Implement default LDAP privilege role
According to OpenBMC documentation[1], "if there is no mapping for
group name to privilege role, default to user privilege role for the
session", meaning that LDAP users should have "priv-user" assigned
when there is no mapping entry matched.
[1] https://github.com/openbmc/docs/blob/master/architecture/user-management.md#authorization-flow
Tested:
* Configure LDAP with empty RemoteRoleMapping in redfish, then login
BMC with an LDAP account, verified it has User privilege.
* Change the primary group of user from a group without mapping to one
mapped to Admin privilege on remote LDAP server, confirmed the user
is mapped to priv-admin in BMC.
Change-Id: I374732f2895f40a671225ec0d1fafd7e4ae27dea
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@intel.com>
diff --git a/test/user_mgr_test.cpp b/test/user_mgr_test.cpp
index 8de2893..3a07fda 100644
--- a/test/user_mgr_test.cpp
+++ b/test/user_mgr_test.cpp
@@ -160,7 +160,7 @@
EXPECT_CALL(mockManager, isGroupMember(_, _, _)).Times(0);
userInfo = mockManager.getUserInfo(userName);
EXPECT_EQ(true, std::get<bool>(userInfo["RemoteUser"]));
- EXPECT_EQ("", std::get<std::string>(userInfo["UserPrivilege"]));
+ EXPECT_EQ("priv-user", std::get<std::string>(userInfo["UserPrivilege"]));
}
TEST(GetCSVFromVector, EmptyVectorReturnsEmptyString)
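Review bot: this hunk only updates the expectation for the no-mapping path (the `EXPECT_EQ("priv-user", ...)` line), so the mapped-group path that the second manual test in the commit message exercises has no unit test coverage; consider adding a sibling test in which a group mapping does exist and assert that `UserPrivilege` carries the mapped role rather than the default, so both branches of the new `if (!userPrivilege.empty())` / `else` logic are checked. The literal `"priv-user"` here also duplicates the literal in `user_mgr.cpp`; if a shared constant for the default privilege is introduced, the test should compare against it so the two cannot drift apart.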
diff --git a/user_mgr.cpp b/user_mgr.cpp
index f4a90ec..e085b28 100644
--- a/user_mgr.cpp
+++ b/user_mgr.cpp
@@ -1302,11 +1302,16 @@
}
}
- if (userPrivilege.empty())
+ if (!userPrivilege.empty())
{
- log<level::ERR>("LDAP group privilege mapping does not exist");
+ userInfo.emplace("UserPrivilege", userPrivilege);
}
- userInfo.emplace("UserPrivilege", userPrivilege);
+ else
+ {
+ log<level::WARNING>("LDAP group privilege mapping does not "
+ "exist, default \"priv-user\" is used");
+ userInfo.emplace("UserPrivilege", "priv-user");
+ }
}
catch (const std::bad_variant_access& e)
{
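Review bot: the default role is a bare string literal (`userInfo.emplace("UserPrivilege", "priv-user");`) and is repeated inside the log text; a named constant for the default privilege would keep the implementation, the log message and the test in step and make the fallback easy to locate. Since a silent fallback to a lower privilege is exactly the kind of event an operator wants to correlate with a login, it would also help to include which account (and, if available in this scope, which LDAP group) triggered the fallback in the `log<level::WARNING>` call, rather than the fixed message alone. The downgrade from `ERR` to `WARNING` is appropriate now that the behaviour is an intended default rather than a failure.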