OpenBMC LDAP server configuration assistance
Thomaiyar, Richard Marian
richard.marian.thomaiyar at linux.intel.com
Mon Sep 21 14:31:55 AEST 2020
Hi Donnie,
Yes, please go ahead and create a cheatsheet for LDAP configuration.
Regards,
Richard
On 9/12/2020 12:44 AM, Gerhart, Donnie wrote:
>
> Hey Richard/Folks,
>
> Thanks for reaching out. We really appreciate it.
>
> Per usual, shortly after we hit send, we found a GID anomaly; once it was
> corrected, everything OpenBMC LDAP connected up and logged in nicely.
>
> To keep others from spinning in such an anomaly we’d be more than
> happy to post (ourselves or through you) a simple LDAP diff (LDIF)
> file containing a small working joe and jane LDAP server config. The
> two places we thought such an example might be valuable are phosphor user
> manager arch documentation and/or the LDAP test in
> openbmc-test-automation but we are happy to defer to your guidance
> regarding same. Let us know your thoughts and we can post or provide
> the applicable file straight away.
>
> Thanks again!
>
> Best,
>
> Donnie
>
> *From:* Thomaiyar, Richard Marian
> <richard.marian.thomaiyar at linux.intel.com>
> *Sent:* Thursday, September 10, 2020 8:53 AM
> *To:* Gerhart, Donnie; openbmc at lists.ozlabs.org;
> ratagupt at linux.vnet.ibm.com; gkeishin at in.ibm.com
> *Cc:* Mugunda, Chandra; Giles, Joshua; Cockrell, Trevor
> *Subject:* Re: OpenBMC LDAP server configuration assistance
>
> Hi Donnie,
>
> Didn't test it in the latest tree, but you already cross-verified this,
> right? -->
> https://github.com/openbmc/openbmc-test-automation/blob/master/redfish/account_service/test_ldap_configuration.robot
>
> ++ Ratan & George.
>
> Regards,
>
> Richard
>
> On 9/9/2020 10:02 PM, Gerhart, Donnie wrote:
>
> Hello OpenBMC Community\SMEs,
>
> We are investigating LDAP functionality on the 2.8 ‘top of tree’
> build; however, we are having some issues I believe you can help
> with straight away. Some of the many real failures we’ve
> encountered are:
>
> * Bricked system due to locking out all users
>
> <Richard> You mean even the `root` user is locked out? Is this OpenBMC
> repo master, or have you made more changes? By default user lockout is
> disabled, and it still won't lock the root user, to avoid a DoS attack.
>
> * ldap_result() failed: Can’t contact LDAP server
>
> o Believe we’ve fixed this one
>
> <Richard> Hope this was an LDAP configuration issue you faced, and not
> related to OpenBMC code as such.
>
> * Logins are restricted to the group priv-admin of but user
> ‘testuser’ is not a member
>
> <Richard>: Is this failure due to SSH login? Because SSH won't make
> use of LDAP privilege mapping. You may need to change
> https://github.com/openbmc/meta-phosphor/blob/master/recipes-core/dropbear/dropbear/dropbear.default
> if you need LDAP testing in SSH.
>
> Have you tried bmcweb LDAP login? Are you able to succeed with
> that?
>
> * Pam_authenticate() failed, rc=7, Authentication failure
> * Bad PAM password attempt for ‘testuser’ from: <LDAP server IP>
>
> Some of these issues we’ve worked through; however, some are still
> dogging us. To that end, can someone possibly list\post a basic
> LDAP server LDIF file with a single user, privilege role and group
> mapping that you’ve successfully used with OpenBMC? We assume we
> are stuck on some trivial LDAP server topology anomaly that is
> completely escaping us at the moment.
>
> As an fyi we have looked at:
>
> 1. Gone through everything obviously ‘ldap’ in the mailing lists:
> https://lists.ozlabs.org/pipermail/openbmc/
> 2. Looked at OpenBMC learning series:
> https://github.com/openbmc/openbmc/wiki/Presentations
> 3. Gone through the documents here:
> https://github.com/openbmc/docs/blob/master/architecture/user-management.md
> 4. Looked at ldap tests and server:
> https://github.com/openbmc/openbmc-test-automation
> 5. Spent more time tweaking Linux files and creating LDAP server
> configs than I care to admit 😊
>
> BIG thanks in advance!
>
> Best,
>
> Donnie
>