372c5668 | 30-Jun-2021 |
Alexander Filippov <a.filippov@yadro.com> |
LDAP: start or stop nslcd on service starting
`nslcd` service should be started only if there is a valid endpoint. This commit adds a call that starts or stops `nslcd.service` after the Dbus objects have been deserialized, depending on the presence of an enabled endpoint.
Tested: 1. Made sure `nslcd` is stopped by default. 2. Added a configuration for AD/LDAP endpoint and made sure `nslcd` is started. 3. Rebooted BMC and made sure `nslcd` is started.
Change-Id: I06d91cb450e92bdfb12c4f65dce4e250113ab461 Signed-off-by: Alexander Filippov <a.filippov@yadro.com>
|
178c3f6d | 02-Sep-2021 |
Patrick Williams <patrick@stwcx.xyz> |
exception: switch to public sdbus exception
SdBusError was intended to be a private error type inside sdbusplus. Switch all catch locations to use the general sdbusplus::exception type.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: I8af15372ca11b8400044fc24d4880ea9fd00f3da
|
cda9bc62 | 02-Sep-2021 |
Patrick Williams <patrick@stwcx.xyz> |
cleanup sdbus CAMELCASE define
The transition from e6500a493a156dd58a92b384c77aef2cbd3addac is complete, so clean up the old defines.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: I016e6044eb3821c22cd568c75098b804cd2e02e9
|
607ed50a | 27-May-2021 |
Ratan Gupta <ratankgupta31@gmail.com> |
MAINTAINERS: Replace IRC by DISCORD
Discord is becoming the chat server of choice.
Signed-off-by: Ratan Gupta <ratankgupta31@gmail.com> Change-Id: I1c7cad5961e4ed2fa345a50bb7466f04350cc0ed |
f2d71183 | 26-May-2021 |
Ratan Gupta <ratankgupta31@gmail.com> |
MAINTAINERS: Change Ratan's email address
Signed-off-by: Ratan Gupta <ratankgupta31@gmail.com> Change-Id: I3ee90a79dc61f796b9983107ae70375d928863a8 |
b36b11c6 | 19-Mar-2021 |
Anton D. Kachalov <gmouse@google.com> |
Supply service & busconfig ACLs from the repo.
This change is required as a part of privilege separation work: https://github.com/openbmc/openbmc/issues/3383
This change is required by the following openbmc meta change: https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/42672
Signed-off-by: Anton D. Kachalov <gmouse@google.com> Change-Id: Iad476fc32f9df6fe5ceb51e8eea2c798dcc51252
|
a260f187 | 14-May-2021 |
Andrew Geissler <geissonator@yahoo.com> |
shadowlock: disable until proper unit tests are run
Commit 8eb5397b fixed an issue where the shadowlock objects were not being created or used. That brought to light an issue with the implementation of that class. For now, comment out the use of the shadowlock to get us back to where we were prior to the commit and give us some time to fix it and ensure all tests pass as expected.
See openbmc/phosphor-user-manager#10 for more details.
Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: I570dd6bd3a308e3608525f5e08182c6491fbb7a3
|
8eb5397b | 13-May-2021 |
Ratan Gupta <ratagupt@linux.vnet.ibm.com> |
fixing the ambiguous variable declaration
Object created with the following semantics: Widget obj(). With the most vexing parse, the compiler thinks it is a function declaration of obj which returns an object of the Widget class.
This commit fixes this ambiguity by creating an object using braces {}.
Signed-off-by: Ratan Gupta <ratankgupta31@gmail.com> Change-Id: I8d442c3dfd07d68a93fae46ec782774a1efb72ad
|
e6500a49 | 01-May-2021 |
Patrick Williams <patrick@stwcx.xyz> |
use new sdbus++ camelcase
Change I17a8d7479556596a3cf252b3f4eae9c8df547189 will change how sdbus++ generates names which start with an acronym. Prepare for this by keying off the SDBUSPP_NEW_CAMELCASE define to use the new format.
Changes: lDAP* -> ldap*
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: Idc0c2f33974d684d311b329806cac1a6235edc02
|
18c1b42c | 13-Apr-2021 |
Patrick Williams <patrick@stwcx.xyz> |
bootstrap: fix shellcheck warnings
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: I86ef079c9632e5563a1a56d6a2e23aad59ecbc57 |
9638afb9 | 22-Feb-2021 |
Patrick Williams <patrick@stwcx.xyz> |
clang-format-11: reformat
The .clang-format file here is an old version of the common one. Upgrade to the latest and reformat.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: I0d532aa88d650e9c7664e07abfc8c4fdf0dd3df4
|
703131fa | 28-Oct-2020 |
Gunnar Mills <gmills@us.ibm.com> |
c++17: drop experimental::filesystem
Use std::filesystem, and drop support for building with experimental under c++14.
Tested: Build the repo. Change-Id: I4af0d9c034dbfef5a65153ba5447b86c961aebf1 Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
|
75be4e68 | 18-Sep-2020 |
Jayaprakash Mutyala <mutyalax.jayaprakash@intel.com> |
Treat pwd is not set if no entry in shadow for usr
There are situations (mostly manipulated) when a user entry is present in /etc/password, but not in /etc/shadow. Even though the user can’t log in without a proper entry in /etc/shadow, it is a valid user and password update is only required.
Tested: 1. Manually removed a user entry in /etc/shadow 2. Restarted phosphor-user-manager service 3. Made sure user is listed, and able to update the password through ipmitool set password command 4. Queried the user entry again and confirmed PasswordExpired is returned as false.
Signed-off-by: Jayaprakash Mutyala <mutyalax.jayaprakash@intel.com> Change-Id: I818be9a63121448210a99c175005708788279963
|
3a003e2f | 11-Aug-2020 |
Ravi Teja <raviteja28031990@gmail.com> |
Avoid LDAP lookups for local groups
Currently we see LDAP lookups for all local groups with openLDAP and Active Directory configuration.
This commit updates the config with "nss_initgroups_ignoreusers ALLLOCAL"; this option filters out all LDAP lookups for all local groups.
Update the LDAP config with nss_initgroups_ignoreusers ALLLOCAL while creating the configuration for openLDAP and Active Directory.
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com> Change-Id: I547a59d4d26a087503375ce18d90e6492ec73103
|
417c0897 | 22-Aug-2020 |
Ravi Teja <raviteja28031990@gmail.com> |
UserManager: Fix unit test cases
User_mgr and ldap_mapper testcases are failing with D-bus errors. This commit fixes both testcases by using mocked sdbus.
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com> Change-Id: I3fcabeb1781c938affa11a1370b107d628242374
|
4f617b7a | 03-Jun-2020 |
Zhenfei Tai <ztai@google.com> |
Update .gitignore for generated libtool file
Signed-off-by: Zhenfei Tai <ztai@google.com> Change-Id: Ib5a2523699d90b7700170b4e40b9225349e230dd |
73ce773e | 27-May-2020 |
Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> |
Add missed option definition - root user mgmt.
Added missed option definition to enable / disable managing root user under phosphor-user-manager. Default root user is managed by phosphor-user-manager, but can be disabled if needed.
Tested: 1. Verified that root user is listed as an object, in default build 2. Verified that root user is not listed as an object with EXTRA_OECONF += "--disable-root_user_mgmt"
Change-Id: Iaf677f36b7cc28b67977881235bd72915943b372 Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
6ee466b6 | 28-May-2020 |
Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> |
[CI fix]: Clang format related fix
Add AfterCaseLabel to the clang-format file
Change-Id: I96c6741ec32e05a1ac36337db434917f79a60e40 Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
fdf09373 | 13-May-2020 |
Patrick Williams <patrick@stwcx.xyz> |
sdbusplus: replace message::variant with std::variant
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: If20545ad78b4b813e7bba0909c99fa7156a00c96 |
8f8fc238 | 13-May-2020 |
Patrick Williams <patrick@stwcx.xyz> |
sdbusplus: remove deprecated variant_ns
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: I6114c160d823de58e39cb4252ca5ae635de99ea0 |
3ab6cc28 | 03-Mar-2020 |
Joseph Reynolds <joseph-reynolds@charter.net> |
Add UserPasswordExpired for local users
Adds a new UserPasswordExpired property to local User.Attributes which represents if the account's password is expired and must be changed. The value corresponds to the `chage` command.
Note this is distinct from UserLockedForFailedAttempt which represents a locked account due to unsuccessful authentication attempts.
Tested: Via busctl - Checked local and LDAP users. - Expired password via `passwd --expire USER`. - Aged password via `chage USER`. - Changed password via REST API and via the `passwd USER` command.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net> Change-Id: I44585559509a422bb91c83a2a853c1a033594350
|
fe720ffa | 31-Jan-2020 |
raviteja-b <raviteja28031990@gmail.com> |
LDAP: add support for privilege priv-noaccess
This commit adds support to ldap privilege role map configuration for 'priv-noaccess'
Signed-off-by: raviteja-b <raviteja28031990@gmail.com> Change-Id: Ia28da61ee3f3bad8e2e233efd220266586713f4d
|
d4d65500 | 02-Nov-2019 |
Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> |
Add option to enable / disable root user mgmt.
Provided option to enable / disable managing root user under phosphor-user-manager. Default root user is managed by phosphor-user-manager, but can be disabled if needed.
Tested: 1. Verified that root user is listed as an object, in default build 2. Verified that root user is not listed as an object with EXTRA_OECONF += "--disable-root_user_mgmt"
Change-Id: I5efdf99746739e8ae77e78056893ee5f635364ea Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
32be2961 | 08-Nov-2019 |
Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> |
Remove priv-callback support
The callback privilege must be used only with an ipmi modem callback connection. As OpenBMC doesn't support it, and for other interfaces this shouldn't allow the login, it has been decided to deprecate the priv-callback permanently. Refer to https://gerrit.openbmc-project.xyz/#/c/openbmc/docs/+/26839/ An existing user with callback privilege will be automatically rolled as a No-Access privilege user.
Tested 1. Verified that AllPrivileges property doesn't show priv-callback 2. Verified that redfish roles doesn't list callback 3. Verified if there are any user in this list already existing in the system, and after update user was properly shown with No-Access privilege
Change-Id: I7b37d0134e3a335df121b35ad3cd4c88cc00536b Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
5d00cf25 | 03-Oct-2019 |
Zbigniew Kurzynski <zbigniew.kurzynski@intel.com> |
Support uploading multiple certificates for ldap configuration
This code change regards replacing a path to CA file with directory location holding multiple CA files within it.
Implementation assumes that one can still define TLS_CACERT_FILE as either a single CA file or directory location. Depending if the path points to a file or a directory a proper value will be set in /etc/nslcd.conf
This code change depends on other change requests: https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/25987 https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/23348
Tested: Manually tested, all changes propagate properly to /etc/nslcd.conf file. Unit Tests are passing.
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com> Depends-On: Icd33723c1fc2580679aaaf54b3e99dfb09342402 Depends-On: Ia02c552eb27744e45ccfff3b3a1232d10e65da74 Change-Id: I85dabd4841018f04b0b9e9b58dca9579e7ff1999
|