Hi Donnie,

Didn't tested it in latest tree, but you already cross verified this right --> https://github.com/openbmc/openbmc-test-automation/blob/master/redfish/account_service/test_ldap_configuration.robot

++ Ratan & George.

Regards,

Richard

On 9/9/2020 10:02 PM, Gerhart, Donnie wrote:

Hello OpenBMC Community\SMEs,

We are investigating LDAP functionality on the 2.8 ‘top of tree’ build; however, we are having some issues I believe you can help with straight away. Some of the many real failures we’ve encountered are:

Bricked system due to locking out all users

<Richard> You meant to say even `root` user is locked out is OpenBMC repo master or made more changes. By default user lock out is disabled, and still won't lock root user to avoid DOS attack.

Ladap_result() failed: Can’t contact LDAP server

Believe we’ve fixed this one

<Richard> Hope this as LDAP configuration issue you faced, and not related to OpenBMC code as such.

Logins are restricted to the group priv-admin of but user ‘testuser’ is not a member

<Richard>: Is this failure due to SSH login. Because SSH won't make use of ldap privilege mapping. You may need to change https://github.com/openbmc/meta-phosphor/blob/master/recipes-core/dropbear/dropbear/dropbear.default if needs LDAP testing in SSH.

Have you tried bmcweb LDAP login ? Whether you are able to succeed in that ?

Pam_authenticate() failed, rc=7, Authentication failure

Bad PAM password attempt for ‘testuser’ from: <LDAP server IP>

Some of these issues we’ve worked through; however, some are still dogging us. To that end, can someone possibly list\post a basic LDAP server LDIF file with a single user, privilege role and group mapping that you’ve successfully used with OpenBMC? We assume we are stuck on some trivial LDAP server topology anomaly that is completely escaping us at the moment.

As an fyi we have looked at:

Gone through everything obviously ‘ldap’ in the mailing lists: https://lists.ozlabs.org/pipermail/openbmc/

Looked at OpenBMC learning series: https://github.com/openbmc/openbmc/wiki/Presentations

Gone through the documents here: https://github.com/openbmc/docs/blob/master/architecture/user-management.md

Looked at ldap tests and server: https://github.com/openbmc/openbmc-test-automation

Spent more time tweaking Linux files and creating ldap server configs that I care to admit 😊

BIG thanks in advance!

Best,

Donnie