From: Alexander A. Filippov
Date: 2022-01-10 14:12 UTC
To: openbmc
Subject: LDAP groups and roles mapping

Our customers want LDAP groups and roles mapping working not only by primary
group, but also by the membership in one of these groups.
And this requirement seems to me reasonable.

As I can see in the code of phosphor-user-manager it can be easily solved by
searching the user name in the group members list that is already received by
the `getgrnam` function. But I have doubts - wasn't this restriction done
intentionally?

And the second thing that seems to me wrong in the current state:
Any LDAP user can log in to the WebUI even if he isn't in one of the mapped
groups. Yes, he receives a lot of messages about unauthorized access in this
case, but some functionality is still available to him. For example: KVM and
SOL (it's the websocket's restriction).
It seems to me the best solution is adding the roles mapping check at the PAM
level and restricting the access for users with the `no-access` role, which is
the default role. But it will look like code duplication because such a check
is still required in BMCWeb.

Maybe I'm missing something?

--
Alexander
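The primary-group-only lookup beside the membership-aware lookup this message proposes, as an added C++ example that is not code from phosphor-user-manager: GroupEntry stands in for the `struct group` that `getgrnam` returns, and the group names, gids, member lists and role names are constructed for the example.

```cpp
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for the `struct group` getgrnam(3) returns (name,
// gid, gr_mem); entries are built inline so the example runs offline.
struct GroupEntry {
    std::string name;
    unsigned gid;
    std::vector<std::string> members;
};

// LDAP group name -> privilege role; role names are assumed for this example.
using RoleMap = std::map<std::string, std::string>;
const std::string kNoAccess = "priv-noaccess"; // default when nothing matches

// Current behaviour as described in the thread: only the primary group counts.
std::string roleByPrimaryGroup(unsigned primaryGid,
                               const std::vector<GroupEntry>& groups,
                               const RoleMap& roles) {
    for (const auto& g : groups) {
        if (g.gid != primaryGid)
            continue;
        auto it = roles.find(g.name);
        return it == roles.end() ? kNoAccess : it->second;
    }
    return kNoAccess;
}

// Proposed behaviour: a mapped group matches if it is the primary group OR
// the user is listed in its gr_mem. Mapped groups are checked in the order
// given, so list the most privileged mapping first (assumption of this example).
std::string roleByMembership(const std::string& user, unsigned primaryGid,
                             const std::vector<GroupEntry>& groups,
                             const RoleMap& roles) {
    for (const auto& g : groups) {
        auto it = roles.find(g.name);
        if (it == roles.end())
            continue; // unmapped group: contributes nothing
        if (g.gid == primaryGid)
            return it->second;
        for (const auto& m : g.members)
            if (m == user)
                return it->second;
    }
    return kNoAccess; // not in any mapped group: no access
}
```

A user whose primary group is unmapped but who is listed as a member of a mapped group gets that group's role only in the second function; everyone else still falls back to the no-access default.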
From: Paul Fertser
Date: 2022-01-10 14:40 UTC
To: Alexander A. Filippov; Cc: openbmc
Subject: Re: LDAP groups and roles mapping

Hi,

On Mon, Jan 10, 2022 at 05:12:46PM +0300, Alexander A. Filippov wrote:
> Our customers want LDAP groups and roles mapping working not only by primary
> group, but also by the membership in one of these groups.
> And this requirement seems to me reasonable.

A sidenote: Windows Active Directory admins might also want you to
take nested groups into consideration. I suggest you check with the
customers if that's the case or not.

AFAIK there's no standard way to do that (other than recursively walking
through the group membership) but Microsoft has the
LDAP_MATCHING_RULE_IN_CHAIN OID:
https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax

--
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:fercerpav@gmail.com
From: Alexander A. Filippov
Date: 2022-01-10 15:56 UTC
To: Paul Fertser; Cc: openbmc
Subject: Re: LDAP groups and roles mapping

On Mon, Jan 10, 2022 at 05:40:02PM +0300, Paul Fertser wrote:
> Hi,
>
> On Mon, Jan 10, 2022 at 05:12:46PM +0300, Alexander A. Filippov wrote:
> > Our customers want LDAP groups and roles mapping working not only by primary
> > group, but also by the membership in one of these groups.
> > And this requirement seems to me reasonable.
>
> A sidenote: windows active directory admins might also want you to
> take nested groups into consideration. I suggest you check with the
> customers if that's the case or not.
>

Yes, it looks like a problem.
I'm afraid that the recursive queries will execute too long and PAM will give
rejection by timeout.
But `phosphor-user-manager` allows to create mappings of several LDAP groups
into one role and thus, I suppose, we can claim that we don't support the nested
groups.

> AFAIK there's no standard way to do that (other than recursively walk
> through the group membership) but microsoft has
> LDAP_MATCHING_RULE_IN_CHAIN OID:
> https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax

--
Alexander
From: Paul Fertser
Date: 2022-01-10 21:00 UTC
To: Alexander A. Filippov; Cc: openbmc
Subject: Re: LDAP groups and roles mapping

On Mon, Jan 10, 2022 at 06:56:32PM +0300, Alexander A. Filippov wrote:
> On Mon, Jan 10, 2022 at 05:40:02PM +0300, Paul Fertser wrote:
> > On Mon, Jan 10, 2022 at 05:12:46PM +0300, Alexander A. Filippov wrote:
> > > Our customers want LDAP groups and roles mapping working not only by primary
> > > group, but also by the membership in one of these groups.
> > > And this requirement seems to me reasonable.
> >
> > A sidenote: windows active directory admins might also want you to
> > take nested groups into consideration. I suggest you check with the
> > customers if that's the case or not.
> >
>
> Yes, it looks like a problem.
> I'm afraid that the recursive queries will execute too long and PAM will give
> rejection by timeout.

But phosphor-ldap-config already special-cases
ConfigIface::Type::ActiveDirectory, so instead of

    confData << "filter passwd (&(objectClass=user)(objectClass=person)"
                "(!(objectClass=computer)))\n";

it can use something like

    filter passwd (&(Objectclass=user)(!(objectClass=computer))(memberOf:1.2.840.113556.1.4.1941:=cn=cumuluslnxadm,ou=groups,ou=support,dc=rtp,dc=example,dc=test))

(phosphor-ldap-config generates /etc/nslcd.conf; this particular example is
from Cumulus Linux; instead of
cn=cumuluslnxadm,ou=groups,ou=support,dc=rtp,dc=example,dc=test the full DN
of any group can be specified)

> But `phosphor-user-manager` allows to create mappings of several LDAP groups
> into one role and thus, I suppose, we can claim that we don't support the nested
> groups.

Please consider supporting nested groups at least for AD, this seems to be
easy enough.

--
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:fercerpav@gmail.com
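The nslcd filter line from the message above, generated for any number of mapped group DNs, as an added C++ example that is not phosphor-ldap-config's own code: it keeps the existing objectClass clauses and appends the LDAP_MATCHING_RULE_IN_CHAIN memberOf test, escaping the DN per RFC 4515 so a configured DN containing filter metacharacters cannot widen the match. The function names are mine and the DNs in the test are constructed.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// LDAP_MATCHING_RULE_IN_CHAIN, the OID quoted in the thread.
static const std::string kMatchingRuleInChain = "1.2.840.113556.1.4.1941";

// RFC 4515 escaping for a value embedded in a search filter: '(' ')' '*'
// '\' and NUL become \XX, so a group DN taken from configuration cannot
// change the structure of the generated filter.
std::string escapeFilterValue(const std::string& in) {
    std::string out;
    for (unsigned char c : in) {
        if (c == '(' || c == ')' || c == '*' || c == '\\' || c == 0) {
            char buf[4];
            std::snprintf(buf, sizeof buf, "\\%02x", static_cast<unsigned>(c));
            out += buf;
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// nslcd "filter passwd" line for Active Directory: the existing
// phosphor-ldap-config clauses plus a transitive memberOf test against each
// mapped group DN (several DNs are OR-ed). With no DNs the original,
// membership-agnostic filter comes back, i.e. every AD user is admitted.
std::string adPasswdFilter(const std::vector<std::string>& groupDns) {
    std::string membership;
    for (const auto& dn : groupDns)
        membership += "(memberOf:" + kMatchingRuleInChain + ":=" +
                      escapeFilterValue(dn) + ")";
    if (groupDns.size() > 1)
        membership = "(|" + membership + ")";
    return "filter passwd (&(objectClass=user)(objectClass=person)"
           "(!(objectClass=computer))" + membership + ")";
}
```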
From: Alexander A. Filippov
Date: 2022-02-10 10:24 UTC
To: openbmc
Subject: Re: LDAP groups and roles mapping

On Mon, Jan 10, 2022 at 05:12:46PM +0300, Alexander A. Filippov wrote:
> Our customers want LDAP groups and roles mapping working not only by primary
> group, but also by the membership in one of these groups.
> And this requirement seems to me reasonable.
>
> As I can see in the code of phosphor-user-manager it can be easily solved by
> searching the user name in the group members list that already received by the
> `getgrnam` function. But I have doubts - wasn't this restriction done
> intentionally?
>

I've pushed the fix for phosphor-user-manager that fixes the role
determination using the groups membership.
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/51114

--
Alexander