* LDAP authentication is not working
@ 2020-05-19 10:05 Ratan Gupta
  2020-05-19 15:21 ` Thomaiyar, Richard Marian
  0 siblings, 1 reply; 3+ messages in thread
From: Ratan Gupta @ 2020-05-19 10:05 UTC (permalink / raw)
  To: openbmc, richard.marian.thomaiyar

Hi Richard,

This is regarding the commit 
https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125.

where "user without having redfish group user is not authenticated to 
query the details, and login will fail"

As per the PAM authentication, for the LDAP user it gets the user details 
through the pam_ldap module,
which internally uses the standard Linux API (getpwnam_r) to fetch the user 
details like (group id of the group
which the LDAP/Local user is tied to).

Now once the user gets authenticated by the first PAM auth module, the second 
auth module (pam_succeed_if.so) gets executed
in the following order:

https://github.com/linux-pam/linux-pam/blob/c6bef96651ee861baf099a36f0cb1fd4d36669ca/libpam/pam_modutil_ingroup.c#L81
https://github.com/rhuitl/uClinuX/blob/master/lib/libpam/modules/pam_succeed_if/pam_succeed_if.c#L186
https://github.com/linux-pam/linux-pam/blob/955b3e2f100205be2db4358e9c812de2ae453b8e/libpam/pam_modutil_getgrnam.c#L56

getgrnam_r("groupname") will fetch the group ID of the given group name 
in the following order (as per the configuration):
=> Local
=> LDAP

We created a new LDAP group named "redfish" in the LDAP server and put 
the LDAP user under the newly created "redfish" group,
but that didn't help, as the same group is listed in both places (Local, LDAP).

As I explained above, the local database will get prioritized over LDAP.

Hence there would be a failure. Now we have the following option:

Prioritize LDAP over Local if LDAP is enabled, but in that case the same 
problem will occur for the local user.

We have upstream tagging planned for this week, and with the commit 
below LDAP is broken

(https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125)

Should we revert it or do you have any plans?

Please let me know your thoughts.

Regards
Ratan Gupta


* Re: LDAP authentication is not working
  2020-05-19 10:05 LDAP authentication is not working Ratan Gupta
@ 2020-05-19 15:21 ` Thomaiyar, Richard Marian
  2020-05-28  7:01   ` Thomaiyar, Richard Marian
  0 siblings, 1 reply; 3+ messages in thread
From: Thomaiyar, Richard Marian @ 2020-05-19 15:21 UTC (permalink / raw)
  To: Ratan Gupta, openbmc

Agree. As for the LDAP user, we defined privilege-related mapping only and 
not a group-based authentication restriction. I think adding group-based 
authentication for LDAP users immediately is not a good option, as it 
must be done with agreement from everyone.

A quick solution is to skip the pam_succeed_if check if it is a local user, 
using the pam_localuser module, i.e. using the user_unknown condition to skip 
pam_succeed_if, we can skip the group check for LDAP users and 
still continue for local users.

Note: I am OK if you want to revert the fix immediately; I can roll out 
the fix this weekend after testing.

Regards,

Richard


On 5/19/2020 3:35 PM, Ratan Gupta wrote:
> in the LDAP server and put the LDAP user under the newly created 
> "redfish" group,
> but that didn't help, as the same group is listed in both places (Local, LDAP).
>
> As I explained above, the local database will get prioritized over LDAP.
>
> Hence there would be a failure. Now we have the following option:
>
> Prioritize LDAP over Local if LDAP is enabled, but in that case the same 
> problem will occur for the local user.
>
> We have upstream tagging planned for this week, and with the commit 
> below LDAP is broken
>
> (https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125)
>
>
> Should we revert it or do you have any plans?
>
> Please let me know your thoughts.
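The skip Richard describes above (pam_localuser's user_unknown result jumping over pam_succeed_if), as an added example that is not part of this thread or of OpenBMC's code: a simplified walker over a PAM auth stack with mocked modules and constructed sample users, showing why every LDAP user fails the group check before the change and passes it after, while local users are still checked.

```python
# Added example, not code from the thread or from OpenBMC: a simplified PAM
# auth-stack walker showing how a "[user_unknown=1 ...]" control on pam_localuser
# lets pam_succeed_if run only for local users. Module behaviour is mocked.

# Constructed sample databases (hypothetical, not from a real BMC).
LOCAL_USERS = {"admin": {"redfish"}, "monitor": set()}   # user -> local groups
LDAP_USERS = {"ldapops": {"redfish"}}  # LDAP-side membership, never consulted

def pam_localuser(user):
    # Real module: PAM_SUCCESS if user is in /etc/passwd, else PAM_USER_UNKNOWN.
    return "success" if user in LOCAL_USERS else "user_unknown"

def pam_succeed_if_ingroup(user, group):
    # Real module resolves the group via getgrnam_r(); with NSS order "files ldap"
    # the local "redfish" entry wins, so LDAP_USERS is never seen. Model that here.
    return "success" if group in LOCAL_USERS.get(user, set()) else "auth_err"

def run_stack(stack, user):
    """Walk (control, module) entries. control maps a module return value (or
    "default") to "ok", "ignore", "bad", "die", or an int N = skip next N modules."""
    failed, i = False, 0
    while i < len(stack):
        control, module = stack[i]
        rc = module(user)
        action = control.get(rc, control.get("default", "bad"))
        i += 1
        if action == "die":          # fail immediately
            return False
        if action == "bad":          # remember the failure, keep walking
            failed = True
        elif isinstance(action, int):  # jump over the next N modules
            i += action
        # "ok" and "ignore" leave the accumulated result unchanged
    return not failed

# "required" is roughly [success=ok default=bad] (password modules omitted).
REQUIRED = {"success": "ok", "default": "bad"}
GROUP_CHECK = (REQUIRED, lambda u: pam_succeed_if_ingroup(u, "redfish"))

def auth_stack_before():
    # Group check applied to every user: LDAP users always fail (the breakage reported).
    return [GROUP_CHECK]

def auth_stack_after():
    # Local user -> success, fall through to the group check;
    # unknown (LDAP) user -> skip the next 1 module, so no group check.
    return [({"success": "ok", "user_unknown": 1, "default": "bad"}, pam_localuser),
            GROUP_CHECK]
```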


* Re: LDAP authentication is not working
  2020-05-19 15:21 ` Thomaiyar, Richard Marian
@ 2020-05-28  7:01   ` Thomaiyar, Richard Marian
  0 siblings, 0 replies; 3+ messages in thread
From: Thomaiyar, Richard Marian @ 2020-05-28  7:01 UTC (permalink / raw)
  To: Ratan Gupta, openbmc


Hi Ratan,

Submitted a proper fix for the same:

https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/32883 (depends on 
https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/32901). 
Please verify the same and let me know your comments.

Regards,

Richard

On 5/19/2020 8:51 PM, Thomaiyar, Richard Marian wrote:
> Agree. As for the LDAP user, we defined privilege-related mapping only and 
> not a group-based authentication restriction. I think adding group-based 
> authentication for LDAP users immediately is not a good option, as it 
> must be done with agreement from everyone.
>
> A quick solution is to skip the pam_succeed_if check if it is a local user, 
> using the pam_localuser module, i.e. using the user_unknown condition to skip 
> pam_succeed_if, we can skip the group check for LDAP users and 
> still continue for local users.
>
> Note: I am OK if you want to revert the fix immediately; I can roll 
> out the fix this weekend after testing.
>
> Regards,
>
> Richard
>
>
> On 5/19/2020 3:35 PM, Ratan Gupta wrote:
>> in the LDAP server and put the LDAP user under the newly created 
>> "redfish" group,
>> but that didn't help, as the same group is listed in both places (Local, LDAP).
>>
>> As I explained above, the local database will get prioritized over LDAP.
>>
>> Hence there would be a failure. Now we have the following option:
>>
>> Prioritize LDAP over Local if LDAP is enabled, but in that case the 
>> same problem will occur for the local user.
>>
>> We have upstream tagging planned for this week, and with the commit 
>> below LDAP is broken
>>
>> (https://github.com/openbmc/bmcweb/commit/cd17b26c893ba9dd1dcb0d56d725f2892c57e125)
>>
>>
>> Should we revert it or do you have any plans?
>>
>> Please let me know your thoughts.

