Update the user management design document

The user management design document is updated to include the LDAP
user account details.

Change-Id: Id1e8ae569f583edb801099979736e096672da271
Signed-off-by: RAJESWARAN THILLAIGOVINDAN <rajeswgo@in.ibm.com>
diff --git a/architecture/user_management.md b/architecture/user_management.md
index 12d4ddc..ac8e8c2 100644
--- a/architecture/user_management.md
+++ b/architecture/user_management.md
@@ -410,6 +410,39 @@
 ```
 
 
+## LDAP
+
+SSH, Redfish and Webserver interface allows the user to authenticate against an
+LDAP directory.  IPMI interface cannot be used to authenticate against LDAP,
+since IPMI needs the password in clear text at the time of session setup.
+
+In OpenBMC, PAM based authentication is implemented, so for both LDAP users and
+local users, the authentication flow is the same.
+
+For the LDAP user accounts, there is no LDAP attribute type that corresponds to
+the OpenBMC privilege roles. The preferred way is to group LDAP user accounts
+into LDAP groups. D-Bus API is provided for the user to assign privilege role
+to the LDAP group.
+
+## Authorization Flow
+
+This section explains how the privilege roles of the user accounts are
+consumed by the webserver interface. The privilege role is a property of the
+user D-Bus object for the local users. For the LDAP user accounts, the privilege
+role will be based on the LDAP group. The LDAP group to privilege role mapping
+needs to be configured prior to authenticating with the LDAP user accounts.
+
+1. Invoke PAM API for authenticating with user credentials. Proceed, if
+the authentication succeeds.
+2. Check if the user is a local user account. If the user account is local,
+fetch the privilege role from the D-Bus object and update the session
+information.
+3. If the user account is not local, read the group name for the user.
+4. Fetch the privilege role corresponding to the group name, update the session
+information with the privilege role.
+5. If there is no mapping for group name to privilege role, default to `user`
+privilege role for the session.
+
 ## Recommended Implementation
 1. As per IPMI spec the max user list can be 15 (+1 for NULL User). Hence
 implementation has to be done in such a way that no more than 15 users are
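Review bot: steps 3 and 4 of the Authorization Flow assume an LDAP user resolves to exactly one group name, but an LDAP account commonly belongs to several groups, and the hunk does not say which mapping wins when more than one of those groups has a privilege role assigned (possibly different roles). Suggest stating the precedence rule explicitly after step 4, for example "If the user belongs to more than one mapped group, the <highest|lowest> privilege role among them is applied.", and stating in the LDAP section whether the group-to-role D-Bus API allows the same group to be mapped twice. Step 5 also deserves one sentence on why an account whose group has no mapping is still granted the `user` role instead of being denied, since the paragraph above the list says the mapping "needs to be configured prior to authenticating with the LDAP user accounts". Minor: "SSH, Redfish and Webserver interface allows" should read "SSH, Redfish and Webserver interfaces allow".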