From: "Alexander A. Filippov" <a.filippov@yadro.com>
To: <openbmc@lists.ozlabs.org>
Subject: LDAP groups and roles mapping
Date: Mon, 10 Jan 2022 17:12:46 +0300
Message-ID: <Ydw+3uYSqK44CTHq@nbwork.lan>

Our customers want LDAP groups and roles mapping working not only by primary
group, but also by the membership in one of these groups.
And this requirement seems to me reasonable.

As I can see in the code of phosphor-user-manager, it can be easily solved by
searching for the user name in the group members list that is already received by the
`getgrnam` function. But I have doubts - wasn't this restriction done
intentionally?

And the second thing that seems to me wrong in the current state:
Any LDAP user can log in to the WebUI even if he isn't in one of the mapped
groups. Yes, he receives a lot of messages about unauthorized access in this
case, but some functionality is still available to him.
For example: KVM and SOL (it's the websocket's restriction).

It seems to me the best solution is adding the roles mapping check at the
PAM level and restricting access for users with the `no-access` role, which is the
default role. But it will look like code duplication because such a check
is still required in BMCWeb.

Maybe I'm missing something?

--
Alexander
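
Added example, not code from the thread or from phosphor-user-manager: a C++ sketch of the membership check the mail proposes. A user is treated as belonging to a mapped group when it is either the user's primary group (`pw_gid`) or the user name appears in that group's `gr_mem` list; a user in none of the mapped groups gets the default `no-access` role. The group names, role strings, mapping order and the in-memory directory are constructed for this example; `resolveRoleForUser` runs the same logic over the real `getpwnam`/`getgrnam` NSS calls.

```cpp
#include <grp.h>
#include <pwd.h>

#include <cstring>
#include <functional>
#include <initializer_list>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Ordered (group name, role) pairs; the first group the user belongs to wins.
// Role strings here are placeholders, not phosphor-user-manager's own names.
using GroupRoleMap = std::vector<std::pair<std::string, std::string>>;
// Group lookup hook so the logic can run against constructed data or NSS.
using GroupLookup = std::function<const struct group*(const std::string&)>;

static const char* const kDefaultRole = "no-access";

// A user belongs to a group if it is the primary group or the user name is
// listed in gr_mem, so membership is not limited to the primary gid.
bool isMember(const struct passwd& pw, const struct group& grp)
{
    if (pw.pw_gid == grp.gr_gid)
        return true;
    for (char** m = grp.gr_mem; m != nullptr && *m != nullptr; ++m)
        if (std::strcmp(*m, pw.pw_name) == 0)
            return true;
    return false;
}

std::string resolveRole(const struct passwd& pw, const GroupRoleMap& mapping,
                        const GroupLookup& lookup)
{
    for (const auto& entry : mapping)
    {
        const struct group* grp = lookup(entry.first);
        if (grp != nullptr && isMember(pw, *grp))
            return entry.second;
    }
    return kDefaultRole;
}

// Same logic over the live NSS database (LDAP via nss/sssd on a BMC).
// Not exercised by the test, which uses the constructed directory below.
std::string resolveRoleForUser(const std::string& userName,
                               const GroupRoleMap& mapping)
{
    const struct passwd* pw = getpwnam(userName.c_str());
    if (pw == nullptr)
        return kDefaultRole;
    std::string name = pw->pw_name; // copy out of glibc's static buffer
    struct passwd local{};
    local.pw_name = const_cast<char*>(name.c_str());
    local.pw_gid = pw->pw_gid;
    return resolveRole(local, mapping,
                       [](const std::string& g) { return getgrnam(g.c_str()); });
}

namespace sample
{
// Constructed directory standing in for LDAP: bmc-admins lists alice and bob
// as members; bmc-operators lists nobody, so only a primary gid of 2001 counts.
char* adminMembers[] = {const_cast<char*>("alice"), const_cast<char*>("bob"), nullptr};
char* noMembers[] = {nullptr};

struct group makeGroup(const char* name, gid_t gid, char** members)
{
    struct group g{};
    g.gr_name = const_cast<char*>(name);
    g.gr_gid = gid;
    g.gr_mem = members;
    return g;
}

const struct group* lookupGroup(const std::string& name)
{
    static struct group admins = makeGroup("bmc-admins", 2000, adminMembers);
    static struct group operators = makeGroup("bmc-operators", 2001, noMembers);
    if (name == "bmc-admins")
        return &admins;
    if (name == "bmc-operators")
        return &operators;
    return nullptr;
}
} // namespace sample

const GroupRoleMap kMapping = {{"bmc-admins", "admin"}, {"bmc-operators", "operator"}};

// Role for a user of the constructed directory: carol's primary group is
// bmc-operators (gid 2001); everyone else has the unmapped primary gid 1000.
std::string demoRole(const std::string& user)
{
    struct passwd pw{};
    pw.pw_name = const_cast<char*>(user.c_str());
    pw.pw_gid = (user == "carol") ? 2001 : 1000;
    return resolveRole(pw, kMapping, sample::lookupGroup);
}

int main()
{
    for (const char* u : {"alice", "bob", "carol", "dave"})
        std::cout << u << " -> " << demoRole(u) << '\n';
    return 0;
}
```

Two points worth noting when moving this onto a real BMC: when a user is in several mapped groups, the order of the mapping decides the role, so that order should be deliberate (most privileged first, or least, but chosen); and some NSS backends can be configured not to enumerate group members, in which case `gr_mem` comes back empty for large LDAP groups, so resolving the user's groups from the user side with `getgrouplist(3)` is the alternative to scanning `gr_mem`.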

Thread overview: 5+ messages
2022-01-10 14:12 Alexander A. Filippov [this message]
2022-01-10 14:40 ` LDAP groups and roles mapping Paul Fertser
2022-01-10 15:56   ` Alexander A. Filippov
2022-01-10 21:00     ` Paul Fertser
2022-02-10 10:24 ` Alexander A. Filippov
