History log of /openbmc/phosphor-user-manager/test/ (Results 51 – 75 of 75)
Revision Date Author Comments
5d00cf25 03-Oct-2019 Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>

Support uploading multiple certificates for ldap configuration

This code change regards replacing a path to CA file with directory
location holding multiple CA files within it.

Implementation assumes that one can still define TLS_CACERT_FILE as
either a single CA file or directory location.
Depending if the path points to a file or a directory a proper
value will be set in /etc/nslcd.conf

This code change depends on another change requests:
https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/25987
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/23348

Tested:
Manually tested, all changes propagate properly to
/etc/nslcd.conf file.
Unit Tests are passing.

Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Depends-On: Icd33723c1fc2580679aaaf54b3e99dfb09342402
Depends-On: Ia02c552eb27744e45ccfff3b3a1232d10e65da74
Change-Id: I85dabd4841018f04b0b9e9b58dca9579e7ff1999

d5884043 10-Jun-2019 Ravi Teja <raviteja28031990@gmail.com>

User Mgr: Fix to populate secureLDAP variable while
deserializing based on ldap URI.

Issue is if secureLdap flag isn't populated during deserialize
we see missing nslcd.conf parameters for secure LDAP, due to
which restart nslcd fails.

Tested by:
1.Configure Secure LDAP
2.Login with ldap user
3.reboot, test login with ldap user
4.Configure Secure LDAP with same URI
5.login with ldap user
Tested non secure ldap as well.

Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
Change-Id: I31baed446d5155c4bc4a00524a212bd1e565009d

22f13f18 29-Apr-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

phosphor-ldap-conf: handle "InterfaceAdded" signal on the ldap cert object

When LDAP client certificate is uploaded through install method on the
cert object, Object would emit the signal "InterfaceAdded".
Upon receiving the signal, Config file would be updated with
below given info if secure ldap is enabled:
tls_cert <path client certificate file>
tls_key <path to client certificate file>

Tested By: Unit Tested

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I54b3e116af1b8a9057d91797d4074d39efc65bb0

5fe724a7 07-May-2019 Ravi Teja <raviteja28031990@gmail.com>

User Mgr: Update GetUserInfo to read ldap user privilege

Without this fix privilege mapping was fetched from the standalone
mapper application. Now with the recent changes privilege
mapping is part of the config object itself.

This fix is to address that change.

TestedBy:
1.Added privilege mapper for ldap user and
then GetUserInfo for ldap user and verified
if privilege is correct.
2.Created local user and verified local user info
through GetUserInfo and check privilege.

Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
Change-Id: Ie149cc1ef46370a899aa8312ce17448b6c00c0e9

fef57896 14-Apr-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

Adding unit test for priv mapping

Now privilege mapping is under the config object so adding the
unit test wrt to config.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I00f03c9d54b4953e1665539b5cd2053ef82b0d51

7b04c352 12-Apr-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

Create role mapping under ldap config object

Each ldap config object should have its own
mapping object.

This is to align with the redfish.
https://redfish.dmtf.org/schemas/AccountService.v1_4_0.json

As per redfish, each config will have its own
"RemoteRoleMapping".

Mapping object should be persisted and restored
when the phosphor-ldap-conf restarts.

TestedBy:
Unit Tested.
Creation of privilege mapping.
Persist the priv-mapping.
Restores the priv-mapping.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I5ab4aeffae61f9cc57c1338f94784d0fe5607cd3

c5481d1c 12-Apr-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

Conditional enable the ldap configuration

If any of the existing ldap config (openldap/AD) is
already enabled, the other ldap configuration can't be
enabled.

TestedBy: Unit-Tested

Tested the above behaviour. It throws the
error back if try to enable the configuration
when there is already active configuration.

If there is no active configuration then it
allows to enable the configuration.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I5b6008036152cd36e5422bb372a05c8a3ec3d24b

21e88cb5 12-Apr-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

Serialize the config objects

This commit serializes the config object into cereal
path and restores the config object when the phosphor-ldap-conf
restarts.

TestedBy: Unit tested
Serialize the object
Restart the phosphor-ldap-conf restores the object.
Ldap/Local authentication works fine.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: Ie6e940ddd6851085dc4213677dfb20e3afa0964f

ec11754b 25-Apr-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

Write the config data into the nslcd.conf file

In Config object we have the property enabled, when
it is true then write that config object into nslcd.conf

TestedBy: Unit tested

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I0c7bcf0f6557adb9314c94768b1adac39459fbe4

8cc44050 27-Feb-2019 raviteja-b <raviteja28031990@gmail.com>

Implement unit test for getUserInfo function
in phosphor-user-manager

added testcases
1.unit test for ldap entry does not exist
2.unit test for local user.
3.unit test for ldap user with privilege mapper entry
4.unit test for ldap user without privilege mapper entry

gerrit link for getUserInfo function
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-user-manager/+/18132/

Change-Id: Idfd7e1ffeb8acfebab590c8c5fd6adc9bcf218dc
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

27d4c011 12-Apr-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

Create the default object for openldap and AD.

This commit introduces the following functionalities
=> Default AD and openldap config object would always be there.
=> User should not be able to change the type of the ldap
once it is created.

This change is to align with redfish schema
(https://redfish.dmtf.org/schemas/AccountService.v1_4_0.json),
In the schema AD and LDAP is a property which user can PATCH,
Now with the current code which doesn't have the default config
so for the PATCH, We were forcing the user to give all the
properties and then create the object which is against the
PATCH semantics.

TestedBy: Unit tested
Default Object gets created when service starts.
change of ldap type gets the error back.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I0ce951a13ee525df022fb0716f0aea10d1909781

37fb3fee 13-Apr-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

Change the name of the files to make it align with other filenames

TestedBy: Unit-Tested

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I657962e8cb06b083877321e27cd0c94644e1ebcb

e1f4db62 11-Apr-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

Create separate file for ConfigMgr class

As the ldap_configuration.cpp was getting long
so it is good to create the separate file for
ConfigMgr.

TestedBy:
Ran the unit test.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I312a9f423d4ab3ca4ebd5f17193f7b02162ded6b

3a1c2741 19-Mar-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

LDAP Config: Extend the support to change the BindDNPassword

Before this commit we don't allow the user to change the bind
DN password as our REST API was the mirror of the D-bus API.

Now with the introduction of Redfish, where we have to give the
support for changing the bind dn password.

With this fix, set property on the d-bus object would update the
underlying ldap config file but wouldn't update the D-bus object due
to security issue.

Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
Change-Id: I6072820185cd540fe44850b90a4f6c256c44471c

736648e2 06-Mar-2019 Sumanth Bhat <sumanth.bhat@intel.com>

Removing unused SetPassword D-Bus API method

Password update is done through pam_chauthtok() API,
and don't use SetPassword. Removing the unused code.

Tested-by:
N/A.

Change-Id: I42a5b7c73bc2cb2404801df1c1cd057a94a1a924
Signed-off-by: Sumanth Bhat <sumanth.bhat@intel.com>
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

95a29314 18-Feb-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

LDAP: Add the persistency for the "Enabled" property

This property will control that whether the LDAP service would
be started or not.

We are persisting this property using cereal, other properties
is being persisted through nslcd.conf, nslcd doesn't give us
a way to put this property under nslcd.conf.

Tested By:
Test the persistency of enabled property.
Verified that it was getting persisted across restart/reboot.

Change-Id: Id64b23b71865bac15d3be2d79abad615aa576bea
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>

aeaf9413 11-Feb-2019 Ratan Gupta <ratagupt@linux.vnet.ibm.com>

squash the following commits

LDAP: Adding support for extra properties
Implement GetUserInfo function in phosphor-user-manager

Squashing the commits due to phosphor-dbus-interfaces
dependency as the interface gets merged and it requires implementation
so it is a deadlock for both the commits.

Implement GetUserInfo function in phosphor-user-manager

There was need to have api which return privilege for ldap user.
it was discussed in this commit
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/12027/
and decided to have generic api.

-Checks if user is local user, then returns map of properties of
local user like user privilege,list of user groups,user enabled
state and user locked state.

-If it's not local user, then it checks if it's a ldap user,
then get the privilege mapping for the LDAP group and returns.

TestedBy: 1) getUserInfo with local user
verify user details.
2) getUserInfo with ldap user having privilege mapper
entry, verify user details.
3) getUserInfo with no existing user.
check for exception UserNameDoesNotExist.

Change-Id: I44af41953db60ff96b39498d72839c2ab64bc8bd
Signed-off-by: raviteja-b <raviteja28031990@gmail.com>

LDAP: Adding support for extra properties

This commit also decouples the ldap service (nslcd) start
with each property update. Now there is a D-bus property
ldap service enabled which controls that whether the LDAP
service will be restarted after each property update, so now user
have an option to disable the ldap service and do multi-
property update and then enable the service again.

TestedBy: 1) Create the config with new added properties
Verify that it was getting reflected on the D-bus object.
2) After making the change restarted the ldap-conf service
Verify that new properties(usernameattr,groupnameattr) are correctly updated.
3) Authentication test
Verify that LDAP authentication worked fine.
4) Set the enabled property to true
Verify that it starts the nslcd service
5) Set the enabled property to false
Verify that it stops the nslcd.service
6) Set the enabled property to true and change any other config property
Verify that it starts the nslcd.service
7) Set the enabled property to false which stops the nslcd service
and change any other config property.
Verify that it doesn't start the nslcd service.

Change-Id: Ie3ca04a2adbbb1fe113764199348c4f7ac67f648
Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>

f870b48e 18-Nov-2018 Tom Joseph <tomjoseph@in.ibm.com>

Add unit tests for ldap mapper application

Change-Id: I2d75a4f2e27f6e6640e8a16cc7834116b260f547
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>

bc4f180c 09-Nov-2018 Nagaraju Goruganti <ngorugan@in.ibm.com>

phosphor-ldap-conf: nslcd restart service getting called twice

In the createconfig path nslcd restart service is getting called twice
in a row, which is not needed.

Change-Id: Ib60d43110815758360aa6f0de0478ad784cf5a5a
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>

5088e544 28-Oct-2018 Deepak Kodihalli <dkodihal@in.ibm.com>

React to nsswitch config file changes

There's just one nsswitch config file now (instead of a default, an
_linux and an _ldap). Make fixes in code relevant to this.

Change-Id: I92362aac7a1f5e034cea06e9299f7e574dc2fab9
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>

3b4d06a1 08-Nov-2018 Nagaraju Goruganti <ngorugan@in.ibm.com>

phosphor-ldap-conf: update nslcd.conf file with tls_cacertfile info

tls_cacertfile specifies the path to the X.509 certificate for
peer authentication.

Also updated the file with "tls_reqcert hard", to force the
behavior: if no certificate is provided, or a bad certificate
is provided, the session is immediately terminated.

Tested: tested using below given commands
1.curl -c cjar -b cjar -k -H "Content-Type: application/json" -X POST -d \
'{"data":[true,"ldaps://<host_ip>/","cn=<user-id>,dc=Corp,dc=ibm,dc=com",\
"cn=Users,dc=Corp,dc=ibm,dc=com", "<password>",\
"xyz.openbmc_project.User.Ldap.Create.SearchScope.sub",\
"xyz.openbmc_project.User.Ldap.Create.Type.ActiveDirectory"] \
}' https://$BMC_IP//xyz/openbmc_project/user/ldap/action/CreateConfig

2.curl -b cjar -k -H "Content-Type: application/json" -X PUT -d '{"data":true}'\
https://$BMC_IP/xyz/openbmc_project/user/ldap/config/attr/SecureLDAP

3.curl -b cjar -k -H "Content-Type: application/json" -X PUT -d \
'{"data":"ldap://<host_ip>/"}' \
https://$BMC_IP/xyz/openbmc_project/ldap/config/attr/LDAPServerURI

when "/etc/ssl/certs/Root-CA.pem" doesn't exist on target, we get below
given exception(if we try to set SecureLDAP is true):
"DBusException: xyz.openbmc_project.Common.Error.NoCACertificate: \
Server's CA certificate has not been provided."

Change-Id: I56ffe8b08bb71307b4f2bfe9cf935b6113e4579a
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>

d514e5dc 08-Nov-2018 Nagaraju Goruganti <ngorugan@in.ibm.com>

phosphor-ldap-conf: add unit tests

Added unit tests to create and to restore config file.

Change-Id: Idf5231d46542cda1ff84241aa67aadd91a4788d6
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>

9f630d9e 24-May-2018 Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

Basic support for User manager service

Basic support for User Manager service methods
are implemented.

Change-Id: Id42432ec6dd421b99971268add931dcd70876f7c
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

1f5a002f 16-Dec-2017 Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

Fix to use mkstemp for temp shadow file creation

Do not rely on randomString() for tempShadowFile, as it uses '/' in random
set, and causes file creation error. Also, it's safe to use mkstemp to create
temp shadow file with random name suffixing shadow file name.

Change-Id: I0b80cc6d7c002e732e22f660e50b0701acac15fe
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

035a9698 15-Sep-2017 Vishwanatha Subbanna <vishwa@linux.vnet.ibm.com>

Add GTEST cases

Fixes openbmc/openbmc#1714

Change-Id: I51964f16fc2ea733ee3b3ae822f72ac7b431189a
Signed-off-by: Vishwanatha Subbanna <vishwa@linux.vnet.ibm.com>
