OpenBMC LDAP server configuration assistance

Cockrell, Trevor Trevor.Cockrell at dell.com
Tue Sep 29 01:05:42 AEST 2020 

Internal Use - Confidential

Hey Ratan, Richard,

The issue that we ran into when using openLDAP was a small but key bit of configuration that I personally did not see on the web – the gidNumber property of a posix user/group.

The below documentation/notes (currently just for openLDAP) I have from my investigation would have helped us get to the root of our problem much quicker.
It might be beneficial to others to add this or something similar enough that clarifies the gidNumber requirements into the Phosphor User Manager README. If not, would there be a better place?
I could adjust/edit or I can leave it to you. 😊

Thanks!
Trevor Cockrell


User ‘John’ was created with the ldif below for an ldap server ‘example.com’:
dn: uid=John,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: John
uid: John
uidNumber: 1024
gidNumber: 100
homeDirectory: /home/John
loginShell: /bin/bash
gecos: John
userPassword: {crypt}x
shadowLastChange: -1
shadowMax: -1
shadowWarning: -1

In order for John to access any WebUI or redfish implementation, he must then be organized into a posix group with gidNumber 1004. This is because OpenBMC performs a group check for redfish on any user attempting redfish or WebUI interaction methods. The posix group was created with the following ldif:
dn: cn=redfish,dc=example,dc=com
cn: redfish
objectClass: posixGroup
objectClass: top
gidNumber: 1004
memberUid: John

The name of the posix group does not matter – only the gidNumber which is set to 1004, locally ‘redfish’ on the OpenBMC. Field memberUid maps John into the redfish group, allowing him access to both the WebUI and redfish methods of interacting with OpenBMC.
If desired, John can also be placed in posix-group ‘priv-admin’ with gidNumber 1000, granting him SSH access to the system. Privilege mapping does not affect the ability of a user in group 1000 to access the OpenBMC via SSH.
With a user placed in a group, a privilege mapping must then be assigned. The above gidNumber 100 relates to group ‘users’ on the local OpenBMC machine. When the mapping is assigned, any users within the mapped gidNumber will have the privilege level that has been mapped to their group. For example, if Jane were to be assigned gidNumber 100 she would have the same privileges as John. The privilege mapping must have the same name as the group referenced by the gidNumber. In this case, the role mapping must be explicitly for ‘users’. If there is no mapping assigned, connection via redfish is refused while the WebUI allows login with no interaction.


From: Ratan Gupta <ratagupt at linux.vnet.ibm.com>
Sent: Monday, September 21, 2020 9:29 AM
To: Thomaiyar, Richard Marian; Gerhart, Donnie; openbmc at lists.ozlabs.org; gkeishin at in.ibm.com
Cc: Mugunda, Chandra; Giles, Joshua; Cockrell, Trevor
Subject: Re: OpenBMC LDAP server configuration assistance


[EXTERNAL EMAIL]

Hi Donnie,

We didn't create the cheatsheet for ldap server configuration, we thought the enough documentation is there on the net to configure the ldap server.

But it is good to have this documentation, Are you doing it for openLDAP or the Active Directory also?

I thought George & team was having this when I was working with him.

Ratan
On 9/21/20 10:01 AM, Thomaiyar, Richard Marian wrote:
Hi Donnie, Yes, Please go ahead and create Cheatsheet for LDAP configuration....
This Message Is From an External Sender
This message came from outside your organization.

Hi Donnie,

Yes, Please go ahead and create Cheatsheet for LDAP configuration.

Regards,

Richard
On 9/12/2020 12:44 AM, Gerhart, Donnie wrote:
Hey Richard/Folks,

Thanks for reaching out.  We really appreciate it.

Per usual, shortly after we hit send, we found a GID anomaly that once corrected everything OpenBMC LDAP connected up and logged in nicely.

To keep others from spinning in such an anomaly we’d be more than happy to post (ourselves or through you) a simple Ldap diff (LDIF) file containing a small working joe and jane LDAP server config.  The two places we thought such an example might valuable are phosphor user manager arch documentation and/or the LDAP test in openbmc-test-automation but we are happy to defer to your guidance regarding same.  Let us know your thoughts and we can post or provide the applicable file straight away.

Thanks again!

Best,
Donnie


From: Thomaiyar, Richard Marian <richard.marian.thomaiyar at linux.intel.com><mailto:richard.marian.thomaiyar at linux.intel.com>
Sent: Thursday, September 10, 2020 8:53 AM
To: Gerhart, Donnie; openbmc at lists.ozlabs.org<mailto:openbmc at lists.ozlabs.org>; ratagupt at linux.vnet.ibm.com<mailto:ratagupt at linux.vnet.ibm.com>; gkeishin at in.ibm.com<mailto:gkeishin at in.ibm.com>
Cc: Mugunda, Chandra; Giles, Joshua; Cockrell, Trevor
Subject: Re: OpenBMC LDAP server configuration assistance


[EXTERNAL EMAIL]
Hi Donnie,

Didn't tested it in latest tree, but you already cross verified this right --> https://github.com/openbmc/openbmc-test-automation/blob/master/redfish/account_service/test_ldap_configuration.robot

++ Ratan & George.

Regards,

Richard
On 9/9/2020 10:02 PM, Gerhart, Donnie wrote:
Hello OpenBMC Community\SMEs,

We are investigating LDAP functionality on the 2.8 ‘top of tree’ build; however, we are having some issues I believe you can help with straight away.  Some of the many real failures we’ve encountered are:

  *   Bricked system due to locking out all users
<Richard> You meant to say even `root` user is locked out is OpenBMC repo master or made more changes. By default user lock out is disabled, and still won't lock root user to avoid DOS attack.

  *   Ladap_result() failed:  Can’t contact LDAP server

     *   Believe we’ve fixed this one
<Richard> Hope this as LDAP configuration issue you faced, and not related to OpenBMC code as such.



  *   Logins are restricted to the group priv-admin of but user ‘testuser’ is not a member

<Richard>: Is this failure due to SSH login. Because SSH won't make use of ldap privilege mapping. You may need to change https://github.com/openbmc/meta-phosphor/blob/master/recipes-core/dropbear/dropbear/dropbear.default if needs LDAP testing in SSH.

Have you tried bmcweb LDAP login ? Whether you are able to succeed in that ?

  *   Pam_authenticate() failed, rc=7, Authentication failure
  *   Bad PAM password attempt for ‘testuser’ from: <LDAP server IP>

Some of these issues we’ve worked through; however, some are still dogging us.  To that end, can someone possibly list\post a basic LDAP server LDIF file with a single user, privilege role and group mapping that you’ve successfully used with OpenBMC?  We assume we are stuck on some trivial LDAP server topology anomaly that is completely escaping us at the moment.

As an fyi we have looked at:

  1.  Gone through everything obviously ‘ldap’ in the mailing lists:  https://lists.ozlabs.org/pipermail/openbmc/
  2.  Looked at OpenBMC learning series:  https://github.com/openbmc/openbmc/wiki/Presentations
  3.  Gone through the documents here:  https://github.com/openbmc/docs/blob/master/architecture/user-management.md
  4.  Looked at ldap tests and server:  https://github.com/openbmc/openbmc-test-automation
  5.  Spent more time tweaking Linux files and creating ldap server configs that I care to admit 😊

BIG thanks in advance!

Best,
Donnie

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20200928/6cf9f480/attachment-0001.htm>

More information about the openbmc mailing list