* LDAP groups and roles mapping
@ 2022-01-10 14:12 Alexander A. Filippov
  2022-01-10 14:40 ` Paul Fertser
  2022-02-10 10:24 ` Alexander A. Filippov
  0 siblings, 2 replies; 5+ messages in thread
From: Alexander A. Filippov @ 2022-01-10 14:12 UTC (permalink / raw)
  To: openbmc

Our customers want LDAP group and role mapping to work not only by the primary
group, but also by membership in one of these groups.
And this requirement seems reasonable to me.

As I can see in the code of phosphor-user-manager, it can be easily solved by
searching for the user name in the group members list that is already received by
the `getgrnam` function. But I have doubts: wasn't this restriction done
intentionally?

And the second thing that seems wrong to me in the current state:
Any LDAP user can log in to the WebUI even if he isn't in one of the mapped
groups. Yes, he receives a lot of messages about unauthorized access in this
case, but some functionality is still available to him.
For example: KVM and SOL (it's the websocket restriction).

It seems to me the best solution is adding the role mapping check at the
PAM level and restricting access for users with the `no-access` role, which is
the default role. But it will look like code duplication because such a check
is still required in BMCWeb.

Maybe I'm missing something?

--
Alexander

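Added example (not code from phosphor-user-manager or from this thread's authors) of the role-determination change described in the message above: the first function keeps the primary-group-only behaviour, the second also checks the member list that getgrnam(3) returns in gr_mem, and both fall back to the `no-access` default role named in the message. The group and user records, group names and role names are constructed sample data standing in for `struct group` and `struct passwd`; the precedence rule for a user who is in several mapped groups (first match in mapping order) is an assumption of this example, not something the thread settles.

```cpp
// Added example: resolve a BMC role from LDAP group membership, checking both
// the user's primary group and the supplementary member list (gr_mem) that
// getgrnam(3) would return. The records below are constructed in-memory
// stand-ins so the code runs without an LDAP/NSS backend.
#include <algorithm>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the fields of `struct group` this check needs.
struct GroupRecord {
    std::string name;
    unsigned gid;
    std::vector<std::string> members;  // gr_mem: supplementary members
};

// Stand-in for the passwd entry: user name and primary gid.
struct UserRecord {
    std::string name;
    unsigned primaryGid;
};

// Default role when no mapped group matches (the role named in the thread).
static const std::string kNoAccessRole = "no-access";

// Ordered mapping "LDAP group name -> BMC role"; several groups may map to
// one role. Assumption of this example: earlier entries take precedence.
using RoleMap = std::vector<std::pair<std::string, std::string>>;

// Stand-in for getgrnam(3): nullptr when the group is unknown, as getgrnam does.
const GroupRecord* findGroup(const std::vector<GroupRecord>& db,
                             const std::string& name) {
    for (const auto& g : db) {
        if (g.name == name) return &g;
    }
    return nullptr;
}

// Behaviour described as current in the thread: only the primary group counts.
std::string roleByPrimaryGroup(const UserRecord& user, const RoleMap& mapping,
                               const std::vector<GroupRecord>& db) {
    for (const auto& entry : mapping) {
        const GroupRecord* g = findGroup(db, entry.first);
        if (g != nullptr && g->gid == user.primaryGid) return entry.second;
    }
    return kNoAccessRole;
}

// Proposed behaviour: primary group OR presence in the group's member list.
std::string roleByMembership(const UserRecord& user, const RoleMap& mapping,
                             const std::vector<GroupRecord>& db) {
    for (const auto& entry : mapping) {
        const GroupRecord* g = findGroup(db, entry.first);
        if (g == nullptr) continue;  // mapped group absent from the directory
        if (g->gid == user.primaryGid) return entry.second;
        if (std::find(g->members.begin(), g->members.end(), user.name) !=
            g->members.end()) {
            return entry.second;
        }
    }
    return kNoAccessRole;
}

// Constructed sample directory: "staff" is everyone's primary group and is
// deliberately not mapped, so primary-group-only lookup yields no-access.
std::vector<GroupRecord> sampleGroups() {
    return {
        {"bmc-admins", 2001, {"alice"}},
        {"bmc-operators", 2002, {"bob", "carol"}},
        {"staff", 2003, {"alice", "bob", "carol", "dave"}},
    };
}

// Constructed sample mapping (role names are placeholders).
RoleMap sampleMapping() {
    return {{"bmc-admins", "priv-admin"}, {"bmc-operators", "priv-operator"}};
}
```

With the sample data, alice (primary group staff, member of bmc-admins) gets `no-access` from the primary-group-only check and `priv-admin` once membership is considered; dave, who is in no mapped group at all, stays at `no-access` either way.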

* Re: LDAP groups and roles mapping
  2022-01-10 14:12 LDAP groups and roles mapping Alexander A. Filippov
@ 2022-01-10 14:40 ` Paul Fertser
  2022-01-10 15:56   ` Alexander A. Filippov
  2022-02-10 10:24 ` Alexander A. Filippov
  1 sibling, 1 reply; 5+ messages in thread
From: Paul Fertser @ 2022-01-10 14:40 UTC (permalink / raw)
  To: Alexander A. Filippov; +Cc: openbmc

Hi,

On Mon, Jan 10, 2022 at 05:12:46PM +0300, Alexander A. Filippov wrote:
> Our customers want LDAP group and role mapping to work not only by the primary
> group, but also by membership in one of these groups.
> And this requirement seems reasonable to me.

A sidenote: Windows Active Directory admins might also want you to
take nested groups into consideration. I suggest you check with the
customers if that's the case or not.

AFAIK there's no standard way to do that (other than recursively walking
through the group membership) but Microsoft has the
LDAP_MATCHING_RULE_IN_CHAIN OID:
https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax

-- 
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:fercerpav@gmail.com


* Re: LDAP groups and roles mapping
  2022-01-10 14:40 ` Paul Fertser
@ 2022-01-10 15:56   ` Alexander A. Filippov
  2022-01-10 21:00     ` Paul Fertser
  0 siblings, 1 reply; 5+ messages in thread
From: Alexander A. Filippov @ 2022-01-10 15:56 UTC (permalink / raw)
  To: Paul Fertser; +Cc: openbmc

On Mon, Jan 10, 2022 at 05:40:02PM +0300, Paul Fertser wrote:
> Hi,
> 
> On Mon, Jan 10, 2022 at 05:12:46PM +0300, Alexander A. Filippov wrote:
> > Our customers want LDAP group and role mapping to work not only by the primary
> > group, but also by membership in one of these groups.
> > And this requirement seems reasonable to me.
> 
> A sidenote: Windows Active Directory admins might also want you to
> take nested groups into consideration. I suggest you check with the
> customers if that's the case or not.
> 

Yes, it looks like a problem.
I'm afraid that the recursive queries will execute for too long and PAM will give
a rejection by timeout.

But `phosphor-user-manager` allows creating mappings of several LDAP groups
into one role and thus, I suppose, we can claim that we don't support nested
groups.


> AFAIK there's no standard way to do that (other than recursively walking
> through the group membership) but Microsoft has the
> LDAP_MATCHING_RULE_IN_CHAIN OID:
> https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
> 
> -- 
> Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
> mailto:fercerpav@gmail.com

--
Alexander


* Re: LDAP groups and roles mapping
  2022-01-10 15:56   ` Alexander A. Filippov
@ 2022-01-10 21:00     ` Paul Fertser
  0 siblings, 0 replies; 5+ messages in thread
From: Paul Fertser @ 2022-01-10 21:00 UTC (permalink / raw)
  To: Alexander A. Filippov; +Cc: openbmc

On Mon, Jan 10, 2022 at 06:56:32PM +0300, Alexander A. Filippov wrote:
> On Mon, Jan 10, 2022 at 05:40:02PM +0300, Paul Fertser wrote:
> > On Mon, Jan 10, 2022 at 05:12:46PM +0300, Alexander A. Filippov wrote:
> > > Our customers want LDAP group and role mapping to work not only by the primary
> > > group, but also by membership in one of these groups.
> > > And this requirement seems reasonable to me.
> > 
> > A sidenote: Windows Active Directory admins might also want you to
> > take nested groups into consideration. I suggest you check with the
> > customers if that's the case or not.
> > 
> 
> Yes, it looks like a problem.
> I'm afraid that the recursive queries will execute for too long and PAM will give
> a rejection by timeout.

But phosphor-ldap-config already special-cases
ConfigIface::Type::ActiveDirectory so instead of

        confData << "filter passwd (&(objectClass=user)(objectClass=person)"
                    "(!(objectClass=computer)))\n";

it can use something like

filter passwd (&(Objectclass=user)(!(objectClass=computer))(memberOf:1.2.840.113556.1.4.1941:=cn=cumuluslnxadm,ou=groups,ou=support,dc=rtp,dc=example,dc=test))

(phosphor-ldap-config generates /etc/nslcd.conf; this particular
example is from Cumulus Linux; instead of
cn=cumuluslnxadm,ou=groups,ou=support,dc=rtp,dc=example,dc=test the full
DN of any group can be specified)

> But `phosphor-user-manager` allows creating mappings of several LDAP groups
> into one role and thus, I suppose, we can claim that we don't support nested
> groups.

Please consider supporting nested groups at least for AD, this seems
to be easy enough.

-- 
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:fercerpav@gmail.com

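Added example (not phosphor-ldap-config code, nor Paul's) covering his two points above: building the nslcd `filter passwd` line for Active Directory with the LDAP_MATCHING_RULE_IN_CHAIN OID from the thread, so the directory server resolves nested membership instead of the client walking groups recursively. Because the configured group DN is spliced into the filter as an assertion value, it is escaped per RFC 4515 first, so a DN containing `(`, `)`, `*` or `\` cannot change the filter's structure. The function names are this example's own; the DN in the first check is the one from the message above, the others are constructed.

```cpp
// Added example: emit the AD variant of the nslcd "filter passwd" line using
// the LDAP_MATCHING_RULE_IN_CHAIN matching rule. The group DN is treated as an
// untrusted assertion value and escaped per RFC 4515 before interpolation.
#include <cstdio>
#include <string>

// OID of LDAP_MATCHING_RULE_IN_CHAIN, as quoted in the thread.
static const char* const kMatchingRuleInChain = "1.2.840.113556.1.4.1941";

// RFC 4515 escaping for an assertion value inside a search filter:
// '*', '(', ')', '\' and NUL become "\XX" hex escapes; everything else,
// including UTF-8 bytes, passes through unchanged.
std::string escapeFilterValue(const std::string& value) {
    std::string out;
    out.reserve(value.size());
    for (unsigned char c : value) {
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
            char buf[4];  // backslash + two hex digits + NUL
            std::snprintf(buf, sizeof buf, "\\%02x", c);
            out += buf;
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// Builds the nslcd.conf line for the Active Directory case: user objects that
// are not computers and are (transitively) members of groupDn. Format follows
// the filter shown in the thread; the surrounding structure is fixed, only the
// escaped DN varies.
std::string buildAdPasswdFilter(const std::string& groupDn) {
    return "filter passwd (&(objectClass=user)(!(objectClass=computer))(memberOf:" +
           std::string(kMatchingRuleInChain) + ":=" + escapeFilterValue(groupDn) +
           "))";
}
```

The escaping step matters as soon as the group DN comes from configuration rather than a compile-time constant: a DN with an RFC 4514-escaped comma such as `cn=Smith\, John,...` contains a backslash that must become `\5c` in filter syntax, and a stray `)` would otherwise terminate the `memberOf` assertion early.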

* Re: LDAP groups and roles mapping
  2022-01-10 14:12 LDAP groups and roles mapping Alexander A. Filippov
  2022-01-10 14:40 ` Paul Fertser
@ 2022-02-10 10:24 ` Alexander A. Filippov
  1 sibling, 0 replies; 5+ messages in thread
From: Alexander A. Filippov @ 2022-02-10 10:24 UTC (permalink / raw)
  To: openbmc

On Mon, Jan 10, 2022 at 05:12:46PM +0300, Alexander A. Filippov wrote:
> Our customers want LDAP group and role mapping to work not only by the primary
> group, but also by membership in one of these groups.
> And this requirement seems reasonable to me.
> 
> As I can see in the code of phosphor-user-manager, it can be easily solved by
> searching for the user name in the group members list that is already received by
> the `getgrnam` function. But I have doubts: wasn't this restriction done
> intentionally?
> 

I've pushed the fix for phosphor-user-manager that fixes the role determination
using group membership.

  https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/51114

--
Alexander

