cleanup sdbus CAMELCASE define

The transition from e6500a493a156dd58a92b384c77aef2cbd3addac is
complete, so clean up the old defines.

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id:

cleanup sdbus CAMELCASE define

The transition from e6500a493a156dd58a92b384c77aef2cbd3addac is
complete, so clean up the old defines.

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I016e6044eb3821c22cd568c75098b804cd2e02e9

show more ...

use new sdbus++ camelcase

Change I17a8d7479556596a3cf252b3f4eae9c8df547189 will change
how sdbus++ generates names which start with an acronym.
Prepare for this by keying off the SDBUSPP_NEW_CAMELCA

use new sdbus++ camelcase

Change I17a8d7479556596a3cf252b3f4eae9c8df547189 will change
how sdbus++ generates names which start with an acronym.
Prepare for this by keying off the SDBUSPP_NEW_CAMELCASE
define to use the new format.

Changes:
lDAP* -> ldap*

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Idc0c2f33974d684d311b329806cac1a6235edc02

show more ...

clang-format-11: reformat

The .clang-format file here is an old version of the common one.
Upgrade to the latest and reformat.

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I0d532a

clang-format-11: reformat

The .clang-format file here is an old version of the common one.
Upgrade to the latest and reformat.

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I0d532aa88d650e9c7664e07abfc8c4fdf0dd3df4

show more ...

c++17: drop experimental::filesystem

Use std::filesystem, and drop support for building with experimental
under c++14.

Tested: Build the repo.
Change-Id: I4af0d9c034dbfef5a65153ba5447b86c961aebf1
S

c++17: drop experimental::filesystem

Use std::filesystem, and drop support for building with experimental
under c++14.

Tested: Build the repo.
Change-Id: I4af0d9c034dbfef5a65153ba5447b86c961aebf1
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Avoid LDAP lookups for local groups

Currently we see LDAP lookups for all local groups with openLDAP
and Active Directory configuration.

this commit updates config with "nss_initgroups_ignoreusers

Avoid LDAP lookups for local groups

Currently we see LDAP lookups for all local groups with openLDAP
and Active Directory configuration.

this commit updates config with "nss_initgroups_ignoreusers ALLLOCAL"
this option filters out all LDAP lookups for all local groups.

update LDAP config with nss_initgroups_ignoreusers ALLLOCAL
while creating configuration for openLDAP and active directory.

Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
Change-Id: I547a59d4d26a087503375ce18d90e6492ec73103

show more ...

sdbusplus: replace message::variant with std::variant

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: If20545ad78b4b813e7bba0909c99fa7156a00c96

LDAP: add support for privilege priv-noaccess

This commit adds support to ldap privilege role map configuration
for 'priv-noaccess'

Signed-off-by: raviteja-b <raviteja28031990@gmail.com>
Change-Id:

LDAP: add support for privilege priv-noaccess

This commit adds support to ldap privilege role map configuration
for 'priv-noaccess'

Signed-off-by: raviteja-b <raviteja28031990@gmail.com>
Change-Id: Ia28da61ee3f3bad8e2e233efd220266586713f4d

show more ...

Remove priv-callback support

callback privilege must be used only with ipmi modem callback
connection. As OpenBMC doesn't support, and for other interfaces
this shouldn't allow the login, it has bee

Remove priv-callback support

callback privilege must be used only with ipmi modem callback
connection. As OpenBMC doesn't support, and for other interfaces
this shouldn't allow the login, it has been decided to deprecate
the priv-callback permanently. Refer
https://gerrit.openbmc-project.xyz/#/c/openbmc/docs/+/26839/
Existing user with callback privilege will be automatically rolled
as No-Access priviliege user.

Tested
1. Verified that AllPrivileges property doesn't show priv-callback
2. Verified that redfish roles doesn't list callback
3. Verified if there are any user in this list already existing in the
system, and after update user was properly shown with No-Access privilege

Change-Id: I7b37d0134e3a335df121b35ad3cd4c88cc00536b
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

show more ...

Support uploading multiple certificates for ldap configuration

This code change regards replacing a path to CA file with directory
location holding multiple CA files within it.

Implementation assum

Support uploading multiple certificates for ldap configuration

This code change regards replacing a path to CA file with directory
location holding multiple CA files within it.

Implementation assumes that one can still define TLS_CACERT_FILE as
either a single CA file or directory location.
Depending if the path points to a file or a directory a proper
value will be set in /etc/nslcd.conf

This code change depends on another change requests:
https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/25987
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/23348

Tested:
Manually tested, all changes propagate properly to
/etc/nslcd.conf file.
Unit Tests are passing.

Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Depends-On: Icd33723c1fc2580679aaaf54b3e99dfb09342402
Depends-On: Ia02c552eb27744e45ccfff3b3a1232d10e65da74
Change-Id: I85dabd4841018f04b0b9e9b58dca9579e7ff1999

show more ...

User Mgr: Fix to populate secureLDAP variable while
deserializing based on ldap URI.

Issue is if secureLdap flag isn't populated during deserialize
we see missing nslcd.conf parameters for secure LD

User Mgr: Fix to populate secureLDAP variable while
deserializing based on ldap URI.

Issue is if secureLdap flag isn't populated during deserialize
we see missing nslcd.conf parameters for secure LDAP,due to
which restart nslcd fails.

Tested by:
1.Configure Secure LDAP
2.Login with ldap user
3.reboot, test login with ldap user
4.Conifgure Secure LDAP with same URI
5.login with ldap user
Tested non secure ldap as well.

Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
Change-Id: I31baed446d5155c4bc4a00524a212bd1e565009d

show more ...

Change the nslcd configuration based on CertificateString Property

- When ever replace client certificate method is called by the
certificate manager, it sends out a PropertyChange Signal which

Change the nslcd configuration based on CertificateString Property

- When ever replace client certificate method is called by the
certificate manager, it sends out a PropertyChange Signal which
will be captured by the phosphor-user-manager and inturn it re-writes
the configuration & restarts nslcd accordingly.

- The idea of this commit is to only consider the Property change on
CertificateString Property and write the configuration and not consider
the change in any other property under the same Interface.

TestedBy:
Tried replacing a new client certificate using bustcl call, and verified
that we write the configuration only when the CertificateString Property
is changed.

Signed-off-by: manojkiraneda <manojkiran.eda@gmail.com>
Change-Id: Id1392365127807d2069c391b8ccc2c4c0a9b7215

show more ...

phosphor-ldap-conf: handle "InterfaceAdded" signal on the ca-cert object

When ever a new ca-cert file is installed/changed(re-installed),
the certificate manager sends a Signal, which is caught by t

phosphor-ldap-conf: handle "InterfaceAdded" signal on the ca-cert object

When ever a new ca-cert file is installed/changed(re-installed),
the certificate manager sends a Signal, which is caught by the
phosphor-user-manager and the nslcd deamon will be restarted with
the appropriate ca-certfile.

TestedBy:
Installed a new ca-certificate using busctl command, and verified if the
phosphor-user-manager captured the InterfaceAdded signal there by updating
the nslcd configuration accordingly.

Signed-off-by: manojkiraneda <manojkiran.eda@gmail.com>
Change-Id: Iffc9b70435d819f6bdaee57970edc65f555ff42d

show more ...

UserMgr: Fix ldap config persistance issue

With exiting implementation during restart of the
phosphor-ldap-conf creates the default object and
restore the config data from the persistent path.
Due t

UserMgr: Fix ldap config persistance issue

With exiting implementation during restart of the
phosphor-ldap-conf creates the default object and
restore the config data from the persistent path.
Due to a bug while creating a default object it overrides
the persistent file and fails to load the configuration.
This commit fixes that issue.

Tested by:
1.Created LDAP config for openldap and AD
and verified config persisted after reboot

Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
Change-Id: I88d1d7a38aec9adc3336d14d14dbe9fbce79eac0

show more ...

phosphor-ldap-conf: handle "PropertiesChanged" signal on the ldap cert object

When LDAP client certificate is changed through Replace method on the cert object.
Object would emit the signal "Prope

phosphor-ldap-conf: handle "PropertiesChanged" signal on the ldap cert object

When LDAP client certificate is changed through Replace method on the cert object.
Object would emit the signal "PropertiesChanged". Upon receiving the
signal, config file would be updated with below given info if
secure ldap is enabled:
tls_cert <path client certificate file>
tls_key <path to client certificate file>

Tested By: Unit Tested

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I5347b13e0bf76742d39dc7a26c96ec5d4dd5a2c6

show more ...

phosphor-ldap-conf: handle "InterfaceAdded" signal on the ldap cert object

When LDAP client certificate is uploaded through install method on the
cert object, Object would emit the signal "Interface

phosphor-ldap-conf: handle "InterfaceAdded" signal on the ldap cert object

When LDAP client certificate is uploaded through install method on the
cert object, Object would emit the signal "InterfaceAdded".
Upon receiving the signal, Config file would be updated with
below given info if secure ldap is enabled:
tls_cert <path client certificate file>
tls_key <path to client certificate file>

Tested By: Unit Tested

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I54b3e116af1b8a9057d91797d4074d39efc65bb0

show more ...

Create role mapping under ldap config object

Each ldap config object should be have its own
mapping object.

This is to align with the redfish.
https://redfish.dmtf.org/schemas/AccountService.v1_4_0

Create role mapping under ldap config object

Each ldap config object should be have its own
mapping object.

This is to align with the redfish.
https://redfish.dmtf.org/schemas/AccountService.v1_4_0.json

As per redfish, Each config will have it's own
"RemoteRoleMapping".

Mapping object should be persisted and restores
when the phosphor-ldap-conf restarts.

TestedBy:
Unit Tested.
Creation of privilege mapping.
Persist the priv-mapping.
Restores the priv-mapping.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I5ab4aeffae61f9cc57c1338f94784d0fe5607cd3

show more ...

Copying the files from the mapper to the config

It was needed as in the next commit we would be
generating the ldap priv mapping object under the
ldap config object.

This is to align with the redfi

Copying the files from the mapper to the config

It was needed as in the next commit we would be
generating the ldap priv mapping object under the
ldap config object.

This is to align with the redfish.
https://redfish.dmtf.org/schemas/AccountService.v1_4_0.json

As per redfish, Each config will have it's own
"RemoteRoleMapping".

TestedBy: Unit-tested
All existing test cases gets passed.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: Ibec2c0b809ce15e71bd3ed84a2d0efdad24f1d17

show more ...

Conditional enable the ldap configuration

If any of the existing ldap config(openldap/AD) is
already enabled,The other ldap configuration can't be
enabled.

TestedBy: Unit-Tested

Tested t

Conditional enable the ldap configuration

If any of the existing ldap config(openldap/AD) is
already enabled,The other ldap configuration can't be
enabled.

TestedBy: Unit-Tested

Tested the above behaviour.It throws the
error back if try to enable the configuration
when there is already active configuration.

If there is no active configuration then it
allows to enable the configuration.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I5b6008036152cd36e5422bb372a05c8a3ec3d24b

show more ...

Serialize the config objects

This commit serializes the config object into cereal
path and restores the config object when the phosphor-ldap-conf
restarts.

TestedBy: Unit tested
Serialize

Serialize the config objects

This commit serializes the config object into cereal
path and restores the config object when the phosphor-ldap-conf
restarts.

TestedBy: Unit tested
Serialize the object
Restart the phosphor-ldap-conf restores the object.
Ldap/Local authentication works fine.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: Ie6e940ddd6851085dc4213677dfb20e3afa0964f

show more ...

Write the config data into the nslcd.conf file

In Config object we have the property enabled, when
it is true then write that config object into nslcd.conf

TestedBy: Unit tested

Signed-off-by: Rat

Write the config data into the nslcd.conf file

In Config object we have the property enabled, when
it is true then write that config object into nslcd.conf

TestedBy: Unit tested

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I0c7bcf0f6557adb9314c94768b1adac39459fbe4

show more ...

Don't allow to delete the config object

User should not be able to delete the default objects
which are AD and openpldap.

TestedBy: Unit tested.
Make sure that delete function is not ther

Don't allow to delete the config object

User should not be able to delete the default objects
which are AD and openpldap.

TestedBy: Unit tested.
Make sure that delete function is not there in the default objects.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I51f11792e842fe964740123c40f9301a3b444786

show more ...

Create the default object for openldap and AD.

This commit introduces the following functionalities
=> Default AD and openldap config object would always be there.
=> User should not be able to chan

Create the default object for openldap and AD.

This commit introduces the following functionalities
=> Default AD and openldap config object would always be there.
=> User should not be able to change the type of the ldap
once it is created.

This change is to align with redfish sehema
(https://redfish.dmtf.org/schemas/AccountService.v1_4_0.json),
In the schema AD and LDAP is a property which user can PATCH,
Now with the current code which doesn't have the default config
so for the PATCH, We were forcing the user to give all the
properties and then create the object which is against the
PATCH semantics.

TestedBy: Unit tested
Default Object gets created when service starts.
change of ldap type gets the error back.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I0ce951a13ee525df022fb0716f0aea10d1909781

show more ...

Change the name of the files to make it align with other filenames

TestedBy: Unit-Tested

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I657962e8cb06b083877321e27cd0c94644e1ebcb

Create separate file for ConfigMgr class

As the ldap_configuration.cpp was getting long
so it is good to create the seprate file for
ConfigMgr.

TestedBy:
Ran the unit test.

Signed-off-by:

Create separate file for ConfigMgr class

As the ldap_configuration.cpp was getting long
so it is good to create the seprate file for
ConfigMgr.

TestedBy:
Ran the unit test.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I312a9f423d4ab3ca4ebd5f17193f7b02162ded6b

show more ...

LDAP Config: Extend the support to change the BindDNPassword

Before this commit we don't allow the user to change the bind
DN password as our REST API was the mirror of the D-bus API.

Now with the

LDAP Config: Extend the support to change the BindDNPassword

Before this commit we don't allow the user to change the bind
DN password as our REST API was the mirror of the D-bus API.

Now with the introduction of Redfish, where we have to give the
support for changing the bind dn password.

With this fix, set property on the d-bus object would update the
underlying ldap config file but wouldn't update the D-bus object due
to security issue.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I6072820185cd540fe44850b90a4f6c256c44471c

show more ...