* LDAP authentication is not working
@ 2020-05-19 10:05 Ratan Gupta
2020-05-19 15:21 ` Thomaiyar, Richard Marian
0 siblings, 1 reply; 3+ messages in thread
From: Ratan Gupta @ 2020-05-19 10:05 UTC (permalink / raw)
To: openbmc, richard.marian.thomaiyar
Hi Richard,
This is regarding the commit
https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125,
where "user without having redfish group user is not authenticated to
query the details, and login will fail".
As per the PAM authentication for the LDAP user, it gets the user details
through the pam_ldap module, which internally uses the standard Linux API
(getpwnam_r) to fetch the user details (like the group ID of the group
which the LDAP/local user is tied to).
Now once the user gets authenticated by the first PAM auth module, the second
auth module (pam_succeed_if.so) gets executed in the following order:
https://github.com/linux-pam/linux-pam/blob/c6bef96651ee861baf099a36f0cb1fd4d36669ca/libpam/pam_modutil_ingroup.c#L81
https://github.com/rhuitl/uClinuX/blob/master/lib/libpam/modules/pam_succeed_if/pam_succeed_if.c#L186
https://github.com/linux-pam/linux-pam/blob/955b3e2f100205be2db4358e9c812de2ae453b8e/libpam/pam_modutil_getgrnam.c#L56
getgrnam_r("groupname") will fetch the group ID of the given group name
in the following order (as per the configuration):
=> Local
=> LDAP
We created a new LDAP group named "redfish" in the LDAP server and put
the LDAP user under the newly created "redfish" group,
but that didn't help, as the same group is listed in both places (local, LDAP).
As I explained above, the local database will get prioritized over LDAP.
Hence there would be a failure. Now we have the following option:
Prioritize LDAP over local if LDAP is enabled, but in that case the same
problem will occur for the local user.
We have upstream tagging planned for this week, and with the commit
below LDAP is broken
(https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125).
Should we revert it, or do you have any plans?
Please let me know your thoughts.
Regards
Ratan Gupta
* Re: LDAP authentication is not working
From: Thomaiyar, Richard Marian @ 2020-05-19 15:21 UTC (permalink / raw)
To: Ratan Gupta, openbmc
Agree. As for LDAP users, we defined privilege-related mapping only and
not group-based authentication restriction. I think adding group-based
authentication for LDAP users immediately is not a good option, as it
must be done with agreement from everyone.
Quick solution is to skip the pam_succeed_if check if it is a local user
using the pam_localuser module, i.e. using the user_unknown condition to skip
pam_succeed_if, we can skip the group check for LDAP users and
still continue for local users.
Note: I am OK if you want to revert the fix immediately; I can roll out
the fix this weekend after testing.
Regards,
Richard
On 5/19/2020 3:35 PM, Ratan Gupta wrote:
> in the LDAP server and put the LDAP user under the newly created
> "redfish" group,
> but that didn't help, as the same group is listed in both places (local, LDAP).
>
> As I explained above, the local database will get prioritized over LDAP.
>
> Hence there would be a failure. Now we have the following option:
>
> Prioritize LDAP over local if LDAP is enabled, but in that case the same
> problem will occur for the local user.
>
> We have upstream tagging planned for this week, and with the commit
> below LDAP is broken
>
> (https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125).
>
>
> Should we revert it, or do you have any plans?
>
> Please let me know your thoughts.
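To make the two mechanisms discussed in this thread concrete (the files-before-LDAP lookup order that makes a same-named local group shadow the LDAP "redfish" group, and the pam_localuser/user_unknown skip proposed above), here is a constructed configuration excerpt. It is an added illustration, not the configuration shipped by OpenBMC or the fix submitted to Gerrit, and it assumes the service file name "webserver", the "common-auth" include, and that pam_localuser returns user_unknown for users absent from /etc/passwd, as the reply relies on.

```text
# /etc/nsswitch.conf (constructed excerpt)
# "files" is consulted before "ldap", so a group name that exists in both
# places resolves to the local entry and its local GID. getgrnam_r("redfish")
# therefore never returns the LDAP group, and pam_succeed_if's "ingroup"
# test fails for an LDAP user who is only a member of the LDAP group.
passwd:     files ldap
group:      files ldap

# /etc/pam.d/webserver (constructed example, not the project's own file)
# pam_localuser succeeds for users listed in /etc/passwd and returns
# user_unknown for everyone else. The control field maps that result to
# "skip the next 1 module", so the group check runs only for local users;
# an LDAP user falls straight through to the shared auth stack.
auth    [success=ok user_unknown=1 default=die]   pam_localuser.so
auth    required                                  pam_succeed_if.so user ingroup redfish
auth    include                                   common-auth
```

Note that "user_unknown=1" skips exactly one module, so any module inserted between pam_localuser and pam_succeed_if changes what gets skipped; keep the pair adjacent.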
* Re: LDAP authentication is not working
From: Thomaiyar, Richard Marian @ 2020-05-28 7:01 UTC (permalink / raw)
To: Ratan Gupta, openbmc
Hi Ratan,
I submitted a proper fix for the same:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/32883 (depends on
https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/32901).
Please verify the same and let me know your comments.
Regards,
Richard
On 5/19/2020 8:51 PM, Thomaiyar, Richard Marian wrote:
> Agree. As for LDAP users, we defined privilege-related mapping only and
> not group-based authentication restriction. I think adding group-based
> authentication for LDAP users immediately is not a good option, as it
> must be done with agreement from everyone.
>
> Quick solution is to skip the pam_succeed_if check if it is a local user
> using the pam_localuser module, i.e. using the user_unknown condition to skip
> pam_succeed_if, we can skip the group check for LDAP users and
> still continue for local users.
>
> Note: I am OK if you want to revert the fix immediately; I can roll
> out the fix this weekend after testing.
>
> Regards,
>
> Richard
>
>
> On 5/19/2020 3:35 PM, Ratan Gupta wrote:
>> in the LDAP server and put the LDAP user under the newly created
>> "redfish" group,
>> but that didn't help, as the same group is listed in both places (local, LDAP).
>>
>> As I explained above, the local database will get prioritized over LDAP.
>>
>> Hence there would be a failure. Now we have the following option:
>>
>> Prioritize LDAP over local if LDAP is enabled, but in that case the
>> same problem will occur for the local user.
>>
>> We have upstream tagging planned for this week, and with the commit
>> below LDAP is broken
>>
>> (https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125).
>>
>>
>> Should we revert it, or do you have any plans?
>>
>> Please let me know your thoughts.