a929752b | 20-Feb-2019 |
Ratan Gupta <ratagupt@linux.vnet.ibm.com> |
Corrected the error log message.
Change-Id: I682dda32c0482e0849289a70d5b3ffa624bb915d Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com> |
68484287 | 05-Mar-2019 |
Brad Bishop <bradleyb@fuzziesquirrel.com> |
MAINTAINERS: Remove myself, add Ratan and Richard
I haven't written any code in this project, and I haven't been able to allocate much time to peer review either, so it doesn't make any sense for me to be a maintainer.
Richard and Ratan both have written code in PUM, been active in peer review, and know a lot about the overall user management implementation in OpenBMC. Richard and Ratan will both provide timely and quality feedback to PUM contributors, so it makes a lot of sense for them to co-maintain PUM in place of Brad.
Change-Id: I72b9c471f2c42b4b962de4ecc040d6c8489ee21f Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
5e8ccb97 | 13-Feb-2019 |
Patrick Venture <venture@google.com> |
build: pkg anti-pattern: use defaults
Use the defaults in the pkg check where the default error message is sufficient to identify which package is missing.
Change-Id: I09cf1888ea4f41b5c22d18d72b169d2ca32fc339 Signed-off-by: Patrick Venture <venture@google.com>
|
f5c2df5e | 22-Nov-2018 |
Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> |
Remove output user name comparison for pam_tally2
pam_tally2 output restricts printing user name to 15 characters. This makes the extra precautionary user name comparison fail, causing the system to fail inadvertently. Hence removed the precautionary condition, as the user name is passed to pam_tally2 as an argument.
Unit test: Added user name of 16 characters or more and tried querying the user locked for failed attempt, and got successful data
Change-Id: I889c423324e53e4c554e9dce772a39f1843803b2 Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
|
f870b48e | 18-Nov-2018 |
Tom Joseph <tomjoseph@in.ibm.com> |
Add unit tests for ldap mapper application
Change-Id: I2d75a4f2e27f6e6640e8a16cc7834116b260f547 Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com> |
f5bd891c | 18-Nov-2018 |
Tom Joseph <tomjoseph@in.ibm.com> |
Refactor mapper application to enable unit tests
Change-Id: I58cac8879f93ce49bfb654a1bf559d7f77b5b486 Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com> |
23886efd | 07-Oct-2018 |
Ratan Gupta <ratagupt@in.ibm.com> |
Add readme for user manager
This document presently has the various REST commands related to configuration of LDAP on the BMC.
Change-Id: I0c1be4692b546bb591378f73bc992d6c742c3bc1 Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com> Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
bc4f180c | 09-Nov-2018 |
Nagaraju Goruganti <ngorugan@in.ibm.com> |
phosphor-ldap-conf: nslcd restart service getting called twice
In the createconfig path nslcd restart service is getting called twice in a row, which is not needed.
Change-Id: Ib60d43110815758360aa6f0de0478ad784cf5a5a Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
5088e544 | 28-Oct-2018 |
Deepak Kodihalli <dkodihal@in.ibm.com> |
React to nsswitch config file changes
There's just one nsswitch config file now (instead of a default, an _linux and an _ldap). Make fixes in code relevant to this.
Change-Id: I92362aac7a1f5e034cea06e9299f7e574dc2fab9 Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com> Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
3b4d06a1 | 08-Nov-2018 |
Nagaraju Goruganti <ngorugan@in.ibm.com> |
phosphor-ldap-conf: update nslcd.conf file with tls_cacertfile info
tls_cacertfile specifies the path to the X.509 certificate for peer authentication.
Also updated the file with "tls_reqcert hard", to force the behavior: if no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
Tested: tested using below given commands
1. curl -c cjar -b cjar -k -H "Content-Type: application/json" -X POST -d \
'{"data":[true,"ldaps://<host_ip>/","cn=<user-id>,dc=Corp,dc=ibm,dc=com",\
"cn=Users,dc=Corp,dc=ibm,dc=com", "<password>",\
"xyz.openbmc_project.User.Ldap.Create.SearchScope.sub",\
"xyz.openbmc_project.User.Ldap.Create.Type.ActiveDirectory"] \
}' https://$BMC_IP//xyz/openbmc_project/user/ldap/action/CreateConfig
2. curl -b cjar -k -H "Content-Type: application/json" -X PUT -d '{"data":true}'\
https://$BMC_IP/xyz/openbmc_project/user/ldap/config/attr/SecureLDAP
3. curl -b cjar -k -H "Content-Type: application/json" -X PUT -d \
'{"data":"ldap://<host_ip>/"}' \
https://$BMC_IP/xyz/openbmc_project/ldap/config/attr/LDAPServerURI
when "/etc/ssl/certs/Root-CA.pem" doesn't exist on target, we get below given exception (if we try to set SecureLDAP is true):
"DBusException: xyz.openbmc_project.Common.Error.NoCACertificate: \
Server's CA certificate has not been provided."
Change-Id: I56ffe8b08bb71307b4f2bfe9cf935b6113e4579a Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com> Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com> Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
d514e5dc | 08-Nov-2018 |
Nagaraju Goruganti <ngorugan@in.ibm.com> |
phosphor-ldap-conf: add unit tests
Added unit tests to create and to restore config file.
Change-Id: Idf5231d46542cda1ff84241aa67aadd91a4788d6 Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com> Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com> Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
3e7a72ea | 17-Oct-2018 |
Ratan Gupta <ratagupt@in.ibm.com> |
phosphor-ldap-conf: Make correction in renaming path of nsswitch.conf
By default nscd comes with nsswitch.conf, we had one more file for the ldap specific version, and we copy the content from the ldap nsswitch to the nsswitch.conf once LDAP config object gets created/deleted.
We had some inconsistency during restarting of services so thought of clean logic where we would be having two files nsswitch_linux/nsswitch_ldap and when ldap config object gets created we copy the nsswitch_ldap to nsswitch.conf and when it gets deleted then copy the nsswitch_linux to nsswitch.conf
Change-Id: I5a0af3ec82dd08fc54c7423fda1a80509769872d Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com> Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
c9c86a2c | 17-Oct-2018 |
Ratan Gupta <ratagupt@in.ibm.com> |
phosphor-ldap-conf: Don't create the LDAP config object
During restore path (i.e. while phosphor-ldap-conf service restarts), after parsing the file, if any of the LDAP parameters (BindDN, BaseDN, URI) has an empty value then don't create the LDAP config object. Before this commit the config object was not being created but it throws an unnecessary log in the journal due to creation of errorlog. In restore path we don't want the errorlog.
This commit fixes the problem of creating unnecessary log in the journal.
Change-Id: I074fe96a6c6382bc2d31e91df1275756b57c1045 Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com> Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
53dd108b | 16-Oct-2018 |
Ratan Gupta <ratagupt@in.ibm.com> |
phosphor-ldap-conf: Don't map the uid with cn for openLDAP
Users residing on the openLDAP server have the uid and the cn attribute, so there is no need to map the uid with cn.
Change-Id: Ie1ef9798191831d0b532b310960115c5dd8a1b33 Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com>
|
808eda41 | 10-Oct-2018 |
Nagaraju Goruganti <ngorugan@in.ibm.com> |
phosphor-ldap-conf: update nslcd.conf file for OpenLdap
Update the config file with "filter group (objectclass=posixGroup)" for OpenLdap.
Change-Id: I4a0a4693294745391d58d7ee9158c75468637f36 Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
59287f09 | 12-Oct-2018 |
Nagaraju Goruganti <ngorugan@in.ibm.com> |
phosphor-ldap-conf: validate LDAP Server URI
Validates given URI. Also updates secureLDAP property based on given URI. If URI is of LDAPS type, secureLDAP is set to true, else it is set to false.
Change-Id: If96495c01a8bd911d255267ffbbbff7f28fa070b Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
db60f584 | 08-Nov-2018 |
Nagaraju Goruganti <ngorugan@in.ibm.com> |
ldap-config: remove Bindpassword and secureLDAP property from the interface
This is a reaction to the phosphor-dbus-interfaces changes given below: https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/14595/ and https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/14718/
Change-Id: Id427d718b6fcc9b90dfb3bccb3b4cc665a107c46 Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com> Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com> Signed-off-by: Ratan Gupta <ratagupt@linux.vnet.ibm.com>
|
9891f2f8 | 06-Oct-2018 |
Ratan Gupta <ratagupt@in.ibm.com> |
phosphor-ldap-conf: change the permissions of the nslcd.conf file
If bindDN password is being written in the file then change the permission of the file to 640 so that it is not world readable.
If bindDN password is not written then permission would be 644 which is default.
Change-Id: I567285ad75e18c2a38c37918d3d3a5e61b0b39ea Signed-off-by: Ratan Gupta <ratagupt@in.ibm.com> Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
15675474 | 05-Oct-2018 |
Nagaraju Goruganti <ngorugan@in.ibm.com> |
phosphor-ldap-conf: add support for anonymous bind
Add "bindpw <password>" entry into nslcd.conf file only if given password is not null.
Change-Id: Ifa4a90c6fd41d5b36c62328dcf3e9bfc38dd0ebb Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
045b1123 | 16-Oct-2018 |
Patrick Venture <venture@google.com> |
user_mgr: throw original exception
[user_mgr.cpp:696]: (style) Throwing a copy of the caught exception instead of rethrowing the original exception.
[user_mgr.cpp:923]: (style) Throwing a copy of the caught exception instead of rethrowing the original exception.
[user_mgr.cpp:949]: (style) Throwing a copy of the caught exception instead of rethrowing the original exception.
[user_mgr.cpp:974]: (style) Throwing a copy of the caught exception instead of rethrowing the original exception.
[user_mgr.cpp:999]: (style) Throwing a copy of the caught exception instead of rethrowing the original exception.
Change-Id: I57243acf997c248b38f52926c0a8dd525b32cc90 Signed-off-by: Patrick Venture <venture@google.com>
|
c704519e | 13-Jun-2018 |
Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> |
Add support for user locked state property
Support for user locked state property using pam_tally2 application added.
Change-Id: Ia77ff6527c15c93ac272110950e99fff56dcbaa6 Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
9164fd9b | 13-Jun-2018 |
Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> |
Support for password & security configuration
Support for password & security enforcement configuration added. Implements the D-Bus interface properties to read and configure minimum password length, old password remember history, unlock timeout and maximum login attempt.
Change-Id: I1a462a8a5d1f5dd07f3b594d62bd9c61bbdddb9c Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
b26799aa | 28-Sep-2018 |
Nagaraju Goruganti <ngorugan@in.ibm.com> |
phosphor-ldap-conf: add support for validation of parameters
Validate LDAP Server's URI, BaseDN and BindDN.
Change-Id: If754e17c238069e04c9e1e8735a28d54dbf221cb TODO: Unit tests will be added in subsequent commits. Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
dccee2b7 | 25-Sep-2018 |
Nagaraju Goruganti <ngorugan@in.ibm.com> |
phosphor-ldap-conf: switch between config files while enabling/disabling LDAP
While creating LDAP configuration take a backup of existing config files and restore them when LDAP configuration is disabled.
Change-Id: Id37138107311a56c5066bc66137a2d55e1e23099 Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|
24194bd9 | 18-Sep-2018 |
Nagaraju Goruganti <ngorugan@in.ibm.com> |
phosphor-ldap-conf: Implement the Delete interface
Implement the xyz.openbmc_project.Object.Delete interface to delete LDAP config object.
Change-Id: Ia7413fd10c91ad5c79286fbe4a00740ced42aad6 Signed-off-by: Nagaraju Goruganti <ngorugan@in.ibm.com>
|