| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Specifies the credentials with which to bind. Implementation should
consider changing the permissions of the underlying file to
only grant access to the root user.
This property value should not be reflected on the D-Bus object itself.
Implementation can use the given value and update the service
implementing the LDAP client. This is just to facilitate the support
for changing the bind DN password if needed.
Currently this property is over D-Bus. There are security concerns
for the same, but once we find a better way to update the LDAP password
we would fix it.
Change-Id: I69a4334134c0567d67be4b0071a80b7c9977316e
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
Password interface is not used anymore for security reasons.
All password updates have to happen over pam_chauthtok().
Change-Id: Ibbe18509d159a07639f97a3ec4e5e634fd12bc5f
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
| |
This commit enables the changes for the commit
e5c0eef46a4fc09256332bf3afe699d60aaebbb3.
The backend changes are done through the following commit
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-user-manager/+/18552/
Change-Id: I3a8069b8bfb7947371084892875a282413b4c749
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
As local and remote users are managed by separate daemons, it is difficult
for applications to query and get the user authorization.
In order to simplify it at the application level, a one-stop D-Bus API
method was proposed which will be used by all applications
(irrespective of local / remote user) except IPMI.
This simplifies the application side. The same is documented in
https://github.com/openbmc/docs/blob/master/user_management.md#authorization-flow-except-ipmi
This method returns a dictionary of user properties.
UserPrivilege -> privilege of the user
UserGroups -> list of groups this user belongs to
UserEnabled -> user enabled state
UserLockedForFailedAttempt -> user locked state
RemoteUser -> remote or local user
This commit has the GetUserInfo D-Bus API implementation:
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-user-manager/+/18132/
Change-Id: Idbf933447dcf98623cf1f29606d24ea69ec44971
Signed-off-by: raviteja-b <raviteja28031990@gmail.com>
| |
This reverts commit e5c0eef46a4fc09256332bf3afe699d60aaebbb3.
The backend is not ready for this.
Change-Id: I1ed768f904e9297407996a8e92d8105b636dd172
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
| |
User can provide these properties to configure the LDAP.
UsernameAttribute:
In certain LDAP servers the userid is "cn" and in other LDAP
servers it becomes "uid".
GroupNameAttribute:
In certain LDAP servers the groupid is gid and in other LDAP
servers it is PrimaryGroupID etc.
Both properties exist in the LDAP server and the admin of the LDAP
server can opt for any property to specify the userID,
and the same is true for other properties (GroupName).
It is aligned with Redfish also.
https://redfish.dmtf.org/schemas/AccountService.v1_3_1.json
Change-Id: I3689d03bd80f62cc26fe840a9176875499c87554
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
The interface sets the default value for an enum property to 0, which
causes the generated server.hpp file to contain code like:
SearchScope _lDAPSearchScope = SearchScope::0;
Fix it by specifying the enum value instead of 0.
Tested: Verify the generated code becomes as below and passes the build.
SearchScope _lDAPSearchScope = SearchScope::sub;
Change-Id: I509b6968d32dec38d1592103df9821b2fc99b5d6
Signed-off-by: Lei YU <mine260309@gmail.com>
| |
Setting properties in this interface could fail due to internal
failures.
Change-Id: I8bc84dcf105ece0f5322315d02dea7fa919444fc
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
Setting properties in this interface could fail due to internal
failures.
Change-Id: Ibec355b3d6adf5d46651e9d90aa542b9cde47a88
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
Secure property is not required as the URI itself tells whether the
configured LDAP is secure or not.
For a secure server, the URI would be ldaps://<hostname/ip> and for a nonsecure
LDAP server the URI would be ldap://<hostname/ip>
Change-Id: Ieb1b1466f0da8f6bb5695595fab8ec1e5b0e9075
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
| |
Remove LDAP Bind password from the Ldap.Config interface. It is
unnecessary and undesirable to store this password in a D-Bus object.
The Ldap.Create interface still accepts the Bind password, as before. If
an admin has to change the Ldap bind password, they'd need to recreate
the LDAP config.
Change-Id: Ie5a8002bed3fd8c57500af588d9b010190f5ff9b
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
| |
The Config interface and Create interface can throw a
"NoCACertificate" error.
For example: If the LDAP server's CA certificate is not provided and
someone tries to enable secure LDAP, this error should be thrown.
Change-Id: Ie773245fb7c6b36f25cd1acca2bfc3b0391dfeac
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
| |
The config interface can throw InternalFailure or
InvalidArgument errors.
Change-Id: Ida1a690e3b3137e621b27b788cfde28b7f31da5f
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
| |
The object path for the privilege mapper cannot have LDAP group name
in the path name. The D-Bus object path should only contain the ASCII
characters [A-Z][a-z][0-9]_. According to RFC 2253, the LDAP group name
can have additional special characters. A unique identifier is added to
the D-Bus object path and the group name is a property of the privilege
mapper.
Change-Id: If1c511bee7a492887eb45e7ce00fdfc55e98c073
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>
| |
This interface will be implemented to assign privilege roles to
groups. The privilege roles will be assigned to groups
and the user accounts which are part of the group will inherit
the privilege role.
Change-Id: I2326de5f7f3e6e92c2a0d7648a5677b33a0b1db0
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>
| |
It defines interfaces to create and to update the LDAP config file.
It defines two interfaces - one is to create a config file and
the other one is to allow updates to happen to individual
properties.
Change-Id: I2f8182ad6d6d6945650d6ff0865c40106973fdec
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
| |
Configuration support for password and security
enforcement for user account under AccountPolicy
interface (which will manage global policies
related to accounts).
Change-Id: Icdea6d83654f9449088a6319f453788cb25ecfc2
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
| |
Basic User Manager D-Bus interfaces along
with signal to indicate other services.
Note: Removal of password.interfaces.yaml will be
done in separate commit
Change-Id: Ia547a0deae53eb25adf2cbc04c9d7a3593265a19
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
Change-Id: I9b23ebcae15e1feee0eb32c42b184c8a429e0977
Signed-off-by: Vishwanatha Subbanna <vishwa@linux.vnet.ibm.com>