OpenBMC LDAP server configuration assistance
Thomaiyar, Richard Marian
richard.marian.thomaiyar at linux.intel.com
Thu Sep 10 23:53:07 AEST 2020
Hi Donnie,
Didn't test it in the latest tree, but you already cross-verified this,
right? -->
https://github.com/openbmc/openbmc-test-automation/blob/master/redfish/account_service/test_ldap_configuration.robot
++ Ratan & George.
Regards,
Richard
On 9/9/2020 10:02 PM, Gerhart, Donnie wrote:
>
> Hello OpenBMC Community\SMEs,
>
> We are investigating LDAP functionality on the 2.8 ‘top of tree’
> build; however, we are having some issues I believe you can help with
> straight away. Some of the many real failures we’ve encountered are:
>
> * Bricked system due to locking out all users
>
<Richard> You meant to say even the `root` user is locked out? Is this OpenBMC
repo master, or have you made more changes? By default user lockout is disabled,
and it still won't lock the root user, to avoid a DoS attack.
>
> * ldap_result() failed: Can’t contact LDAP server
> o Believe we’ve fixed this one
>
<Richard> Hope this was an LDAP configuration issue you faced, and not
related to OpenBMC code as such.
>
> * Logins are restricted to the group priv-admin of but user
> ‘testuser’ is not a member
>
<Richard>: Is this failure due to SSH login? Because SSH won't make use
of LDAP privilege mapping. You may need to change
https://github.com/openbmc/meta-phosphor/blob/master/recipes-core/dropbear/dropbear/dropbear.default
if you need LDAP testing in SSH.
Have you tried bmcweb LDAP login? Were you able to succeed in that?
> * Pam_authenticate() failed, rc=7, Authentication failure
> * Bad PAM password attempt for ‘testuser’ from: <LDAP server IP>
>
> Some of these issues we’ve worked through; however, some are still
> dogging us. To that end, can someone possibly list\post a basic LDAP
> server LDIF file with a single user, privilege role and group mapping
> that you’ve successfully used with OpenBMC? We assume we are stuck on
> some trivial LDAP server topology anomaly that is completely escaping
> us at the moment.
>
> As an fyi we have looked at:
>
> 1. Gone through everything obviously ‘ldap’ in the mailing lists:
> https://lists.ozlabs.org/pipermail/openbmc/
> 2. Looked at OpenBMC learning series:
> https://github.com/openbmc/openbmc/wiki/Presentations
> 3. Gone through the documents here:
> https://github.com/openbmc/docs/blob/master/architecture/user-management.md
> 4. Looked at ldap tests and server:
> https://github.com/openbmc/openbmc-test-automation
> 5. Spent more time tweaking Linux files and creating ldap server
> configs than I care to admit 😊
>
> BIG thanks in advance!
>
> Best,
>
> Donnie
>