* LDAP group privilege mapping does not exist
@ 2020-12-03 15:20 Venkata Chandrappa
  2020-12-03 22:55 ` Derick Montague
  0 siblings, 1 reply; 4+ messages in thread
From: Venkata Chandrappa @ 2020-12-03 15:20 UTC (permalink / raw)
  To: openbmc


Hi Everyone,

I'm looking for information regarding privilege mapping of LDAP users. I have an LDAP server running with a group set to "priv-admin" privileges and there is one user added to this group. After setting the LDAP data in BMC web, I've added a Role Group with the same name as the LDAP group name and assigned administrator privileges to it. The LDAP user is able to log in to the BMC web and Redfish; however, the user cannot perform any actions that an administrator is allowed to perform, even viewing information in the overview page is disallowed.

Journal logs seem to indicate the mapping doesn't exist, so I'm wondering if the role groups added in BMC web have been set up correctly.

    phosphor-user-manager[257]: LDAP group privilege mapping does not exist

One more thing to note is when I added the role group, there was a 404 response generated. However, on refreshing the page or navigating back to the page, the role group was added successfully.

I'm hoping this is an LDAP configuration issue and would appreciate it if someone could provide some direction on this. Thanks.

Best Regards,
Venka
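
Added example (not part of the original thread and not OpenBMC's own code): a check that can be run over the JSON of the BMC's Redfish AccountService resource to see whether any role group matches a group the LDAP user resolves to, including near-misses in spelling. It assumes the standard Redfish RemoteRoleMapping layout; the sample JSON and group names are constructed, and because the thread does not say which of the user's groups the BMC consults, candidate group names are passed in by the caller.

```python
# Added example: audit Redfish role-group mappings against a user's LDAP groups.
# The JSON below is constructed sample data, not output from a real BMC.
import json

SAMPLE_ACCOUNT_SERVICE = json.loads("""
{
  "LDAP": {
    "ServiceEnabled": true,
    "RemoteRoleMapping": [
      {"RemoteGroup": "BMC-Admins ", "LocalRole": "Administrator"}
    ]
  },
  "ActiveDirectory": {"ServiceEnabled": false, "RemoteRoleMapping": []}
}
""")


def _short_name(group):
    """Reduce 'cn=admins,ou=groups,dc=x' to 'admins'; plain names pass through."""
    first = group.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def check_role_mapping(account_service, user_groups):
    """Return (status, detail) for the groups a directory user resolves to.

    status is 'mapped', 'near-miss' (a role group differs only by case,
    surrounding whitespace or DN form) or 'unmapped'.
    """
    near = []
    for backend in ("LDAP", "ActiveDirectory"):
        cfg = account_service.get(backend) or {}
        if not cfg.get("ServiceEnabled"):
            continue  # assumption: only an enabled backend's mappings are used
        for entry in cfg.get("RemoteRoleMapping") or []:
            remote = entry.get("RemoteGroup", "")
            for group in user_groups:
                if remote == group:
                    return "mapped", f"{group} -> {entry.get('LocalRole')}"
                if _short_name(remote).strip().lower() == _short_name(group).strip().lower():
                    near.append(f"{remote!r} vs {group!r}")
    if near:
        return "near-miss", "; ".join(near)
    return "unmapped", "no enabled backend maps any of: " + ", ".join(user_groups)
```

A 'near-miss' result points at the role group name entered on the BMC rather than at the directory contents.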


* Re: LDAP group privilege mapping does not exist
  2020-12-03 15:20 LDAP group privilege mapping does not exist Venkata Chandrappa
@ 2020-12-03 22:55 ` Derick Montague
  2020-12-04 10:01   ` Venkata Chandrappa
  0 siblings, 1 reply; 4+ messages in thread
From: Derick Montague @ 2020-12-03 22:55 UTC (permalink / raw)
  To: Venkata_Chandrappa; +Cc: openbmc

> Journal logs seem to indicate the mapping doesn’t exist, so I’m wondering if
> the role groups added in BMC web have been setup correctly.  
   
I can't speak to that, but we had tested role groups when the view was created
and we were able to log in and perform actions.
   
> One more thing to note is when I added the role group, there was a 404 response
> generated. However, on refreshing the page or navigating back to the page, the role
> group was added successfully.  
   
That was fixed in https://gerrit.openbmc-project.xyz/c/openbmc/webui-vue/+/38618. It was
a UI issue, but the API request was successful as you noticed by refreshing the page.



* RE: LDAP group privilege mapping does not exist
  2020-12-03 22:55 ` Derick Montague
@ 2020-12-04 10:01   ` Venkata Chandrappa
  2020-12-04 17:28     ` Joseph Reynolds
  0 siblings, 1 reply; 4+ messages in thread
From: Venkata Chandrappa @ 2020-12-04 10:01 UTC (permalink / raw)
  To: Derick Montague; +Cc: openbmc


Thanks for the response. 

Could you help to share a basic LDAP server LDIF file with a user who is a member of a group with the privileges assigned, something that you've already tested? I've also attached the LDIF file that I've used for my tests. I want to rule out LDAP configuration errors that I may be overlooking before I delve into the BMC side investigation.

Best Regards,
Venka



[-- Attachment #2: ldap_data.ldif --]
[-- Type: application/octet-stream, Size: 0 bytes --]




* Re: LDAP group privilege mapping does not exist
  2020-12-04 10:01   ` Venkata Chandrappa
@ 2020-12-04 17:28     ` Joseph Reynolds
  0 siblings, 0 replies; 4+ messages in thread
From: Joseph Reynolds @ 2020-12-04 17:28 UTC (permalink / raw)
  To: Venkata Chandrappa, Derick Montague; +Cc: openbmc

On 12/4/20 4:01 AM, Venkata Chandrappa wrote:
> Thanks for the response.
>
> Could you help to share a basic LDAP server LDIF file with a user who is a member of a group with the privileges assigned, something that you've already tested? I've also attached the LDIF file that I've used for my tests. I want to rule out LDAP configuration errors that I may be overlooking before I delve into the BMC side investigation.

Good questions.  Thanks for asking and answering!

Have you seen the LDAP tests here?: 
https://github.com/openbmc/openbmc-test-automation/blob/master/redfish/account_service/test_ldap_configuration.robot

When we have a consensus answer, I would like to link to it or summarize 
it here: https://github.com/openbmc/openbmc/wiki/Configuration-guide

- Joseph


