LDAP authentication is not working
Thomaiyar, Richard Marian
richard.marian.thomaiyar at linux.intel.com
Thu May 28 17:01:24 AEST 2020
Hi Ratan,
Submitted a proper fix for the same:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/32883 (depends on
https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/32901).
Please verify the same and let me know your comments.
Regards,
Richard
On 5/19/2020 8:51 PM, Thomaiyar, Richard Marian wrote:
> Agree. As for LDAP users, we defined privilege-related mapping only and
> not group-based authentication restriction. I think adding group-based
> authentication for LDAP users immediately is not a good option, as it
> must be done with agreement from everyone.
>
> A quick solution is to skip the pam_succeed_if check if it is a local user
> using the pam_localuser module, i.e. using the user_unknown condition to skip
> the pam_succeed_if, we can skip the group check for LDAP users, and
> still continue for local users.
>
> Note: I am OK if you want to revert the fix immediately; I can roll
> out the fix this weekend after testing.
>
> Regards,
>
> Richard
>
>
> On 5/19/2020 3:35 PM, Ratan Gupta wrote:
>> in the LDAP server and put the ldap user under the newly created
>> "redfish" group
>> but that didn't help, as the same group is listed in both places (Local, LDAP)
>>
>> As I explained above, the local database will get prioritized over LDAP
>>
>> Hence there would be a failure. Now we have the following option
>>
>> Prioritize LDAP over Local if LDAP is enabled, but in that case the
>> same problem will occur for the local user.
>>
>> We have upstream tagging planned for this week, and with the commit
>> below LDAP is broken
>>
>> (https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125.)
>>
>>
>> Should we revert it or do you have any plans?
>>
>> Please let me know your thoughts.
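
The following is an added example, not part of the thread and not bmcweb's or libpam's code: a small Python model of a PAM stack showing why the group check fails for an LDAP user when a local group of the same name exists, and how a `user_unknown` jump from pam_localuser skips that check. The account names, the `redfish` membership data, the control values and the assumption that pam_localuser reports `user_unknown` for a non-local account are all constructed for illustration.

```python
# Constructed model of the behaviour discussed in the thread; not libpam.
LOCAL_PASSWD = {"root", "guest"}            # constructed local accounts
LOCAL_GROUP = {"redfish": {"root"}}         # constructed local group file
LDAP_GROUP = {"redfish": {"ldapuser"}}      # constructed LDAP directory group

def group_members(group):
    # The local database is consulted first; a local group of the same
    # name hides the LDAP group, as described in the thread.
    if group in LOCAL_GROUP:
        return LOCAL_GROUP[group]
    return LDAP_GROUP.get(group, set())

def pam_localuser(user):
    # Assumption: a non-local user yields "user_unknown".
    return "success" if user in LOCAL_PASSWD else "user_unknown"

def pam_succeed_if_ingroup(group):
    return lambda user: "success" if user in group_members(group) else "auth_err"

REQUIRED = {"success": "ok", "default": "bad"}

def run_stack(stack, user):
    """Return (allowed, trace). An int action skips that many following modules."""
    skip, trace = 0, []
    for name, control, module in stack:
        if skip:
            skip -= 1
            trace.append((name, "skipped"))
            continue
        result = module(user)
        trace.append((name, result))
        action = control.get(result, control["default"])
        if isinstance(action, int):
            skip = action
        elif action == "bad":
            return False, trace
    return True, trace

GROUP_CHECK = ("pam_succeed_if", REQUIRED, pam_succeed_if_ingroup("redfish"))
BEFORE = [GROUP_CHECK]
AFTER = [("pam_localuser", {"success": "ok", "user_unknown": 1, "default": "ignore"},
          pam_localuser), GROUP_CHECK]

if __name__ == "__main__":
    for user in ("root", "guest", "ldapuser"):
        print(user, run_stack(BEFORE, user)[0], run_stack(AFTER, user))
```

In this model the local user outside the group is still rejected, while the LDAP user bypasses the group check entirely, so any restriction on LDAP users has to come from the privilege mapping rather than from group membership.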