Installs into bin instead of sbin per guidelines.
Signed-off-by: Patrick Venture <venture@google.com>
Change-Id: Ie3fd4aa21c2644b2673f80a17dee13819b6b546e
Password update is done through the pam_chauthtok() API,
and doesn't use SetPassword. Removing the unused code.
Tested-by: N/A.
Change-Id: I42a5b7c73bc2cb2404801df1c1cd057a94a1a924
Signed-off-by: Sumanth Bhat <sumanth.bhat@intel.com>
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
This property will control whether the LDAP service is
started or not.
We are persisting this property using cereal; other properties
are being persisted through nslcd.conf, and nslcd doesn't give us
a way to put this property under nslcd.conf.
Tested by:
Tested the persistency of the enabled property.
Verified that it was getting persisted across restart/reboot.
Change-Id: Id64b23b71865bac15d3be2d79abad615aa576bea
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
LDAP: Adding support for extra properties
Implement GetUserInfo function in phosphor-user-manager
Squashing the commits due to the phosphor-dbus-interfaces
dependency, as the interface gets merged and it requires an implementation,
so it is a deadlock for both the commits.
Implement GetUserInfo function in phosphor-user-manager
There was a need to have an API which returns the privilege for an LDAP user.
It was discussed in this commit
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/12027/
and it was decided to have a generic API.
- Checks if the user is a local user, then returns a map of properties of the
local user like user privilege, list of user groups, user enabled
state and user locked state.
- If it's not a local user, then it checks if it's an LDAP user,
then gets the privilege mapping for the LDAP group and returns it.
Tested by:
1) getUserInfo with a local user;
verify user details.
2) getUserInfo with an LDAP user having a privilege mapper
entry; verify user details.
3) getUserInfo with a non-existent user;
check for exception UserNameDoesNotExist.
Change-Id: I44af41953db60ff96b39498d72839c2ab64bc8bd
Signed-off-by: raviteja-b <raviteja28031990@gmail.com>
LDAP: Adding support for extra properties
This commit also decouples the LDAP service (nslcd) start
from each property update. Now there is a D-Bus property,
LDAP service enabled, which controls whether the LDAP
service will be restarted after each property update, so now the user
has an option to disable the LDAP service, do a multi-property
update and then enable the service again.
Tested by:
1) Create the config with the newly added properties.
Verify that it was getting reflected on the D-Bus object.
2) After making the change, restarted the ldap-conf service.
Verify that the new properties (usernameattr, groupnameattr) are correctly updated.
3) Authentication test.
Verify that LDAP authentication worked fine.
4) Set the enabled property to true.
Verify that it starts the nslcd service.
5) Set the enabled property to false.
Verify that it stops the nslcd.service.
6) Set the enabled property to true and change any other config property.
Verify that it starts the nslcd.service.
7) Set the enabled property to false, which stops the nslcd service,
and change any other config property.
Verify that it doesn't start the nslcd service.
Change-Id: Ie3ca04a2adbbb1fe113764199348c4f7ac67f648
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I682dda32c0482e0849289a70d5b3ffa624bb915d
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
I haven't written any code in this project, and I haven't been able
to allocate much time to peer review either, so it doesn't make any sense
for me to be a maintainer.
Richard and Ratan both have written code in PUM, been active in peer
review, and know a lot about the overall user management implementation
in OpenBMC. Richard and Ratan will both provide timely and quality
feedback to PUM contributors, so it makes a lot of sense for them to
co-maintain PUM in place of Brad.
Change-Id: I72b9c471f2c42b4b962de4ecc040d6c8489ee21f
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Use the defaults in the pkg check where the default error message is
sufficient to identify which package is missing.
Change-Id: I09cf1888ea4f41b5c22d18d72b169d2ca32fc339
Signed-off-by: Patrick Venture <venture@google.com>
pam_tally2 output restricts printing the user name to 15 characters.
This makes the extra precautionary user name comparison fail,
causing the system to fail inadvertently. Hence removed the
precautionary condition, as the user name is passed to pam_tally2
as an argument.
Unit test:
Added a user name of 16 characters or more and tried querying
the user locked for failed attempts, and got successful data.
Change-Id: I889c423324e53e4c554e9dce772a39f1843803b2
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Change-Id: I2d75a4f2e27f6e6640e8a16cc7834116b260f547
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>
Change-Id: I58cac8879f93ce49bfb654a1bf559d7f77b5b486
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>
This document presently has the various REST commands related to
configuration of LDAP on the BMC.
Change-Id: I0c1be4692b546bb591378f73bc992d6c742c3bc1
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
In the createconfig path the nslcd restart service is getting called twice
in a row, which is not needed.
Change-Id: Ib60d43110815758360aa6f0de0478ad784cf5a5a
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
There's just one nsswitch config file now (instead of a default, an
_linux and an _ldap). Make fixes in code relevant to this.
Change-Id: I92362aac7a1f5e034cea06e9299f7e574dc2fab9
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
tls_cacertfile specifies the path to the X.509 certificate for
peer authentication.
Also updated the file with "tls_reqcert hard", to force the
behavior: if no certificate is provided, or a bad certificate
is provided, the session is immediately terminated.
Tested: tested using the commands given below.
1.curl -c cjar -b cjar -k -H "Content-Type: application/json" -X POST -d \
'{"data":[true,"ldaps://<host_ip>/","cn=<user-id>,dc=Corp,dc=ibm,dc=com",\
"cn=Users,dc=Corp,dc=ibm,dc=com", "<password>",\
"xyz.openbmc_project.User.Ldap.Create.SearchScope.sub",\
"xyz.openbmc_project.User.Ldap.Create.Type.ActiveDirectory"] \
}' https://$BMC_IP/xyz/openbmc_project/user/ldap/action/CreateConfig
2.curl -b cjar -k -H "Content-Type: application/json" -X PUT -d '{"data":true}'\
https://$BMC_IP/xyz/openbmc_project/user/ldap/config/attr/SecureLDAP
3.curl -b cjar -k -H "Content-Type: application/json" -X PUT -d \
'{"data":"ldap://<host_ip>/"}' \
https://$BMC_IP/xyz/openbmc_project/ldap/config/attr/LDAPServerURI
When "/etc/ssl/certs/Root-CA.pem" doesn't exist on the target, we get the
exception given below (if we try to set SecureLDAP to true):
"DBusException: xyz.openbmc_project.Common.Error.NoCACertificate: \
Server's CA certificate has not been provided."
Change-Id: I56ffe8b08bb71307b4f2bfe9cf935b6113e4579a
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Added unit tests to create and to restore the config file.
Change-Id: Idf5231d46542cda1ff84241aa67aadd91a4788d6
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
By default nscd comes with nsswitch.conf; we had one more file for the
LDAP-specific version, and we copy the content from the LDAP nsswitch
to nsswitch.conf once the LDAP config object gets created/deleted.
We had some inconsistency during restarting of services, so thought of
clean logic where we would have two files, nsswitch_linux/nsswitch_ldap,
and when the LDAP config object gets created we copy nsswitch_ldap to
nsswitch.conf, and when it gets deleted we copy nsswitch_linux
to nsswitch.conf.
Change-Id: I5a0af3ec82dd08fc54c7423fda1a80509769872d
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
During the restore path (i.e. while the phosphor-ldap-conf service restarts), after
parsing the file, if any of the LDAP parameters (BindDN, BaseDN, URI) has
an empty value then don't create the LDAP config
object.
Before this commit the config object was not being created, but
it threw an unnecessary log in the journal due to creation
of an errorlog.
In the restore path we don't want the errorlog.
This commit fixes the problem of creating an unnecessary log in
the journal.
Change-Id: I074fe96a6c6382bc2d31e91df1275756b57c1045
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
A user residing on the openLDAP server has both the uid and the
cn attribute, so there is no need to map the uid with cn.
Change-Id: Ie1ef9798191831d0b532b310960115c5dd8a1b33
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
Update the config file with "filter group (objectclass=posixGroup)"
for OpenLDAP.
Change-Id: I4a0a4693294745391d58d7ee9158c75468637f36
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Validates given URI.
Also updates secureLDAP property based on given URI. If URI is of LDAPS type,
secureLDAP is set to true, else it is set to false.
Change-Id: If96495c01a8bd911d255267ffbbbff7f28fa070b
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
This is a reaction to the phosphor-dbus-interfaces changes given below:
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/14595/.
and
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/14718/
Change-Id: Id427d718b6fcc9b90dfb3bccb3b4cc665a107c46
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
If the bindDN password is being written in the file then
change the permission of the file to 640 so that it is
not world readable.
If the bindDN password is not written then the permission would
be 644, which is the default.
Change-Id: I567285ad75e18c2a38c37918d3d3a5e61b0b39ea
Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Add a "bindpw <password>" entry into the nslcd.conf file only
if the given password is not null.
Change-Id: Ifa4a90c6fd41d5b36c62328dcf3e9bfc38dd0ebb
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
[user_mgr.cpp:696]: (style) Throwing a copy of the caught exception
instead of rethrowing the original exception.
[user_mgr.cpp:923]: (style) Throwing a copy of the caught exception
instead of rethrowing the original exception.
[user_mgr.cpp:949]: (style) Throwing a copy of the caught exception
instead of rethrowing the original exception.
[user_mgr.cpp:974]: (style) Throwing a copy of the caught exception
instead of rethrowing the original exception.
[user_mgr.cpp:999]: (style) Throwing a copy of the caught exception
instead of rethrowing the original exception.
Change-Id: I57243acf997c248b38f52926c0a8dd525b32cc90
Signed-off-by: Patrick Venture <venture@google.com>
Support for user locked state property using
pam_tally2 application added.
Change-Id: Ia77ff6527c15c93ac272110950e99fff56dcbaa6
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Support for password & security enforcement configuration added.
Implements the D-Bus interface properties to read and configure
minimum password length, old password remember history, unlock
timeout and maximum login attempt.
Change-Id: I1a462a8a5d1f5dd07f3b594d62bd9c61bbdddb9c
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Validate the LDAP Server's URI, BaseDN and BindDN.
Change-Id: If754e17c238069e04c9e1e8735a28d54dbf221cb
TODO: Unit tests will be added in subsequent commits.
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
While creating LDAP configuration take a backup of existing config files
and restore them when LDAP configuration is disabled.
Change-Id: Id37138107311a56c5066bc66137a2d55e1e23099
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Implement the xyz.openbmc_project.Object.Delete interface
to delete LDAP config object.
Change-Id: Ia7413fd10c91ad5c79286fbe4a00740ced42aad6
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Upon startup, restore D-Bus properties from LDAP config file if
it exists.
Change-Id: I63b5a41eec8937ddbd5e8b4471936376602b6b0e
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
The application implements the xyz.openbmc_project.User.Ldap.Config
and xyz.openbmc_project.User.Ldap.Create D-Bus interfaces to create
the LDAP config file (for example, generate nslcd.conf).
Change-Id: Idc7cc643c4143f9bc51182019926e1dd6125da2f
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Change-Id: Ib8979a7c655f74c332d80e7fb221ef03e9a3f83c
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>
The application implements the xyz.openbmc_project.User.PrivilegeMapper
D-Bus interface to configure privilege levels for LDAP groups. The Create
method is used to create privilege mapping for the LDAP group. D-Bus
object is created for each LDAP group and implements the D-Bus interface
xyz.openbmc_project.User.PrivilegeMapperEntry.
Change-Id: I20935229a8a79ce1e52a857672a6a0085cb5ace4
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>
Update configure.ac to choose the C++17 standard.
Change-Id: I50e860687ee7b1e98c12f01e83acaad13c1fb2a9
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
Fix to include user id 0 in the users list of the user manager service.
This enables listing the users present in the /etc/passwd file
even if it is the root user with user id 0.
Unit test:
1. Made sure the phosphor-user-manager service loads successfully.
2. It listed the root user / any user already present in the /etc/passwd file.
Change-Id: I060d9581b7f433411e313b745d9d1b32e8680b7d
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
User home directory fixups, needed for SSH to work
properly. With this patch, a home directory is created
for all users created, and deleted when users are removed.
Test:
Performed user creation and deletion test cases and made sure
they are properly reflected in the user manager and in IPMI.
Change-Id: If7d79c67784191e0cccb3f6c22f4e191fd0bbc84
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
This fixes an issue which may end up adding "," to the groups
list when privilege is empty. Allow adding privilege to the
groups list only when it is not empty.
Change-Id: I42607c4835547eda4989f85521148a2716bedcb6
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Basic support for User Manager service methods
is implemented.
Change-Id: Id42432ec6dd421b99971268add931dcd70876f7c
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Adding Richard Thomaiyar as reviewer for phosphor-user-manager
repository.
Change-Id: Ief4f56ecdcc0455e865360937760256507648429
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Change-Id: I1e43c36c5590b95243bde0feeb04e3b525f9e88a
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Do not rely on randomString() for tempShadowFile, as it uses '/' in the random
set and causes a file creation error. Also, it's safe to use mkstemp to create
the temp shadow file with a random name suffixing the shadow file name.
Change-Id: I0b80cc6d7c002e732e22f660e50b0701acac15fe
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Fixes openbmc/openbmc#1714
Change-Id: I51964f16fc2ea733ee3b3ae822f72ac7b431189a
Signed-off-by: Vishwanatha Subbanna <vishwa@linux.vnet.ibm.com>
Change-Id: I78112212b0f436c6d3b05cb1f16015c2d6bb5089
Signed-off-by: Vishwanatha Subbanna <vishwa@linux.vnet.ibm.com>
Change-Id: Ida7c1aba6f17ac6f006f159d08e2638808f3a54c
Signed-off-by: Vishwanatha Subbanna <vishwa@linux.vnet.ibm.com>
The password field of a user in /etc/shadow contains 3 parts:
[Crypt algorithm, Salt, encrypted password].
Example: a value of "1" in the crypt algorithm maps to MD5.
Need to use the same crypt algorithm that was already used
before when the new password is to be updated.
Change-Id: Ib7d8e0ad6f3bcce30f5c2be89b4e033230c07bf4
Signed-off-by: Vishwanatha Subbanna <vishwa@linux.vnet.ibm.com>
Change-Id: I336078f5de8a16d3ffeef095c4067d652fea6512
Signed-off-by: Vishwanatha Subbanna <vishwa@linux.vnet.ibm.com>
Provides a minimal implementation of Password.interface.
Change-Id: I3041b6425b76f931dbb8d7e4b7d192e98d70aa23
Signed-off-by: Vishwanatha Subbanna <vishwa@linux.vnet.ibm.com>
Change-Id: I4f95a8baf9348d9ed9b7e8b6b53a7a4e538b045e
Signed-off-by: Vishwanatha Subbanna <vishwa@linux.vnet.ibm.com>