LDAP groups and roles mapping

Alexander A. Filippov a.filippov at yadro.com
Tue Jan 11 01:12:46 AEDT 2022


Our customers want LDAP groups and roles mapping working not only by primary
group, but also by the membership in one of these groups.
And this requirement seems to me reasonable.

As I can see in the code of phosphor-user-manager, it can be easily solved by
searching for the user name in the group members list that is already received by the
`getgrnam` function. But I have doubts - wasn't this restriction made
intentionally?

And the second thing that seems to me wrong in current state:
Any LDAP user can log in to the WebUI even if he isn't in one of the mapped
groups. Yes, he receives a lot of messages about unauthorized access in this
case, but some functionality is still available to him.
For example: KVM and SOL (it's the websocket's restriction).

It seems to me the best solution is adding the roles mapping check at the
PAM level and restricting access for users with the `no-access` role, which is the
default role. But it will look like code duplication because such a check
is still required in BMCWeb.

Maybe I'm missing something?

--
Alexander
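To illustrate the membership check the post proposes, here is an added example (not code from phosphor-user-manager or the mailing-list author): it compares the user's primary GID against the mapped group, as the current check does, and additionally walks the `gr_mem` list that `getgrnam` already returns. The group `bmcadmins` with members `alice` and `bob`, and the names `user_matches_group` / `user_in_group`, are constructed for this example.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Check one already-resolved group entry (e.g. from getgrnam()).
 * Returns 1 if the group is the user's primary group OR the user is
 * listed in gr_mem (supplementary membership), 0 otherwise. */
int user_matches_group(const char *user, gid_t primary_gid, const struct group *grp)
{
    if (!user || !grp)
        return 0;
    if (grp->gr_gid == primary_gid)          /* primary-group match (existing behaviour) */
        return 1;
    for (char **m = grp->gr_mem; m && *m; m++) /* supplementary members returned by getgrnam() */
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Resolve both entries through NSS (works for local and LDAP-backed accounts).
 * Returns 1 = member, 0 = not a member, -1 = unknown user or group
 * (the caller should map -1 to no-access rather than treating it as success). */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (!pw || !gr)
        return -1;
    return user_matches_group(user, pw->pw_gid, gr);
}

/* Constructed sample group, standing in for what getgrnam("bmcadmins") would return. */
static char *bmcadmins_members[] = { "alice", "bob", NULL };
static struct group bmcadmins = {
    .gr_name = "bmcadmins", .gr_passwd = "x", .gr_gid = 2000, .gr_mem = bmcadmins_members
};

int main(void)
{
    /* bob: primary gid 1000, mapped only through gr_mem -> 1 */
    printf("bob   -> %d\n", user_matches_group("bob", 1000, &bmcadmins));
    /* carol: primary gid 2000 -> matches by primary group -> 1 */
    printf("carol -> %d\n", user_matches_group("carol", 2000, &bmcadmins));
    /* dave: neither primary nor listed -> 0 (should fall back to no-access) */
    printf("dave  -> %d\n", user_matches_group("dave", 1000, &bmcadmins));
    return 0;
}
```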
