Hi Trevor,

You can have the doc under phosphor-user-manager for configuring the LDAP server.

Ratan Gupta

On 9/28/20 8:35 PM, Cockrell, Trevor wrote:
> Hey Ratan, Richard,
>
> The issue that we ran into when using openLDAP was a small but key bit of configuration that I personally did not see on the web – the gidNumber property of a posix user/group.
>
> The below documentation/notes (currently just for openLDAP) I have from my investigation would have helped us get to the root of our problem much quicker.
>
> It might be beneficial to others to add this or something similar enough that clarifies the gidNumber requirements into the Phosphor User Manager README. If not, would there be a better place?
>
> I could adjust/edit or I can leave it to you. 😊
>
> Thanks!
>
> Trevor Cockrell
>
> User ‘John’ was created with the ldif below for an ldap server ‘example.com’:
>
> dn: uid=John,dc=example,dc=com
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> cn: John
> uid: John
> uidNumber: 1024
> gidNumber: 100
> homeDirectory: /home/John
> loginShell: /bin/bash
> gecos: John
> userPassword: {crypt}x
> shadowLastChange: -1
> shadowMax: -1
> shadowWarning: -1
>
> In order for John to access any WebUI or redfish implementation, he must then be organized into a posix group with gidNumber 1004. This is because OpenBMC performs a group check for redfish on any user attempting redfish or WebUI interaction methods. The posix group was created with the following ldif:
>
> dn: cn=redfish,dc=example,dc=com
> cn: redfish
> objectClass: posixGroup
> objectClass: top
> gidNumber: 1004
> memberUid: John
>
> The name of the posix group does not matter – only the gidNumber, which is set to 1004, locally ‘redfish’ on the OpenBMC. Field memberUid maps John into the redfish group, allowing him access to both the WebUI and redfish methods of interacting with OpenBMC.
>
> If desired, John can also be placed in posix-group ‘priv-admin’ with gidNumber 1000, granting him SSH access to the system. Privilege mapping does not affect the ability of a user in group 1000 to access the OpenBMC via SSH.
>
> With a user placed in a group, a privilege mapping must then be assigned. The above gidNumber 100 relates to group ‘users’ on the local OpenBMC machine. When the mapping is assigned, any users within the mapped gidNumber will have the privilege level that has been mapped to their group. For example, if Jane were to be assigned gidNumber 100 she would have the same privileges as John. The privilege mapping must have the same name as the group referenced by the gidNumber. In this case, the role mapping must be explicitly for ‘users’. If there is no mapping assigned, connection via redfish is refused while the WebUI allows login with no interaction.
>
> From: Ratan Gupta
> Sent: Monday, September 21, 2020 9:29 AM
> To: Thomaiyar, Richard Marian; Gerhart, Donnie; openbmc@lists.ozlabs.org; gkeishin@in.ibm.com
> Cc: Mugunda, Chandra; Giles, Joshua; Cockrell, Trevor
> Subject: Re: OpenBMC LDAP server configuration assistance
>
>> Hi Donnie,
>>
>> We didn't create the cheatsheet for ldap server configuration; we thought enough documentation is there on the net to configure the ldap server.
>>
>> But it is good to have this documentation. Are you doing it for openLDAP or the Active Directory also?
>>
>> I thought George & team was having this when I was working with him.
>>
>> Ratan
>>
>> On 9/21/20 10:01 AM, Thomaiyar, Richard Marian wrote:
>>> Hi Donnie,
>>>
>>> Yes, please go ahead and create the Cheatsheet for LDAP configuration.
>>>
>>> Regards,
>>>
>>> Richard
>>>
>>> On 9/12/2020 12:44 AM, Gerhart, Donnie wrote:
>>>> Hey Richard/Folks,
>>>>
>>>> Thanks for reaching out. We really appreciate it.
>>>>
>>>> Per usual, shortly after we hit send, we found a GID anomaly that once corrected everything OpenBMC LDAP connected up and logged in nicely.
>>>>
>>>> To keep others from spinning in such an anomaly we’d be more than happy to post (ourselves or through you) a simple Ldap diff (LDIF) file containing a small working joe and jane LDAP server config. The two places we thought such an example might be valuable are phosphor user manager arch documentation and/or the LDAP test in openbmc-test-automation but we are happy to defer to your guidance regarding same. Let us know your thoughts and we can post or provide the applicable file straight away.
>>>>
>>>> Thanks again!
>>>>
>>>> Best,
>>>>
>>>> Donnie
>>>>
>>>> From: Thomaiyar, Richard Marian
>>>> Sent: Thursday, September 10, 2020 8:53 AM
>>>> To: Gerhart, Donnie; openbmc@lists.ozlabs.org; ratagupt@linux.vnet.ibm.com; gkeishin@in.ibm.com
>>>> Cc: Mugunda, Chandra; Giles, Joshua; Cockrell, Trevor
>>>> Subject: Re: OpenBMC LDAP server configuration assistance
>>>>
>>>>> Hi Donnie,
>>>>>
>>>>> Didn't test it in the latest tree, but you already cross verified this, right -->
>>>>> https://github.com/openbmc/openbmc-test-automation/blob/master/redfish/account_service/test_ldap_configuration.robot
>>>>>
>>>>> ++ Ratan & George.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Richard
>>>>>
>>>>> On 9/9/2020 10:02 PM, Gerhart, Donnie wrote:
>>>>>> Hello OpenBMC Community\SMEs,
>>>>>>
>>>>>> We are investigating LDAP functionality on the 2.8 ‘top of tree’ build; however, we are having some issues I believe you can help with straight away. Some of the many real failures we’ve encountered are:
>>>>>>
>>>>>> * Bricked system due to locking out all users
>>>>>
>>>>> You meant to say even `root` user is locked out in OpenBMC repo master, or made more changes? By default user lock out is disabled, and still won't lock root user to avoid DOS attack.
>>>>>
>>>>>> * Ladap_result() failed: Can’t contact LDAP server
>>>>>>   o Believe we’ve fixed this one
>>>>>
>>>>> Hope this is an LDAP configuration issue you faced, and not related to OpenBMC code as such.
>>>>>
>>>>>> * Logins are restricted to the group priv-admin of but user ‘testuser’ is not a member
>>>>>
>>>>> Is this failure due to SSH login? Because SSH won't make use of ldap privilege mapping. You may need to change https://github.com/openbmc/meta-phosphor/blob/master/recipes-core/dropbear/dropbear/dropbear.default if you need LDAP testing in SSH.
>>>>>
>>>>> Have you tried bmcweb LDAP login? Whether you are able to succeed in that?
>>>>>
>>>>>> * Pam_authenticate() failed, rc=7, Authentication failure
>>>>>> * Bad PAM password attempt for ‘testuser’ from: <server IP>
>>>>>>
>>>>>> Some of these issues we’ve worked through; however, some are still dogging us. To that end, can someone possibly list\post a basic LDAP server LDIF file with a single user, privilege role and group mapping that you’ve successfully used with OpenBMC? We assume we are stuck on some trivial LDAP server topology anomaly that is completely escaping us at the moment.
>>>>>>
>>>>>> As an fyi we have looked at:
>>>>>>
>>>>>> 1. Gone through everything obviously ‘ldap’ in the mailing lists: https://lists.ozlabs.org/pipermail/openbmc/
>>>>>> 2. Looked at OpenBMC learning series: https://github.com/openbmc/openbmc/wiki/Presentations
>>>>>> 3. Gone through the documents here: https://github.com/openbmc/docs/blob/master/architecture/user-management.md
>>>>>> 4. Looked at ldap tests and server: https://github.com/openbmc/openbmc-test-automation
>>>>>> 5. Spent more time tweaking Linux files and creating ldap server configs than I care to admit 😊
>>>>>>
>>>>>> BIG thanks in advance!
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Donnie
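The gidNumber rules Trevor lays out above (gid 1004 for WebUI/Redfish, gid 1000 for SSH, and a privilege mapping named after the BMC group the user's primary gid maps to) are easy to get wrong in an LDIF, which is exactly the anomaly Donnie's team hit. The checker below is an added example, not code from the thread or from phosphor-user-manager: it parses a constructed LDIF (John is in both groups, Jane is in neither) and reports per user which of the three conditions hold. The gid-to-local-group table and the privilege-mapping dict are assumptions standing in for the BMC's local /etc/group and its configured role mappings.

```python
# Constructed sample LDIF (not from the thread): John is in the gid-1004 and gid-1000 groups, Jane is not.
SAMPLE_LDIF = """\
dn: uid=John,dc=example,dc=com
objectClass: posixAccount
uid: John
gidNumber: 100

dn: uid=Jane,dc=example,dc=com
objectClass: posixAccount
uid: Jane
gidNumber: 100

dn: cn=redfish,dc=example,dc=com
objectClass: posixGroup
gidNumber: 1004
memberUid: John

dn: cn=priv-admin,dc=example,dc=com
objectClass: posixGroup
gidNumber: 1000
memberUid: John
"""
REDFISH_GID, SSH_GID = "1004", "1000"  # local 'redfish' and 'priv-admin' gids on the BMC (from the thread)
LOCAL_GROUPS = {"100": "users", "1000": "priv-admin", "1004": "redfish"}  # assumed gid -> BMC group name

def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, attributes may repeat."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            entry.setdefault(key.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def check_access(ldif_text, privilege_mappings):
    """Per posixAccount: can it reach WebUI/Redfish, can it SSH, and does a role mapping exist for it."""
    entries = parse_ldif(ldif_text)
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    users = [e for e in entries if "posixAccount" in e.get("objectClass", [])]
    def members(gid):  # every memberUid of every posixGroup carrying this gidNumber
        return {m for g in groups if gid in g.get("gidNumber", []) for m in g.get("memberUid", [])}
    report = {}
    for u in users:
        uid = u["uid"][0]
        bmc_group = LOCAL_GROUPS.get(u["gidNumber"][0])  # mapping must be named after this group
        report[uid] = {"redfish": uid in members(REDFISH_GID), "ssh": uid in members(SSH_GID),
                       "mapping": bmc_group in privilege_mappings}
    return report
```

Run `check_access(SAMPLE_LDIF, {"users": "priv-admin"})` to see Jane flagged as lacking Redfish and SSH access even though her role mapping is in place.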