openbmc.lists.ozlabs.org archive mirror
* OpenBMC LDAP server configuration assistance
@ 2020-09-09 16:32 Gerhart, Donnie
  2020-09-10 13:53 ` Thomaiyar, Richard Marian
  0 siblings, 1 reply; 8+ messages in thread
From: Gerhart, Donnie @ 2020-09-09 16:32 UTC (permalink / raw)
  To: openbmc, richard.marian.thomaiyar
  Cc: Mugunda, Chandra, Cockrell, Trevor, Giles, Joshua


Hello OpenBMC Community\SMEs,

We are investigating LDAP functionality on the 2.8 ‘top of tree’ build; however, we are having some issues I believe you can help with straight away.  Some of the many real failures we’ve encountered are:

  *   Bricked system due to locking out all users
  *   ldap_result() failed:  Can’t contact LDAP server
     *   Believe we’ve fixed this one
  *   Logins are restricted to the group priv-admin of but user ‘testuser’ is not a member
  *   Pam_authenticate() failed, rc=7, Authentication failure
  *   Bad PAM password attempt for ‘testuser’ from: <LDAP server IP>

Some of these issues we’ve worked through; however, some are still dogging us.  To that end, can someone possibly list\post a basic LDAP server LDIF file with a single user, privilege role and group mapping that you’ve successfully used with OpenBMC?  We assume we are stuck on some trivial LDAP server topology anomaly that is completely escaping us at the moment.

As an fyi we have looked at:

  1.  Gone through everything obviously ‘ldap’ in the mailing lists:  https://lists.ozlabs.org/pipermail/openbmc/
  2.  Looked at OpenBMC learning series:  https://github.com/openbmc/openbmc/wiki/Presentations
  3.  Gone through the documents here:  https://github.com/openbmc/docs/blob/master/architecture/user-management.md
  4.  Looked at ldap tests and server:  https://github.com/openbmc/openbmc-test-automation
  5.  Spent more time tweaking Linux files and creating ldap server configs than I care to admit 😊

BIG thanks in advance!

Best,
Donnie



* Re: OpenBMC LDAP server configuration assistance
  2020-09-09 16:32 OpenBMC LDAP server configuration assistance Gerhart, Donnie
@ 2020-09-10 13:53 ` Thomaiyar, Richard Marian
  2020-09-11 19:14   ` Gerhart, Donnie
  0 siblings, 1 reply; 8+ messages in thread
From: Thomaiyar, Richard Marian @ 2020-09-10 13:53 UTC (permalink / raw)
  To: Gerhart, Donnie, openbmc, ratagupt, gkeishin
  Cc: Mugunda, Chandra, Giles, Joshua, Cockrell, Trevor


Hi Donnie,

Didn't test it in the latest tree, but you already cross-verified this 
right --> 
https://github.com/openbmc/openbmc-test-automation/blob/master/redfish/account_service/test_ldap_configuration.robot

++ Ratan & George.

Regards,

Richard

On 9/9/2020 10:02 PM, Gerhart, Donnie wrote:
>
> Hello OpenBMC Community\SMEs,
>
> We are investigating LDAP functionality on the 2.8 ‘top of tree’ 
> build; however, we are having some issues I believe you can help with 
> straight away.  Some of the many real failures we’ve encountered are:
>
>   * Bricked system due to locking out all users
>
<Richard> You mean to say even the `root` user is locked out? Is this OpenBMC 
repo master, or have you made more changes? By default user lockout is disabled, 
and it still won't lock the root user, to avoid a DoS attack.
>
>   * ldap_result() failed:  Can’t contact LDAP server
>       o Believe we’ve fixed this one
>
<Richard> Hope this was an LDAP configuration issue you faced, and not 
related to OpenBMC code as such.
>
>   * Logins are restricted to the group priv-admin of but user
>     ‘testuser’ is not a member
>
<Richard>: Is this failure due to SSH login? SSH won't make use 
of LDAP privilege mapping. You may need to change 
https://github.com/openbmc/meta-phosphor/blob/master/recipes-core/dropbear/dropbear/dropbear.default 
if you need LDAP testing in SSH.

Have you tried bmcweb LDAP login? Were you able to succeed in that?

>   * Pam_authenticate() failed, rc=7, Authentication failure
>   * Bad PAM password attempt for ‘testuser’ from: <LDAP server IP>
>
> Some of these issues we’ve worked through; however, some are still 
> dogging us.  To that end, can someone possibly list\post a basic LDAP 
> server LDIF file with a single user, privilege role and group mapping 
> that you’ve successfully used with OpenBMC?  We assume we are stuck on 
> some trivial LDAP server topology anomaly that is completely escaping 
> us at the moment.
>
> As an fyi we have looked at:
>
>  1. Gone through everything obviously ‘ldap’ in the mailing lists:
>     https://lists.ozlabs.org/pipermail/openbmc/
>  2. Looked at OpenBMC learning series:
>     https://github.com/openbmc/openbmc/wiki/Presentations
>  3. Gone through the documents here:
>     https://github.com/openbmc/docs/blob/master/architecture/user-management.md
>  4. Looked at ldap tests and server:
>     https://github.com/openbmc/openbmc-test-automation
>  5. Spent more time tweaking Linux files and creating ldap server
>     configs than I care to admit 😊
>
> BIG thanks in advance!
>
> Best,
>
> Donnie
>


* RE: OpenBMC LDAP server configuration assistance
  2020-09-10 13:53 ` Thomaiyar, Richard Marian
@ 2020-09-11 19:14   ` Gerhart, Donnie
  2020-09-21  4:31     ` Thomaiyar, Richard Marian
  0 siblings, 1 reply; 8+ messages in thread
From: Gerhart, Donnie @ 2020-09-11 19:14 UTC (permalink / raw)
  To: Thomaiyar, Richard Marian, openbmc, ratagupt, gkeishin
  Cc: Mugunda, Chandra, Giles, Joshua, Cockrell, Trevor


Hey Richard/Folks,

Thanks for reaching out.  We really appreciate it.

Per usual, shortly after we hit send, we found a GID anomaly; once it was corrected, everything OpenBMC LDAP connected up and logged in nicely.

To keep others from spinning in such an anomaly, we’d be more than happy to post (ourselves or through you) a simple Ldap diff (LDIF) file containing a small working joe and jane LDAP server config.  The two places we thought such an example might be valuable are the phosphor user manager arch documentation and/or the LDAP test in openbmc-test-automation, but we are happy to defer to your guidance regarding same.  Let us know your thoughts and we can post or provide the applicable file straight away.

Thanks again!

Best,
Donnie



* Re: OpenBMC LDAP server configuration assistance
  2020-09-11 19:14   ` Gerhart, Donnie
@ 2020-09-21  4:31     ` Thomaiyar, Richard Marian
  2020-09-21 14:29       ` Ratan Gupta
  0 siblings, 1 reply; 8+ messages in thread
From: Thomaiyar, Richard Marian @ 2020-09-21  4:31 UTC (permalink / raw)
  To: Gerhart, Donnie, openbmc, ratagupt, gkeishin
  Cc: Mugunda, Chandra, Giles, Joshua, Cockrell, Trevor


Hi Donnie,

Yes, please go ahead and create a cheatsheet for LDAP configuration.

Regards,

Richard


* Re: OpenBMC LDAP server configuration assistance
  2020-09-21  4:31     ` Thomaiyar, Richard Marian
@ 2020-09-21 14:29       ` Ratan Gupta
  2020-09-21 14:29         ` Ratan Gupta
  2020-09-28 15:05         ` Cockrell, Trevor
  0 siblings, 2 replies; 8+ messages in thread
From: Ratan Gupta @ 2020-09-21 14:29 UTC (permalink / raw)
  To: Thomaiyar, Richard Marian, Gerhart, Donnie, openbmc, gkeishin
  Cc: Mugunda, Chandra, Giles, Joshua, Cockrell, Trevor


Hi Donnie,

We didn't create the cheatsheet for LDAP server configuration; we 
thought there was enough documentation on the net to configure the 
LDAP server.

But it is good to have this documentation. Are you doing it for openLDAP 
or for Active Directory also?

I thought George & team had this when I was working with him.

Ratan



* RE: OpenBMC LDAP server configuration assistance
  2020-09-21 14:29       ` Ratan Gupta
  2020-09-21 14:29         ` Ratan Gupta
@ 2020-09-28 15:05         ` Cockrell, Trevor
  2020-09-29  7:13           ` Ratan Gupta
  1 sibling, 1 reply; 8+ messages in thread
From: Cockrell, Trevor @ 2020-09-28 15:05 UTC (permalink / raw)
  To: Ratan Gupta, Thomaiyar, Richard Marian, Gerhart, Donnie, openbmc,
	gkeishin
  Cc: Mugunda, Chandra, Giles, Joshua

Hey Ratan, Richard,

The issue that we ran into when using openLDAP was a small but key bit of configuration that I personally did not see on the web – the gidNumber property of a posix user/group.

The below documentation/notes (currently just for openLDAP) I have from my investigation would have helped us get to the root of our problem much quicker.
It might be beneficial to others to add this or something similar enough that clarifies the gidNumber requirements into the Phosphor User Manager README. If not, would there be a better place?
I could adjust/edit or I can leave it to you. 😊

Thanks!
Trevor Cockrell


User ‘John’ was created with the ldif below for an ldap server ‘example.com’:
dn: uid=John,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: John
uid: John
uidNumber: 1024
gidNumber: 100
homeDirectory: /home/John
loginShell: /bin/bash
gecos: John
userPassword: {crypt}x
shadowLastChange: -1
shadowMax: -1
shadowWarning: -1

In order for John to access any WebUI or redfish implementation, he must then be organized into a posix group with gidNumber 1004. This is because OpenBMC performs a group check for redfish on any user attempting redfish or WebUI interaction methods. The posix group was created with the following ldif:
dn: cn=redfish,dc=example,dc=com
cn: redfish
objectClass: posixGroup
objectClass: top
gidNumber: 1004
memberUid: John

The name of the posix group does not matter – only the gidNumber, which is set to 1004 (locally ‘redfish’ on the OpenBMC). The field memberUid maps John into the redfish group, allowing him access to both the WebUI and redfish methods of interacting with OpenBMC.

If desired, John can also be placed in the posix group ‘priv-admin’ with gidNumber 1000, granting him SSH access to the system. Privilege mapping does not affect the ability of a user in group 1000 to access the OpenBMC via SSH.

With a user placed in a group, a privilege mapping must then be assigned. The above gidNumber 100 relates to the group ‘users’ on the local OpenBMC machine. When the mapping is assigned, any users within the mapped gidNumber will have the privilege level that has been mapped to their group. For example, if Jane were to be assigned gidNumber 100, she would have the same privileges as John. The privilege mapping must have the same name as the group referenced by the gidNumber. In this case, the role mapping must be explicitly for ‘users’. If there is no mapping assigned, connection via redfish is refused while the WebUI allows login with no interaction.


From: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Sent: Monday, September 21, 2020 9:29 AM
To: Thomaiyar, Richard Marian; Gerhart, Donnie; openbmc@lists.ozlabs.org; gkeishin@in.ibm.com
Cc: Mugunda, Chandra; Giles, Joshua; Cockrell, Trevor
Subject: Re: OpenBMC LDAP server configuration assistance


[EXTERNAL EMAIL]

Hi Donnie,

We didn't create the cheatsheet for ldap server configuration, we thought the enough documentation is there on the net to configure the ldap server.

But it is good to have this documentation, Are you doing it for openLDAP or the Active Directory also?

I thought George & team was having this when I was working with him.

Ratan
On 9/21/20 10:01 AM, Thomaiyar, Richard Marian wrote:
Hi Donnie, Yes, Please go ahead and create Cheatsheet for LDAP configuration....
This Message Is From an External Sender
This message came from outside your organization.

Hi Donnie,

Yes, Please go ahead and create Cheatsheet for LDAP configuration.

Regards,

Richard
On 9/12/2020 12:44 AM, Gerhart, Donnie wrote:
Hey Richard/Folks,

Thanks for reaching out.  We really appreciate it.

Per usual, shortly after we hit send, we found a GID anomaly that once corrected everything OpenBMC LDAP connected up and logged in nicely.

To keep others from spinning in such an anomaly we’d be more than happy to post (ourselves or through you) a simple Ldap diff (LDIF) file containing a small working joe and jane LDAP server config.  The two places we thought such an example might valuable are phosphor user manager arch documentation and/or the LDAP test in openbmc-test-automation but we are happy to defer to your guidance regarding same.  Let us know your thoughts and we can post or provide the applicable file straight away.

Thanks again!

Best,
Donnie


From: Thomaiyar, Richard Marian <richard.marian.thomaiyar@linux.intel.com><mailto:richard.marian.thomaiyar@linux.intel.com>
Sent: Thursday, September 10, 2020 8:53 AM
To: Gerhart, Donnie; openbmc@lists.ozlabs.org<mailto:openbmc@lists.ozlabs.org>; ratagupt@linux.vnet.ibm.com<mailto:ratagupt@linux.vnet.ibm.com>; gkeishin@in.ibm.com<mailto:gkeishin@in.ibm.com>
Cc: Mugunda, Chandra; Giles, Joshua; Cockrell, Trevor
Subject: Re: OpenBMC LDAP server configuration assistance


[EXTERNAL EMAIL]
Hi Donnie,

Didn't tested it in latest tree, but you already cross verified this right --> https://github.com/openbmc/openbmc-test-automation/blob/master/redfish/account_service/test_ldap_configuration.robot

++ Ratan & George.

Regards,

Richard
On 9/9/2020 10:02 PM, Gerhart, Donnie wrote:
Hello OpenBMC Community\SMEs,

We are investigating LDAP functionality on the 2.8 ‘top of tree’ build; however, we are having some issues I believe you can help with straight away.  Some of the many real failures we’ve encountered are:

  *   Bricked system due to locking out all users
<Richard> You meant to say even `root` user is locked out is OpenBMC repo master or made more changes. By default user lock out is disabled, and still won't lock root user to avoid DOS attack.

  *   Ladap_result() failed:  Can’t contact LDAP server

     *   Believe we’ve fixed this one
<Richard> Hope this as LDAP configuration issue you faced, and not related to OpenBMC code as such.



  *   Logins are restricted to the group priv-admin of but user ‘testuser’ is not a member

<Richard>: Is this failure due to SSH login. Because SSH won't make use of ldap privilege mapping. You may need to change https://github.com/openbmc/meta-phosphor/blob/master/recipes-core/dropbear/dropbear/dropbear.default if needs LDAP testing in SSH.

Have you tried bmcweb LDAP login ? Whether you are able to succeed in that ?

  *   Pam_authenticate() failed, rc=7, Authentication failure
  *   Bad PAM password attempt for ‘testuser’ from: <LDAP server IP>

Some of these issues we’ve worked through; however, some are still dogging us.  To that end, can someone possibly list\post a basic LDAP server LDIF file with a single user, privilege role and group mapping that you’ve successfully used with OpenBMC?  We assume we are stuck on some trivial LDAP server topology anomaly that is completely escaping us at the moment.

As an fyi we have looked at:

  1.  Gone through everything obviously ‘ldap’ in the mailing lists:  https://lists.ozlabs.org/pipermail/openbmc/
  2.  Looked at OpenBMC learning series:  https://github.com/openbmc/openbmc/wiki/Presentations
  3.  Gone through the documents here:  https://github.com/openbmc/docs/blob/master/architecture/user-management.md
  4.  Looked at ldap tests and server:  https://github.com/openbmc/openbmc-test-automation
  5.  Spent more time tweaking Linux files and creating ldap server configs that I care to admit 😊

BIG thanks in advance!

Best,
Donnie



* Re: OpenBMC LDAP server configuration assistance
  2020-09-28 15:05         ` Cockrell, Trevor
@ 2020-09-29  7:13           ` Ratan Gupta
  0 siblings, 0 replies; 8+ messages in thread
From: Ratan Gupta @ 2020-09-29  7:13 UTC (permalink / raw)
  To: Cockrell, Trevor, Thomaiyar, Richard Marian, Gerhart, Donnie,
	openbmc, gkeishin
  Cc: Mugunda, Chandra, Giles, Joshua


Hi Trevor,

You can have the doc under phosphor-user-manager for configuring the LDAP 
server.

Ratan Gupta

On 9/28/20 8:35 PM, Cockrell, Trevor wrote:
> Hey Ratan, Richard,
>
> The issue that we ran into when using openLDAP was a small but key bit 
> of configuration that I personally did not see on the web – the 
> gidNumber property of a posix user/group.
>
> The below documentation/notes (currently just for openLDAP) I have 
> from my investigation would have helped us get to the root of our 
> problem much quicker.
>
> It might be beneficial to others to add this or something similar 
> enough that clarifies the gidNumber requirements into the Phosphor 
> User Manager README. If not, would there be a better place?
>
> I could adjust/edit or I can leave it to you. 😊
>
> Thanks!
>
> Trevor Cockrell
>
> User ‘John’ was created with the ldif below for an ldap server 
> ‘example.com’:
>
> dn: uid=John,dc=example,dc=com
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> cn: John
> uid: John
> uidNumber: 1024
> gidNumber: 100
> homeDirectory: /home/John
> loginShell: /bin/bash
> gecos: John
> userPassword: {crypt}x
> shadowLastChange: -1
> shadowMax: -1
> shadowWarning: -1
>
> In order for John to access any WebUI or redfish implementation, he 
> must then be organized into a posix group with gidNumber 1004. This is 
> because OpenBMC performs a group check for redfish on any user 
> attempting redfish or WebUI interaction methods. The posix group was 
> created with the following ldif:
>
> dn: cn=redfish,dc=example,dc=com
> cn: redfish
> objectClass: posixGroup
> objectClass: top
> gidNumber: 1004
> memberUid: John
>
> The name of the posix group does not matter – only the gidNumber which 
> is set to 1004, locally ‘redfish’ on the OpenBMC. Field memberUid maps 
> John into the redfish group, allowing him access to both the WebUI and 
> redfish methods of interacting with OpenBMC.
>
> If desired, John can also be placed in posix-group ‘priv-admin’ with 
> gidNumber 1000, granting him SSH access to the system. Privilege 
> mapping does not affect the ability of a user in group 1000 to access 
> the OpenBMC via SSH.
>
> With a user placed in a group, a privilege mapping must then be 
> assigned. The above gidNumber 100 relates to group ‘users’ on the 
> local OpenBMC machine. When the mapping is assigned, any users within 
> the mapped gidNumber will have the privilege level that has been 
> mapped to their group. For example, if Jane were to be assigned 
> gidNumber 100 she would have the same privileges as John. The 
> privilege mapping must have the same name as the group referenced by 
> the gidNumber. In this case, the role mapping must be explicitly for 
> ‘users’. If there is no mapping assigned, connection via redfish is 
> refused while the WebUI allows login with no interaction.
>
> *From:* Ratan Gupta <ratagupt@linux.vnet.ibm.com>
> *Sent:* Monday, September 21, 2020 9:29 AM
> *To:* Thomaiyar, Richard Marian; Gerhart, Donnie; 
> openbmc@lists.ozlabs.org; gkeishin@in.ibm.com
> *Cc:* Mugunda, Chandra; Giles, Joshua; Cockrell, Trevor
> *Subject:* Re: OpenBMC LDAP server configuration assistance
>
> [EXTERNAL EMAIL]
>
> Hi Donnie,
>
> We didn't create the cheatsheet for LDAP server configuration; we 
> thought there was enough documentation on the net to configure the 
> LDAP server.
>
> But it is good to have this documentation. Are you doing it for 
> openLDAP or Active Directory also?
>
> I thought George & team were having this when I was working with him.
>
> Ratan
>
> On 9/21/20 10:01 AM, Thomaiyar, Richard Marian wrote:
>
>     Hi Donnie,
>
>     Yes, Please go ahead and create Cheatsheet for LDAP configuration.
>
>     Regards,
>
>     Richard
>
>     On 9/12/2020 12:44 AM, Gerhart, Donnie wrote:
>
>         Hey Richard/Folks,
>
>         Thanks for reaching out.  We really appreciate it.
>
>         Per usual, shortly after we hit send, we found a GID anomaly
>         that, once corrected, had everything OpenBMC LDAP connecting
>         up and logging in nicely.
>
>         To keep others from spinning in such an anomaly we’d be more
>         than happy to post (ourselves or through you) a simple Ldap
>         diff (LDIF) file containing a small working joe and jane LDAP
>         server config.  The two places we thought such an example
>         might be valuable are phosphor user manager arch documentation
>         and/or the LDAP test in openbmc-test-automation but we are
>         happy to defer to your guidance regarding same.  Let us know
>         your thoughts and we can post or provide the applicable file
>         straight away.
>
>         Thanks again!
>
>         Best,
>
>         Donnie

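As an added check that is not part of the thread or of phosphor-user-manager, the script below applies the rules Trevor lays out above to an LDIF export: a user needs to be memberUid of a posixGroup with gidNumber 1004 for WebUI/Redfish, gidNumber 1000 for SSH, and a privilege mapping named after the local group of the user's own gidNumber, without which Redfish refuses the login while the WebUI still lets it through. The minimal parser, the gidNumber-to-local-group table and the role-mapping dict are assumptions that stand in for the real BMC configuration.

```python
from collections import defaultdict

# gidNumber -> local OpenBMC group name (from the notes above); SAMPLE_LDIF is a
# constructed copy of the John account and the gidNumber-1004 group posted there.
LOCAL_GROUPS = {100: "users", 1000: "priv-admin", 1004: "redfish"}
SAMPLE_LDIF = """\
dn: uid=John,dc=example,dc=com
objectClass: posixAccount
uid: John
gidNumber: 100

dn: cn=redfish,dc=example,dc=com
objectClass: posixGroup
gidNumber: 1004
memberUid: John
"""

def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attr: [values]}}; handles folded lines."""
    entries, block = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and block:     # RFC 2849 line folding
            block[-1] += raw[1:]
        elif raw.strip():
            block.append(raw)
        elif block:                            # blank line closes the entry
            attrs = defaultdict(list)
            for key, _, value in (l.partition(":") for l in block if l[0] != "#"):
                attrs[key.strip()].append(value.strip())
            entries[attrs["dn"][0]] = dict(attrs)
            block = []
    return entries

def check_access(entries, uid, role_mappings):
    """Rules from the thread: gid 1004 for WebUI/Redfish, gid 1000 for SSH, and a
    privilege mapping named after the local group of the user's primary gidNumber."""
    user = next((e for e in entries.values()
                 if "posixAccount" in e.get("objectClass", []) and e.get("uid") == [uid]), None)
    if user is None:
        return {"webui": False, "redfish": False, "ssh": False, "problems": ["no posixAccount for " + uid]}
    gids = {int(e["gidNumber"][0]) for e in entries.values()
            if "posixGroup" in e.get("objectClass", []) and uid in e.get("memberUid", [])}
    local = LOCAL_GROUPS.get(int(user["gidNumber"][0]))      # e.g. 100 -> 'users'
    role = role_mappings.get(local)                           # mapping configured on the BMC
    problems = []
    if 1004 not in gids:
        problems.append("not memberUid of a posixGroup with gidNumber 1004 (local 'redfish')")
    if role is None:
        problems.append("no privilege mapping for group %r; Redfish refuses the login" % local)
    return {"webui": 1004 in gids, "redfish": 1004 in gids and role is not None,
            "ssh": 1000 in gids, "problems": problems}
```

Running it with `role_mappings={}` reproduces the case Trevor describes: the WebUI check passes but Redfish is refused.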
Thread overview: 8+ messages
2020-09-09 16:32 OpenBMC LDAP server configuration assistance Gerhart, Donnie
2020-09-10 13:53 ` Thomaiyar, Richard Marian
2020-09-11 19:14   ` Gerhart, Donnie
2020-09-21  4:31     ` Thomaiyar, Richard Marian
2020-09-21 14:29       ` Ratan Gupta
2020-09-21 14:29         ` Ratan Gupta
2020-09-28 15:05         ` Cockrell, Trevor
2020-09-29  7:13           ` Ratan Gupta