OpenBMC LDAP server configuration assistance
Ratan Gupta
ratagupt at linux.vnet.ibm.com
Tue Sep 29 17:13:12 AEST 2020
Hi Trevor,
You can have the doc under phosphor-user-manager for configuring the LDAP
server.
Ratan Gupta
On 9/28/20 8:35 PM, Cockrell, Trevor wrote:
>
> Hey Ratan, Richard,
>
> The issue that we ran into when using openLDAP was a small but key bit
> of configuration that I personally did not see on the web – the
> gidNumber property of a posix user/group.
>
> The below documentation/notes (currently just for openLDAP) I have
> from my investigation would have helped us get to the root of our
> problem much quicker.
>
> It might be beneficial to others to add this or something similar
> enough that clarifies the gidNumber requirements into the Phosphor
> User Manager README. If not, would there be a better place?
>
> I could adjust/edit or I can leave it to you. 😊
>
> Thanks!
>
> Trevor Cockrell
>
> User ‘John’ was created with the ldif below for an ldap server
> ‘example.com’:
>
> dn: uid=John,dc=example,dc=com
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> cn: John
> uid: John
> uidNumber: 1024
> gidNumber: 100
> homeDirectory: /home/John
> loginShell: /bin/bash
> gecos: John
> userPassword: {crypt}x
> shadowLastChange: -1
> shadowMax: -1
> shadowWarning: -1
>
> In order for John to access any WebUI or redfish implementation, he
> must then be organized into a posix group with gidNumber 1004. This is
> because OpenBMC performs a group check for redfish on any user
> attempting redfish or WebUI interaction methods. The posix group was
> created with the following ldif:
>
> dn: cn=redfish,dc=example,dc=com
> cn: redfish
> objectClass: posixGroup
> objectClass: top
> gidNumber: 1004
> memberUid: John
>
> The name of the posix group does not matter – only the gidNumber which
> is set to 1004, locally ‘redfish’ on the OpenBMC. Field memberUid maps
> John into the redfish group, allowing him access to both the WebUI and
> redfish methods of interacting with OpenBMC.
>
> If desired, John can also be placed in posix-group ‘priv-admin’ with
> gidNumber 1000, granting him SSH access to the system. Privilege
> mapping does not affect the ability of a user in group 1000 to access
> the OpenBMC via SSH.
>
> With a user placed in a group, a privilege mapping must then be
> assigned. The above gidNumber 100 relates to group ‘users’ on the
> local OpenBMC machine. When the mapping is assigned, any users within
> the mapped gidNumber will have the privilege level that has been
> mapped to their group. For example, if Jane were to be assigned
> gidNumber 100 she would have the same privileges as John. The
> privilege mapping must have the same name as the group referenced by
> the gidNumber. In this case, the role mapping must be explicitly for
> ‘users’. If there is no mapping assigned, connection via redfish is
> refused while the WebUI allows login with no interaction.
>
> *From:* Ratan Gupta <ratagupt at linux.vnet.ibm.com>
> *Sent:* Monday, September 21, 2020 9:29 AM
> *To:* Thomaiyar, Richard Marian; Gerhart, Donnie;
> openbmc at lists.ozlabs.org; gkeishin at in.ibm.com
> *Cc:* Mugunda, Chandra; Giles, Joshua; Cockrell, Trevor
> *Subject:* Re: OpenBMC LDAP server configuration assistance
>
> Hi Donnie,
>
> We didn't create the cheatsheet for LDAP server configuration; we
> thought there was enough documentation on the net to configure the
> LDAP server.
>
> But it is good to have this documentation. Are you doing it for
> openLDAP or Active Directory also?
>
> I thought George & team had this when I was working with him.
>
> Ratan
>
> On 9/21/20 10:01 AM, Thomaiyar, Richard Marian wrote:
>
> Hi Donnie,
>
> Yes, Please go ahead and create Cheatsheet for LDAP configuration.
>
> Regards,
>
> Richard
>
> On 9/12/2020 12:44 AM, Gerhart, Donnie wrote:
>
> Hey Richard/Folks,
>
> Thanks for reaching out. We really appreciate it.
>
> Per usual, shortly after we hit send, we found a GID anomaly;
> once it was corrected, everything in OpenBMC LDAP connected up and
> logged in nicely.
>
> To keep others from spinning in such an anomaly we’d be more
> than happy to post (ourselves or through you) a simple LDAP
> diff (LDIF) file containing a small working joe and jane LDAP
> server config. The two places we thought such an example
> might be valuable are phosphor user manager arch documentation
> and/or the LDAP test in openbmc-test-automation, but we are
> happy to defer to your guidance regarding same. Let us know
> your thoughts and we can post or provide the applicable file
> straight away.
>
> Thanks again!
>
> Best,
>
> Donnie
>
> *From:* Thomaiyar, Richard Marian
> <richard.marian.thomaiyar at linux.intel.com>
> *Sent:* Thursday, September 10, 2020 8:53 AM
> *To:* Gerhart, Donnie; openbmc at lists.ozlabs.org;
> ratagupt at linux.vnet.ibm.com; gkeishin at in.ibm.com
> *Cc:* Mugunda, Chandra; Giles, Joshua; Cockrell, Trevor
> *Subject:* Re: OpenBMC LDAP server configuration assistance
>
> Hi Donnie,
>
> Didn't test it in the latest tree, but you already
> cross-verified this, right -->
> https://github.com/openbmc/openbmc-test-automation/blob/master/redfish/account_service/test_ldap_configuration.robot
>
> ++ Ratan & George.
>
> Regards,
>
> Richard
>
> On 9/9/2020 10:02 PM, Gerhart, Donnie wrote:
>
> Hello OpenBMC Community/SMEs,
>
> We are investigating LDAP functionality on the 2.8 ‘top of
> tree’ build; however, we are having some issues I believe
> you can help with straight away. Some of the many real
> failures we’ve encountered are:
>
> * Bricked system due to locking out all users
>
> <Richard> You meant to say even the `root` user is locked out? Is
> this OpenBMC repo master, or have you made more changes? By default
> user lockout is disabled, and it still won't lock the root user, to
> avoid DoS attacks.
>
> * ldap_result() failed: Can’t contact LDAP server
>
> o Believe we’ve fixed this one
>
> <Richard> Hope this was an LDAP configuration issue you faced, and
> not related to OpenBMC code as such.
>
>
> * Logins are restricted to the group priv-admin of but
> user ‘testuser’ is not a member
>
> <Richard>: Is this failure due to SSH login? Because SSH won't
> make use of LDAP privilege mapping. You may need to change
> https://github.com/openbmc/meta-phosphor/blob/master/recipes-core/dropbear/dropbear/dropbear.default
> if you need LDAP testing in SSH.
>
> Have you tried bmcweb LDAP login? Were you able to
> succeed with that?
>
> * pam_authenticate() failed, rc=7, Authentication failure
> * Bad PAM password attempt for ‘testuser’ from: <LDAP
> server IP>
>
> Some of these issues we’ve worked through; however, some
> are still dogging us. To that end, can someone possibly
> list/post a basic LDAP server LDIF file with a single
> user, privilege role and group mapping that you’ve
> successfully used with OpenBMC? We assume we are stuck on
> some trivial LDAP server topology anomaly that is
> completely escaping us at the moment.
>
> As an fyi we have looked at:
>
> 1. Gone through everything obviously ‘ldap’ in the
> mailing lists: https://lists.ozlabs.org/pipermail/openbmc/
> 2. Looked at OpenBMC learning series:
> https://github.com/openbmc/openbmc/wiki/Presentations
> 3. Gone through the documents here:
> https://github.com/openbmc/docs/blob/master/architecture/user-management.md
> 4. Looked at ldap tests and server:
> https://github.com/openbmc/openbmc-test-automation
> 5. Spent more time tweaking Linux files and creating ldap
> server configs than I care to admit 😊
>
> BIG thanks in advance!
>
> Best,
>
> Donnie
>
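The following is an added example, not code from OpenBMC, phosphor-user-manager or anyone in this thread. It is a small offline checker that parses LDIF entries like the ones Trevor posted and reports, for one user, whether the group and privilege-mapping requirements he describes are met before the LDIF is loaded into a server. The group IDs (1004 for redfish, 1000 for priv-admin, 100 for users) and the rule that the privilege mapping is named after the local group are taken from his message and are assumed to match your build; the sample LDIF (with Jane, who has the same primary gidNumber as John but was never added to the gid-1004 group), the `role_mappings` dict and all function names are constructed for this example.

```python
"""Offline sanity check of an OpenLDAP LDIF against the OpenBMC group conventions
quoted in the thread above. Added example, not phosphor-user-manager or bmcweb
code; the gid values are the ones Trevor reports and are assumed to match."""
from collections import defaultdict

REDFISH_GID = 1004   # posixGroup gating WebUI/Redfish login (thread: "redfish")
SSH_GID = 1000       # posixGroup gating SSH login (thread: "priv-admin")
LOCAL_GROUP_NAMES = {1004: "redfish", 1000: "priv-admin", 100: "users"}

# Constructed sample: John as posted above, plus Jane, never added to gid 1004.
SAMPLE_LDIF = """\
dn: uid=John,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: John
uid: John
uidNumber: 1024
gidNumber: 100
homeDirectory: /home/John
loginShell: /bin/bash

dn: uid=Jane,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: Jane
uid: Jane
uidNumber: 1025
gidNumber: 100
homeDirectory: /home/Jane
loginShell: /bin/bash

dn: cn=redfish,dc=example,dc=com
objectClass: posixGroup
cn: redfish
gidNumber: 1004
memberUid: John

dn: cn=priv-admin,dc=example,dc=com
objectClass: posixGroup
cn: priv-admin
gidNumber: 1000
memberUid: John
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines,
    a leading space continues the previous value. Returns [{attr: [values]}]."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip()
        current[last_attr].append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_user(entries, uid, role_mappings):
    """role_mappings = {local group name: privilege} as set on the BMC. Returns
    access flags, the privilege the mapping grants, and why access is denied."""
    users = {e["uid"][0]: e for e in entries
             if "posixAccount" in e["objectClass"] and e["uid"]}
    groups = {int(e["gidNumber"][0]): e for e in entries
              if "posixGroup" in e["objectClass"] and e["gidNumber"]}
    res = {"uid": uid, "redfish": False, "ssh": False, "privilege": None, "problems": []}
    user = users.get(uid)
    if user is None:
        res["problems"].append("no posixAccount entry with uid=%s" % uid)
        return res
    if not user["gidNumber"]:
        res["problems"].append("posixAccount is missing gidNumber")
        return res
    primary_gid = int(user["gidNumber"][0])

    def member_of(gid):  # primary gid counts as membership, as NSS treats it
        grp = groups.get(gid)
        return primary_gid == gid or (grp is not None and uid in grp["memberUid"])

    res["redfish"] = member_of(REDFISH_GID)
    res["ssh"] = member_of(SSH_GID)
    if not res["redfish"]:
        res["problems"].append("not in a posixGroup with gidNumber %d: WebUI/Redfish refused" % REDFISH_GID)
    group_name = LOCAL_GROUP_NAMES.get(primary_gid)  # mapping is keyed by local group name
    if group_name is None:
        res["problems"].append("primary gidNumber %d is not a local OpenBMC group" % primary_gid)
    elif group_name not in role_mappings:
        res["problems"].append("no privilege mapping named '%s': Redfish login refused" % group_name)
    else:
        res["privilege"] = role_mappings[group_name]
    return res
```

Run `check_user(parse_ldif(SAMPLE_LDIF), "Jane", {"users": "Administrator"})` and the problem list points straight at the missing gid-1004 membership that cost this thread its debugging time; running it with an empty `role_mappings` shows the other failure Trevor describes, a user in a valid group with no mapping named after it. It only checks the LDIF text, so it does not replace an `ldapsearch` against the live server or a real login test.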