[pam]: Restrict local user auth to redfish grp Restrict bmcweb local user authentication to redfish group only. This change makes sure that user without having redfish group user is not authenticated to query the details, and login will fail. Tested: 1. Verified by removing the redfish group role for a valid user and confirmed redfish session establishment fails using postman. 2. This will not change the behavior for ldap user. Change-Id: I5e1b495028c8d143381bcc91cafd756a12ffb1d9 Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>

commit: d6d59a65c334f0040177ffb3ab87f9b512a72cad [log] [tgz]
author: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> Thu May 28 11:23:41 2020 +0530
committer: Ratan Gupta <ratagupt@linux.vnet.ibm.com> Mon Jun 08 12:24:34 2020 +0000
tree: 1ae64e30d048cd0b2fc5ffa41b41e8de30f3cbe4
parent: f8ede15e7ffc7ecc70429fa1ef53c13c95181910 [diff] [blame]
diff --git a/pam-webserver b/pam-webserver
index 473b922..a5e7af4 100644
--- a/pam-webserver
+++ b/pam-webserver

@@ -1,5 +1,8 @@
 #%PAM-1.0
 
 auth     include  common-auth
+# skip redfish group check for non-local user (ldap)
+auth     [success=ok perm_denied=1 default=ignore] pam_localuser.so
+auth     required pam_succeed_if.so user ingroup redfish
 account  include  common-account
 password include  common-password
commit	d6d59a65c334f0040177ffb3ab87f9b512a72cad	[log] [tgz]
author	Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>	Thu May 28 11:23:41 2020 +0530
committer	Ratan Gupta <ratagupt@linux.vnet.ibm.com>	Mon Jun 08 12:24:34 2020 +0000
tree	1ae64e30d048cd0b2fc5ffa41b41e8de30f3cbe4
parent	f8ede15e7ffc7ecc70429fa1ef53c13c95181910 [diff] [blame]