Remove default LDAP privilege role
Currently, when there is no privilege role map matching the LDAP user,
the LDAP user gets the priv-user (read-only) privilege for Redfish sessions, which
is considered a security concern since by default all LDAP users are able
to log in to the BMC GUI and Redfish sessions.
This commit removes the default priv-user (read-only) privilege for LDAP
users when there is no matching privilege role.
Tested By:
Redfish session creation fails for LDAP users when there is no matching
privilege role map.
Change-Id: I5247ce53577ecdf27f41bc4e2a3d1947d093874b
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
diff --git a/user_mgr.cpp b/user_mgr.cpp
index 6b31208..0029326 100644
--- a/user_mgr.cpp
+++ b/user_mgr.cpp
@@ -1310,16 +1310,11 @@
}
}
- if (!userPrivilege.empty())
+ if (userPrivilege.empty())
{
- userInfo.emplace("UserPrivilege", userPrivilege);
+ lg2::warning("LDAP group privilege mapping does not exist");
}
- else
- {
- lg2::warning("LDAP group privilege mapping does not exist, "
- "default \"priv-user\" is used");
- userInfo.emplace("UserPrivilege", "priv-user");
- }
+ userInfo.emplace("UserPrivilege", userPrivilege);
}
catch (const std::bad_variant_access& e)
{
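Review bot: with `userInfo.emplace("UserPrivilege", userPrivilege);` moved below the `if`, an empty string is now emplaced as the privilege whenever no LDAP group mapping exists, so every consumer of this user-info map must treat an empty "UserPrivilege" as "no access" rather than as a default role; the hunk itself does not show that contract being enforced anywhere, and the commit message only reports that Redfish session creation fails. Consider either rejecting the lookup explicitly here (e.g. throwing the same kind of error the surrounding `catch` blocks handle) or, at minimum, extending the `lg2::warning` to say that the user will be returned without any privilege so the denial is visible in the journal, and documenting in the commit message that callers rely on the empty-string value.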