Should we revert it or do you have any plans?
>>
>> Please let me know your thoughts. 
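
The skip described in the thread (use pam_localuser's user_unknown result to jump over the pam_succeed_if group check) can be reasoned about with a small model of PAM's stack evaluation. This is an added example, not code from the thread or from the Gerrit changes; the accounts, the stack layout, the `[... user_unknown=1 ...]` control and the return code modelled for pam_localuser are assumptions made for illustration.

```python
# Simplified model of PAM's auth-stack evaluation; all accounts are constructed.
LOCAL_USERS = {"root": {"redfish"}, "svc": set()}  # local account -> local groups
LDAP_USERS = {"ldapadmin"}                         # accounts that exist only in LDAP

def common_auth(user):
    # Stand-in for password checking (local or LDAP); known accounts always pass.
    return "success" if user in LOCAL_USERS or user in LDAP_USERS else "user_unknown"

def pam_localuser(user):
    # Assumption taken from the message: a non-local account yields user_unknown.
    return "success" if user in LOCAL_USERS else "user_unknown"

def ingroup_redfish(user):
    # Models "pam_succeed_if user ingroup redfish"; simplified to consult only
    # the local group database, matching the failure described in the thread.
    return "success" if "redfish" in LOCAL_USERS.get(user, set()) else "auth_err"

# "required" expands to this bracketed control in Linux-PAM.
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}
# Hypothetical control for pam_localuser: skip one module when the user is not local.
SKIP_IF_NOT_LOCAL = {"success": "ok", "user_unknown": 1, "default": "bad"}

STACK_BEFORE = [(REQUIRED, common_auth), (REQUIRED, ingroup_redfish)]
STACK_AFTER = [(REQUIRED, common_auth), (SKIP_IF_NOT_LOCAL, pam_localuser),
               (REQUIRED, ingroup_redfish)]

def authenticate(user, stack):
    ok_seen, failed, i = False, False, 0
    while i < len(stack):
        control, module = stack[i]
        action = control.get(module(user), control["default"])
        i += 1
        if isinstance(action, int):
            i += action            # jump over the next N modules; status unchanged
        elif action == "ok":
            ok_seen = True
        elif action == "bad":
            failed = True          # remember the failure but keep running the stack
    return ok_seen and not failed

if __name__ == "__main__":
    for user in ("root", "svc", "ldapadmin", "nobody"):
        print(user, authenticate(user, STACK_BEFORE), authenticate(user, STACK_AFTER))
```

In the model, the group restriction still applies to local accounts after the change, and an account unknown to both databases is still rejected by the first module.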