openbmc.lists.ozlabs.org archive mirror
From: "Gerhart, Donnie" <Donnie.Gerhart@dell.com>
To: "Thomaiyar,
	Richard Marian" <richard.marian.thomaiyar@linux.intel.com>,
	"openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>,
	"ratagupt@linux.vnet.ibm.com" <ratagupt@linux.vnet.ibm.com>,
	"gkeishin@in.ibm.com" <gkeishin@in.ibm.com>
Cc: "Mugunda, Chandra" <Chandra.Mugunda@dell.com>,
	"Giles, Joshua" <Joshua.Giles@dell.com>,
	"Cockrell, Trevor" <Trevor.Cockrell@dell.com>
Subject: RE: OpenBMC LDAP server configuration assistance
Date: Fri, 11 Sep 2020 19:14:41 +0000
Message-ID: <BLAPR19MB433888EAE75ED273319EC97193240@BLAPR19MB4338.namprd19.prod.outlook.com>
In-Reply-To: <6b1406cd-1d70-7f62-6e2d-c33d80d02f1c@linux.intel.com>


Hey Richard/Folks,

Thanks for reaching out.  We really appreciate it.

Per usual, shortly after we hit send, we found a GID anomaly that, once corrected, let everything in OpenBMC LDAP connect up and log in nicely.

To keep others from spinning in such an anomaly we’d be more than happy to post (ourselves or through you) a simple LDAP diff (LDIF) file containing a small working joe and jane LDAP server config.  The two places we thought such an example might be valuable are the phosphor user manager arch documentation and/or the LDAP test in openbmc-test-automation, but we are happy to defer to your guidance regarding same.  Let us know your thoughts and we can post or provide the applicable file straight away.

Thanks again!

Best,
Donnie


From: Thomaiyar, Richard Marian <richard.marian.thomaiyar@linux.intel.com>
Sent: Thursday, September 10, 2020 8:53 AM
To: Gerhart, Donnie; openbmc@lists.ozlabs.org; ratagupt@linux.vnet.ibm.com; gkeishin@in.ibm.com
Cc: Mugunda, Chandra; Giles, Joshua; Cockrell, Trevor
Subject: Re: OpenBMC LDAP server configuration assistance

Hi Donnie,

Didn't test it in the latest tree, but you already cross-verified this, right --> https://github.com/openbmc/openbmc-test-automation/blob/master/redfish/account_service/test_ldap_configuration.robot

++ Ratan & George.

Regards,

Richard
On 9/9/2020 10:02 PM, Gerhart, Donnie wrote:
Hello OpenBMC Community\SMEs,

We are investigating LDAP functionality on the 2.8 ‘top of tree’ build; however, we are having some issues I believe you can help with straight away.  Some of the many real failures we’ve encountered are:

  *   Bricked system due to locking out all users
<Richard> You meant to say even the `root` user is locked out? Is this OpenBMC repo master, or have you made more changes? By default user lockout is disabled, and it still won't lock the root user, to avoid a DOS attack.

  *   ldap_result() failed:  Can’t contact LDAP server

     *   Believe we’ve fixed this one
<Richard> Hope this was an LDAP configuration issue you faced, and not related to OpenBMC code as such.


  *   Logins are restricted to the group priv-admin but user ‘testuser’ is not a member

<Richard> Is this failure due to SSH login? Because SSH won't make use of LDAP privilege mapping. You may need to change https://github.com/openbmc/meta-phosphor/blob/master/recipes-core/dropbear/dropbear/dropbear.default if you need LDAP testing in SSH.

Have you tried bmcweb LDAP login? Were you able to succeed in that?

  *   pam_authenticate() failed, rc=7, Authentication failure
  *   Bad PAM password attempt for ‘testuser’ from: <LDAP server IP>

Some of these issues we’ve worked through; however, some are still dogging us.  To that end, can someone possibly list\post a basic LDAP server LDIF file with a single user, privilege role and group mapping that you’ve successfully used with OpenBMC?  We assume we are stuck on some trivial LDAP server topology anomaly that is completely escaping us at the moment.

As an FYI, we have looked at:

  1.  Gone through everything obviously ‘ldap’ in the mailing lists:  https://lists.ozlabs.org/pipermail/openbmc/
  2.  Looked at OpenBMC learning series:  https://github.com/openbmc/openbmc/wiki/Presentations
  3.  Gone through the documents here:  https://github.com/openbmc/docs/blob/master/architecture/user-management.md
  4.  Looked at ldap tests and server:  https://github.com/openbmc/openbmc-test-automation
  5.  Spent more time tweaking Linux files and creating ldap server configs that I care to admit 😊

BIG thanks in advance!

Best,
Donnie
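Donnie's original mail asks for a basic LDIF with a single user, privilege role and group mapping, and the reply above says the blocker turned out to be a GID anomaly. The following is an added example, not code from this thread, from Dell or Intel, or from the OpenBMC project: a small Python checker that parses an LDIF and flags the user/group inconsistencies a practitioner would want to rule out before testing logins against OpenBMC (a posixAccount whose primary gidNumber matches no posixGroup, two groups sharing a gidNumber, a memberUid naming a user that does not exist). The embedded LDIF is constructed for illustration: the base DN `dc=example,dc=com`, users `joe` and `jane`, the group `priv-user`, and all uid/gid numbers and home directories are assumptions; only the group name `priv-admin` appears in the thread. The sample deliberately gives `jane` a gidNumber no group defines, so the checker reports it.

```python
"""LDIF sanity checks for an OpenBMC-style LDAP user/group layout.

Added example, not code from this thread or from the OpenBMC project. The
sample below is constructed: base DN, names and uid/gid numbers are all
assumptions; a loadable file would also need the base and ou entries.
"""
import base64
from collections import defaultdict

# Constructed sample. "jane" deliberately carries a primary gidNumber that
# no posixGroup defines, the kind of GID mismatch the thread calls out.
SAMPLE_LDIF = """\
dn: uid=joe,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: joe
cn: joe
uidNumber: 10001
gidNumber: 20001
homeDirectory: /home/joe

dn: uid=jane,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: jane
cn: jane
uidNumber: 10002
gidNumber: 20999
homeDirectory: /home/jane

dn: cn=priv-admin,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: priv-admin
gidNumber: 20001
memberUid: joe

dn: cn=priv-user,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: priv-user
gidNumber: 20002
memberUid: jane
memberUid: bob
"""


def parse_ldif(text):
    """Parse LDIF content records into [(dn, {attr: [values]})]; attribute
    names are lower-cased because LDAP compares them case-insensitively.
    Folded lines, base64 values ("attr:: ...") and '#' comments are handled."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, attrs, dn = [], defaultdict(list), None
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            attrs, dn = defaultdict(list), None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return entries


def check_posix_consistency(entries):
    """Return user/group layout inconsistencies worth fixing before login tests."""
    problems, users, groups, members = [], {}, {}, {}
    for dn, a in entries:
        classes = {c.lower() for c in a.get("objectclass", [])}
        if "posixaccount" in classes:
            for uid in a.get("uid", []):
                users[uid] = a.get("gidnumber", [None])[0]
        if "posixgroup" in classes:
            cn = a.get("cn", [dn])[0]
            for gid in a.get("gidnumber", []):
                if gid in groups:
                    problems.append(f"gidNumber {gid} used by both {groups[gid]} and {cn}")
                groups[gid] = cn
            members[cn] = a.get("memberuid", [])
    for uid, gid in users.items():
        if gid is None:
            problems.append(f"user {uid} has no gidNumber")
        elif gid not in groups:
            problems.append(f"user {uid}: primary gidNumber {gid} matches no posixGroup")
    for cn, uids in members.items():
        for uid in uids:
            if uid not in users:
                problems.append(f"group {cn}: memberUid {uid} is not a posixAccount")
    return problems
```

Running `check_posix_consistency(parse_ldif(SAMPLE_LDIF))` returns two findings for the constructed sample: jane's primary gidNumber 20999 matches no group, and priv-user lists a memberUid `bob` that has no account. Point `parse_ldif` at the LDIF you are about to `ldapadd` and the list should be empty before any OpenBMC login test starts; which group maps to which privilege is still configured on the BMC side, as the thread notes.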


Thread overview: 8+ messages
2020-09-09 16:32 OpenBMC LDAP server configuration assistance Gerhart, Donnie
2020-09-10 13:53 ` Thomaiyar, Richard Marian
2020-09-11 19:14   ` Gerhart, Donnie [this message]
2020-09-21  4:31     ` Thomaiyar, Richard Marian
2020-09-21 14:29       ` Ratan Gupta
2020-09-21 14:29         ` Ratan Gupta
2020-09-28 15:05         ` Cockrell, Trevor
2020-09-29  7:13           ` Ratan Gupta
