commit | 87f087b011ead155ebd5f506249527f09572b980 | [log] [tgz] |
---|---|---|
author | RAJESWARAN THILLAIGOVINDAN <rajeswgo@in.ibm.com> | Wed May 08 04:15:26 2019 -0500 |
committer | Andrew Jeffery <andrew@aj.id.au> | Tue Sep 10 06:04:49 2019 +0000 |
tree | 08074aa3f4de0d1c6db3a93bd323f4a493eb8bc7 | |
parent | 62db08a938e08debb4bc56c155238eb22a5a885c [diff] |
Interface changes in LDAP role mapper

In the existing code, role mapping was global. Hence, we could have one single config at a time. Now, with the changed backend, there can be multiple LDAP configs and the role mapping is tied to the config.

This commit makes sure openbmctool ldap configuration options are compatible with both redfish and non-redfish enabled OpenBMC systems.

Tested By:

1. Configuring ldap active directory configuration:

    $ python openbmctool.py -U root -P 0penBmc -H $BMC_IP ldap enable -a "ldap://$LDAP_SERVER/" -B "cn=user,cn=Users,dc=Corp,dc=xyz,dc=com" -b "dc=Corp,dc=xyz,dc=com" -p "ldap1" -S sub -t ActiveDirectory
    Attempting login...
    Role map exists for the server type ActiveDirectory
    User root has been logged out

2. View ldap configuration

    $ python openbmctool.py -U root -P 0penBmc -H $BMC_IP ldap view-config
    Attempting login...
    {
      "data": {
        "Enabled": true,
        "GroupNameAttribute": "primaryGroupID",
        "LDAPBaseDN": "dc=Corp,dc=xyz,dc=com",
        "LDAPBindDN": "cn=user,cn=Users,dc=Corp,dc=xyz,dc=com",
        "LDAPBindDNPassword": "",
        "LDAPSearchScope": "xyz.openbmc_project.User.Ldap.Config.SearchScope.sub",
        "LDAPServerURI": "ldap://$LDAP_SERVER/",
        "LDAPType": "xyz.openbmc_project.User.Ldap.Config.Type.ActiveDirectory",
        "UserNameAttribute": "sAMAccountName"
      },
      "message": "200 OK",
      "status": "ok"
    }

3. List privilege-mappings

    $ python openbmctool.py -U root -P 0penBmc -H $BMC_IP ldap privilege-mapper list
    Attempting login...
    {
      "data": {
        "/xyz/openbmc_project/user/ldap/active_directory/role_map/1": {
          "GroupName": "G1",
          "Privilege": "priv-admin"
        },
        "/xyz/openbmc_project/user/ldap/active_directory/role_map/2": {
          "GroupName": "G2",
          "Privilege": "priv-operator"
        },
        "/xyz/openbmc_project/user/ldap/active_directory/role_map/3": {
          "GroupName": "G3",
          "Privilege": "priv-user"
        }
      },
      "message": "200 OK",
      "status": "ok"
    }
    User root has been logged out

4. Disable LDAP

    $ python openbmctool.py -U root -P 0penBmc -H $BMC_IP ldap disable
    Attempting login...
    {
      "data": null,
      "message": "200 OK",
      "status": "ok"
    }
    User root has been logged out

5. Configure OpenLDAP

    $ python openbmctool.py -U root -P 0penBmc -H $BMC_IP ldap enable -a $LDAP_SERVER -B "cn=Administrator,dc=ldap,dc=com" -b "dc=ldap,dc=com" -p "ldap" -S sub -t OpenLDAP
    Attempting login...
    Server type OpenLDAP has been enabled. Create role map before using it...
    User root has been logged out

6. View LDAP configuration

    $ python openbmctool.py -U xyzjxp -P abc@123 -H $BMC_IP ldap view-config
    Attempting login...
    {
      "data": {
        "Enabled": true,
        "GroupNameAttribute": "gidNumber",
        "LDAPBaseDN": "dc=ldap,dc=com",
        "LDAPBindDN": "cn=Administrator,dc=ldap,dc=com",
        "LDAPBindDNPassword": "",
        "LDAPSearchScope": "xyz.openbmc_project.User.Ldap.Config.SearchScope.sub",
        "LDAPServerURI": $LDAP_SERVER,
        "LDAPType": "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap",
        "UserNameAttribute": "cn"
      },
      "message": "200 OK",
      "status": "ok"
    }

7. Create privilege role map

    $ python openbmctool.py -H $BMC_IP -U root -P 0penBmc ldap privilege-mapper create -g G3 -p priv-user
    Attempting login...
    legacy: False
    {
      "data": "/xyz/openbmc_project/user/ldap/openldap/role_map/1",
      "message": "200 OK",
      "status": "ok"
    }

8. List privilege role mappings

    $ python openbmctool.py -U test -P test@123 -H $BMC_IP ldap privilege-mapper list
    Attempting login...
    {
      "data": {
        "/xyz/openbmc_project/user/ldap/openldap/role_map/1": {
          "GroupName": "G3",
          "Privilege": "priv-user"
        }
      },
      "message": "200 OK",
      "status": "ok"
    }

    $ python openbmctool.py -U test -P test@123 -H $BMC_IP ldap view-config
    Attempting login...
    {
      "data": {
        "LDAPBaseDN": "dc=ldap,dc=com",
        "LDAPBindDN": "uid=test,dc=ldap,dc=com",
        "LDAPSearchScope": "xyz.openbmc_project.User.Ldap.Config.SearchScope.sub",
        "LDAPServerURI": $LDAP_SERVER,
        "LDAPType": "xyz.openbmc_project.User.Ldap.Config.Type.OpenLdap"
      },
      "message": "200 OK",
      "status": "ok"
    }

Change-Id: I4df361c229d742381fa6edcd77c125ad6556b20e
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
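Because role maps are now tied to a server type, a review of LDAP privileges has to group them by the type segment of the object path. The following is an added example, not code from this commit or from openbmctool: it groups a `privilege-mapper list` response by that segment and reports groups mapped to `priv-admin`, plus an enabled type that has no role map. The function names and the merged sample response are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample: role_map entries copied from the two list responses
# in the commit message and merged into one "data" object.
SAMPLE = json.dumps({"status": "ok", "message": "200 OK", "data": {
    "/xyz/openbmc_project/user/ldap/active_directory/role_map/1":
        {"GroupName": "G1", "Privilege": "priv-admin"},
    "/xyz/openbmc_project/user/ldap/active_directory/role_map/2":
        {"GroupName": "G2", "Privilege": "priv-operator"},
    "/xyz/openbmc_project/user/ldap/openldap/role_map/1":
        {"GroupName": "G3", "Privilege": "priv-user"},
}})

ROLE_MAP_PATH = re.compile(r"^/xyz/openbmc_project/user/ldap/([^/]+)/role_map/\d+$")
# LDAPType suffix -> object-path segment, as the two appear together on the page.
TYPE_TO_SEGMENT = {"ActiveDirectory": "active_directory", "OpenLdap": "openldap"}


def group_role_maps(response_text):
    """Return {server_type_segment: {group_name: privilege}}."""
    body = json.loads(response_text)
    if body.get("status") != "ok":
        raise ValueError("BMC returned %r" % body.get("message"))
    by_type = {}
    for path, entry in (body.get("data") or {}).items():  # "data" may be null
        match = ROLE_MAP_PATH.match(path)
        if match:  # skip objects that are not per-config role maps
            groups = by_type.setdefault(match.group(1), {})
            groups[entry["GroupName"]] = entry["Privilege"]
    return by_type


def audit(by_type, ldap_type):
    """List findings for the LDAPType value reported by view-config."""
    findings = []
    segment = TYPE_TO_SEGMENT.get(ldap_type.rsplit(".", 1)[-1])
    if segment is None:
        findings.append("unrecognised LDAPType %s" % ldap_type)
    elif not by_type.get(segment):
        findings.append("enabled type %s has no role map" % segment)
    for stype in sorted(by_type):
        for group, priv in sorted(by_type[stype].items()):
            if priv == "priv-admin":
                note = "" if stype == segment else " (not the enabled type)"
                findings.append("%s: group %s maps to priv-admin%s" % (stype, group, note))
    return findings
```
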
The goal of this repository is to collect the two-minute hacks you write to automate interactions with OpenBMC systems.
It's highly likely the scripts don't meet your needs - they could be undocumented, dysfunctional or utterly broken. Please help us improve!
Then this repository aims to be the default destination for your otherwise un-homed scripts. As such we are setting the bar for submission pretty low, and we aim to make the process as easy as possible.
openbmc-events
: Query error events on the target server

openbmc-sensors
: Query sensors on the target server

openbmc-sfw
: Manage host and BMC firmware images on the target server

openbmctool
: A general purpose tool for user interactions with OpenBMC

pretty-journal
: Convert journalctl's 'pretty' output to regular output

upload_and_update
: Upload a tarball to TFTP server and update BMC with it

netboot
: Painless netboot of BMC kernels

obmc-gerrit
: Automagically add reviewers to changes pushed to Gerrit

reboot
: Endlessly reboot OpenPOWER hosts

tracing
: Enable and clean up kernel tracepoints remotely

witherspoon-debug
: Deploy the debug tools tarball to Witherspoon BMCs

cla-signers
: Check if a contributor has signed the OpenBMC CLA

openbmc-autobump.py
: Update commit IDs in bitbake recipes to bring in new changes

Please use gerrit for all patches to this repository:
Do note that you will need to be party to the OpenBMC CLA before your contributions can be accepted. See Gerrit Setup and CLA for more information.
So long as your patches look sane with a cursory glance you can expect them to be applied. We may push back in the event that similar tools already exist or there are egregious issues.
We don't ask for much, but you need to give us at least a Signed-off-by, and put your work under the Apache 2.0 license. Licensing everything under Apache 2.0 will just hurt our heads less. Let's keep the lawyers off our backs. ^
^Any exceptions must be accompanied by a LICENSE file in the relevant subdirectory, and be compatible with Apache 2.0. You thought you would get away without any fine print?
There's no standard way to install the scripts housed in here, so adding parts of the repository to your PATH might be a bit of a dice-roll. We may also move or remove scripts from time to time as part of housekeeping. It's probably best to copy things out if you need stability.