OpenBMC LDAP server configuration assistance

Thomaiyar, Richard Marian richard.marian.thomaiyar at linux.intel.com
Thu Sep 10 23:53:07 AEST 2020


Hi Donnie,

Didn't test it in the latest tree, but you already cross-verified this, 
right? --> 
https://github.com/openbmc/openbmc-test-automation/blob/master/redfish/account_service/test_ldap_configuration.robot

++ Ratan & George.

Regards,

Richard

On 9/9/2020 10:02 PM, Gerhart, Donnie wrote:
>
> Hello OpenBMC Community\SMEs,
>
> We are investigating LDAP functionality on the 2.8 ‘top of tree’ 
> build; however, we are having some issues I believe you can help with 
> straight away.  Some of the many real failures we’ve encountered are:
>
>   * Bricked system due to locking out all users
>
<Richard> You mean to say even the `root` user is locked out? Is this the 
OpenBMC repo master, or have you made more changes? By default, user lockout 
is disabled, and it still won't lock the root user, to avoid a DoS attack.
>
>   * ldap_result() failed:  Can’t contact LDAP server
>       o Believe we’ve fixed this one
>
<Richard> Hope this was an LDAP configuration issue you faced, and not 
related to OpenBMC code as such.
>
>   * Logins are restricted to the group priv-admin of but user
>     ‘testuser’ is not a member
>
<Richard>: Is this failure due to SSH login? Because SSH won't make use 
of LDAP privilege mapping. You may need to change 
https://github.com/openbmc/meta-phosphor/blob/master/recipes-core/dropbear/dropbear/dropbear.default 
if you need LDAP testing in SSH.

Have you tried bmcweb LDAP login? Are you able to succeed in that?

>   * Pam_authenticate() failed, rc=7, Authentication failure
>   * Bad PAM password attempt for ‘testuser’ from: <LDAP server IP>
>
> Some of these issues we’ve worked through; however, some are still 
> dogging us.  To that end, can someone possibly list\post a basic LDAP 
> server LDIF file with a single user, privilege role and group mapping 
> that you’ve successfully used with OpenBMC?  We assume we are stuck on 
> some trivial LDAP server topology anomaly that is completely escaping 
> us at the moment.
>
> As an fyi we have looked at:
>
>  1. Gone through everything obviously ‘ldap’ in the mailing lists:
>     https://lists.ozlabs.org/pipermail/openbmc/
>  2. Looked at OpenBMC learning series:
>     https://github.com/openbmc/openbmc/wiki/Presentations
>  3. Gone through the documents here:
>     https://github.com/openbmc/docs/blob/master/architecture/user-management.md
>  4. Looked at ldap tests and server:
>     https://github.com/openbmc/openbmc-test-automation
>  5. Spent more time tweaking Linux files and creating ldap server
>     configs than I care to admit 😊
>
> BIG thanks in advance!
>
> Best,
>
> Donnie
>