169419bafSAndrew Jeffery# openbmctool Documentation 269419bafSAndrew Jeffery 369419bafSAndrew JefferyThis provides documentation beyond what is in the tool's help text. 469419bafSAndrew Jeffery 569419bafSAndrew Jeffery## Connecting to a system 669419bafSAndrew Jeffery 7*e310dd91SPatrick WilliamsAn IP address or hostname, password, and username are required for connecting to 8*e310dd91SPatrick Williamsa BMC. 969419bafSAndrew Jeffery 1069419bafSAndrew JefferyThese are passed in with the following options: 11*e310dd91SPatrick Williams 1269419bafSAndrew Jeffery- `-H`: The hostname or IP for the BMC 13*e310dd91SPatrick Williams- `-U`: The username One of the password options: 1469419bafSAndrew Jeffery- `-P`: The password, provided in-line 1569419bafSAndrew Jeffery- `-A`: Prompt for a password 16*e310dd91SPatrick Williams- `-E`: Take the password from envvar `OPENBMCTOOL_PASSWORD` 1769419bafSAndrew Jeffery 1869419bafSAndrew Jeffery## Enabling and Disabling Local BMC User Accounts 1969419bafSAndrew Jeffery 20*e310dd91SPatrick WilliamsThe local user accounts on the BMC, such as root, can be disabled, queried, and 21*e310dd91SPatrick Williamsre-enabled with the `local_users` sub-command. 2269419bafSAndrew Jeffery 23*e310dd91SPatrick WilliamsImportant: After disabling local users, an LDAP user will need to be used for 24*e310dd91SPatrick Williamsfurther interaction with the BMC, including if using openbmctool to enable local 25*e310dd91SPatrick Williamsusers again. 2669419bafSAndrew Jeffery 2769419bafSAndrew JefferyTo view current local user account status: 28*e310dd91SPatrick Williams 29*e310dd91SPatrick Williams```sh 3069419bafSAndrew Jefferyopenbmctool <connection options> local_users queryenabled 3169419bafSAndrew Jeffery``` 3269419bafSAndrew Jeffery 3369419bafSAndrew JefferyTo disable all local user accounts: 34*e310dd91SPatrick Williams 35*e310dd91SPatrick Williams```sh 3669419bafSAndrew Jefferyopenbmctool <connection options> local_users disableall 3769419bafSAndrew Jeffery``` 3869419bafSAndrew Jeffery 3969419bafSAndrew JefferyTo re-enable all local user accounts: 40*e310dd91SPatrick Williams 41*e310dd91SPatrick Williams```sh 4269419bafSAndrew Jefferyopenbmctool <connection options> local_users enableall 4369419bafSAndrew Jeffery``` 4469419bafSAndrew Jeffery 4569419bafSAndrew Jeffery## Remote logging via rsyslog 4669419bafSAndrew Jeffery 47*e310dd91SPatrick WilliamsThe BMC has the ability to stream out local logs (that go to the systemd 48*e310dd91SPatrick Williamsjournal) via [rsyslog](https://www.rsyslog.com/). 4969419bafSAndrew Jeffery 5069419bafSAndrew JefferyThe BMC will send everything. Any kind of filtering and appropriate storage will 5169419bafSAndrew Jefferyhave to be managed on the rsyslog server. Various examples are available on the 5269419bafSAndrew Jefferyinternet. Here are few pointers: 53*e310dd91SPatrick Williams 54*e310dd91SPatrick Williams- <https://www.rsyslog.com/storing-and-forwarding-remote-messages/> 55*e310dd91SPatrick Williams- <https://www.rsyslog.com/doc/rsyslog%255Fconf%255Ffilter.html> 56*e310dd91SPatrick Williams- <https://www.thegeekdiary.com/understanding-rsyslog-filter-options/> 5769419bafSAndrew Jeffery 5869419bafSAndrew Jeffery### Configuring rsyslog server for remote logging 5969419bafSAndrew Jeffery 60*e310dd91SPatrick Williams```sh 6169419bafSAndrew Jefferyopenbmctool <connection options> logging remote_logging_config -a <IP address> -p <port> 6269419bafSAndrew Jeffery``` 6369419bafSAndrew Jeffery 64*e310dd91SPatrick WilliamsThe IP address and port to be provided are of the remote rsyslog server. Once 65*e310dd91SPatrick Williamsthis command is run, the remote rsyslog server will start receiving logs from 66*e310dd91SPatrick Williamsthe BMC. 6769419bafSAndrew Jeffery 68*e310dd91SPatrick WilliamsHostname can be specified instead of IP address, if DNS is configured on the 69*e310dd91SPatrick WilliamsBMC. 7069419bafSAndrew Jeffery 7169419bafSAndrew Jeffery### Disabling remote logging 7269419bafSAndrew Jeffery 73*e310dd91SPatrick Williams```sh 7469419bafSAndrew Jefferyopenbmctool <connection options> logging remote_logging disable 7569419bafSAndrew Jeffery``` 7669419bafSAndrew Jeffery 7769419bafSAndrew JefferyIt is recommended to disable remote logging before switching remote logging from 78*e310dd91SPatrick Williamsan existing remote server to a new one (i.e before re-running the 79*e310dd91SPatrick Williams`remote_logging_config` option). 8069419bafSAndrew Jeffery 8169419bafSAndrew Jeffery### Querying remote logging config 8269419bafSAndrew Jeffery 83*e310dd91SPatrick Williams```sh 8469419bafSAndrew Jefferyopenbmctool <connection options> logging remote_logging view 8569419bafSAndrew Jeffery``` 8669419bafSAndrew Jeffery 8769419bafSAndrew JefferyThis will print out the configured remote rsyslog server's IP address and port, 8869419bafSAndrew Jefferyin JSON format. 8969419bafSAndrew Jeffery 9069419bafSAndrew Jeffery## BMC Certificate management 9169419bafSAndrew Jeffery 92*e310dd91SPatrick WilliamsCertificate management allows replacing the existing certificate and private key 93*e310dd91SPatrick Williamsfile with another (possibly certification Authority (CA) signed) certificate and 94*e310dd91SPatrick Williamsprivate key file. Certificate management allows the user to install server, 95*e310dd91SPatrick Williamsclient and root certificates. 9669419bafSAndrew Jeffery 9769419bafSAndrew Jeffery### Update HTTPS server certificate 98*e310dd91SPatrick Williams 99*e310dd91SPatrick Williams```sh 10069419bafSAndrew Jefferyopenbmctool <connection options> certificate update server https -f <File> 10169419bafSAndrew Jeffery``` 102*e310dd91SPatrick Williams 10369419bafSAndrew JefferyFile: The [PEM](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail) file 10469419bafSAndrew Jefferycontaining both certificate and private key. 10569419bafSAndrew Jeffery 10669419bafSAndrew Jeffery### Update LDAP client certificate 107*e310dd91SPatrick Williams 108*e310dd91SPatrick Williams```sh 10969419bafSAndrew Jefferyopenbmctool <connection options> certificate update client ldap -f <File> 11069419bafSAndrew Jeffery``` 111*e310dd91SPatrick Williams 11269419bafSAndrew JefferyFile: The PEM file containing both certificate and private key. 11369419bafSAndrew Jeffery 11469419bafSAndrew Jeffery### Update LDAP root certificate 115*e310dd91SPatrick Williams 116*e310dd91SPatrick Williams```sh 11769419bafSAndrew Jefferyopenbmctool <connection options> certificate update authority ldap -f <File> 11869419bafSAndrew Jeffery``` 119*e310dd91SPatrick Williams 12069419bafSAndrew JefferyFile: The PEM file containing only certificate. 12169419bafSAndrew Jeffery 12269419bafSAndrew Jeffery### Delete HTTPS server certificate 123*e310dd91SPatrick Williams 124*e310dd91SPatrick Williams```sh 12569419bafSAndrew Jefferyopenbmctool <connection options> certificate delete server https 12669419bafSAndrew Jeffery``` 127*e310dd91SPatrick Williams 12869419bafSAndrew JefferyDeleting a certificate will create a new self-signed certificate and will 12969419bafSAndrew Jefferyinstall the same. 13069419bafSAndrew Jeffery 13169419bafSAndrew Jeffery### Delete LDAP client certificate 132*e310dd91SPatrick Williams 133*e310dd91SPatrick Williams```sh 13469419bafSAndrew Jefferyopenbmctool <connection options> certificate delete client ldap 13569419bafSAndrew Jeffery``` 13669419bafSAndrew Jeffery 13769419bafSAndrew Jeffery### Delete LDAP root certificate 138*e310dd91SPatrick Williams 139*e310dd91SPatrick Williams```sh 14069419bafSAndrew Jefferyopenbmctool <connection options> certificate delete authority ldap 14169419bafSAndrew Jeffery``` 142*e310dd91SPatrick Williams 14369419bafSAndrew JefferyDeleting the root certificate can cause an LDAP service outage. Please refer to 14469419bafSAndrew Jefferythe LDAP documentation before using this command. 14569419bafSAndrew Jeffery 14669419bafSAndrew Jeffery## BMC LDAP Configuration 14769419bafSAndrew Jeffery 148*e310dd91SPatrick WilliamsIn BMC, LDAP is used for remote authentication. BMC doesn't support remote 149*e310dd91SPatrick Williamsuser-management functionality. 15069419bafSAndrew Jeffery 15169419bafSAndrew JefferyBMC supports secure/non-secure LDAP configuration. 15269419bafSAndrew Jeffery 15369419bafSAndrew Jeffery### Create LDAP Configuration 15469419bafSAndrew Jeffery 15569419bafSAndrew Jeffery#### NonSecure 15669419bafSAndrew Jeffery 157*e310dd91SPatrick Williams```sh 158*e310dd91SPatrick Williamsopenbmctool.py <connection options> ldap enable --uri="ldap://<ldap server IP/hostname>" --bindDN=<bindDN> --baseDN=<basDN> --bindPassword=<bindPassword> --scope="sub/one/base" --serverType="OpenLDAP/ActiveDirectory" 15969419bafSAndrew Jeffery``` 160*e310dd91SPatrick Williams 16169419bafSAndrew JefferyNOTE: configuring FQDN (fully qualified domain name/ hostname) in the "uri" 16269419bafSAndrew Jefferyparameter requires that DNS server be configured on the BMC. 16369419bafSAndrew Jeffery 16469419bafSAndrew JefferyNOTE: Currently, openbmctool doesn't support configuring the DNS server on the 16569419bafSAndrew JefferyBMC. 16669419bafSAndrew Jeffery 16769419bafSAndrew Jeffery#### Secure 16869419bafSAndrew Jeffery 169*e310dd91SPatrick Williams```sh 170*e310dd91SPatrick Williamsopenbmctool.py <connection options> ldap enable --uri="ldaps://<ldap server IP/hostname>" --bindDN=<bindDN> --baseDN=<basDN> --bindPassword=<bindPassword> --scope="sub/one/base" --serverType="OpenLDAP/ActiveDirectory" 17169419bafSAndrew Jeffery``` 172*e310dd91SPatrick Williams 173*e310dd91SPatrick WilliamsNOTE: a) It is quite common to encounter the following error when running the 17469419bafSAndrew Jefferyopenbmctool.py command string shown above: 17569419bafSAndrew Jeffery 176*e310dd91SPatrick Williams`xyz.openbmc_project.Common.Error.NoCACertificate` 17769419bafSAndrew Jeffery 17869419bafSAndrew JefferyThis error means that the BMC client needs to verify that the LDAP server's 17969419bafSAndrew Jefferycertificate has been signed by a known CA. The service action would be for the 18069419bafSAndrew Jefferyadmin to upload the CA certificate to the BMC. 18169419bafSAndrew Jeffery 18269419bafSAndrew JefferyTo upload the CA certificate to the BMC, refer to the "Update LDAP root 18369419bafSAndrew Jefferycertificate" section of this document. 18469419bafSAndrew Jeffery 185*e310dd91SPatrick Williamsb) openbmctool doesn't support individual LDAP config property update, To update 186*e310dd91SPatrick Williamsa single property user need to recreate the LDAP config with the changed values. 18769419bafSAndrew Jeffery 18869419bafSAndrew Jeffery### Delete/Erase LDAP Configuration 18969419bafSAndrew Jeffery 190*e310dd91SPatrick Williams```sh 191*e310dd91SPatrick Williamsopenbmctool.py <connection options> ldap disable 19269419bafSAndrew Jeffery``` 193*e310dd91SPatrick Williams 19469419bafSAndrew JefferyNOTE: Make sure that root user is enabled before running the above command 19569419bafSAndrew Jefferyotherwise BMC would not be accessible. 19669419bafSAndrew Jeffery 197*e310dd91SPatrick WilliamsTo enable root user, refer to the "To re-enable all local user accounts" section 198*e310dd91SPatrick Williamsof this document. 19969419bafSAndrew Jeffery 20069419bafSAndrew JefferyCurrently openbmctool doesn't have support for specific user enablement. 20169419bafSAndrew Jeffery 20269419bafSAndrew Jeffery### Add privilege mapping 20369419bafSAndrew Jeffery 204*e310dd91SPatrick Williams```sh 20569419bafSAndrew Jefferyopenbmctool.py <connection options> ldap privilege-mapper create --groupName=<groupName> --privilege="priv-admin/priv-user" 20669419bafSAndrew Jeffery``` 20769419bafSAndrew Jeffery 20869419bafSAndrew Jeffery### Delete privilege mapping 20969419bafSAndrew Jeffery 210*e310dd91SPatrick Williams```sh 21169419bafSAndrew Jefferyopenbmctool.py <connection options> ldap privilege-mapper delete --groupName=<groupName> 21269419bafSAndrew Jeffery``` 21369419bafSAndrew Jeffery 21469419bafSAndrew Jeffery### List privilege mapping 21569419bafSAndrew Jeffery 216*e310dd91SPatrick Williams```sh 21769419bafSAndrew Jefferyopenbmctool.py <connection options> ldap privilege-mapper list 21869419bafSAndrew Jeffery``` 21969419bafSAndrew Jeffery 22069419bafSAndrew JefferyThe normal workflow for LDAP configuration would be as shown below 22169419bafSAndrew Jeffery 22269419bafSAndrew Jeffery- Configure the DNS server. 223*e310dd91SPatrick Williams- Configure LDAP. a) Configure CA certificate if secure LDAP server is being 224*e310dd91SPatrick Williams configured. b) Create LDAP Configuration with local user. 22569419bafSAndrew Jeffery- Configure user privilege. 22669419bafSAndrew Jeffery 22769419bafSAndrew JefferyNOTE: 22869419bafSAndrew Jeffery 22969419bafSAndrew Jefferya) If a user tries to login with LDAP credentials and has not added the 23069419bafSAndrew Jefferyprivilege mapping for the LDAP credentials then the user will get the following 23169419bafSAndrew Jefferyhttp error code and message. 23269419bafSAndrew Jeffery 23369419bafSAndrew Jeffery403, 'LDAP group privilege mapping does not exist'. 23469419bafSAndrew Jeffery 23569419bafSAndrew JefferyAction: Add the privilege (refer to the section "Add privilege mapping") 23669419bafSAndrew Jeffery 237*e310dd91SPatrick Williamsb) The following message may mean that the user lacks the required privileges on 238*e310dd91SPatrick Williamsthe BMC: "Insufficient Privilege" 23969419bafSAndrew Jeffery 24069419bafSAndrew JefferyAction: Add the privilege (refer to the section "Add privilege mapping") with 24169419bafSAndrew Jefferyprivilege=priv-admin 24269419bafSAndrew Jeffery 243*e310dd91SPatrick Williamsc) Once LDAP is set up, openbmctool connection options work with both LDAP and 244*e310dd91SPatrick Williamslocal users. 245