8. User management

This section describes how to conduct user management operations using the BMC command, GUI, REST and Redfish interfaces. In addition, the BMC supports integrations with an LDAP server.

8.1. BMC command line

You can manage users with the standard Linux commands useradd, userdel, usermod and passwd via SSH or a serial console.

8.2. GUI

The user management operations available in the GUI are described in Table 8.1. The GUI page is shown in Fig. 8.1.

Table 8.1 User management operations

  Command          Description
  ---------------  -----------------------------------------------------------
  List users       List users
  Create a user    Create a user with an OpenBMC role (administrator, user,
                   callback or operator)
  Delete a user    Delete the user from the system
  Edit a user      Edit the user properties

Fig. 8.1 GUI: user management operations (screenshot: _images/user_management.png)

8.3. REST API

You can perform user management operations through the REST interface, either by sending curl queries to the URI or by using the Graphcore openbmctool.py. Table 8.2 describes the commands available.

Table 8.2 User management using the REST interface

Command: list
Description: List users on the BMC

    $ curl -k https://<bmcip>/xyz/openbmc_project/user/list -u <bmcuser>:<bmcpass>
    $ python3 openbmctool.py -H <bmcip> -U <bmcuser> -P <bmcpass> local_users queryenabled

8.4. IPMI

No user management operations are available via IPMI.

8.5. Redfish

You can perform user management through the Redfish interface, either by sending curl queries or by browsing to the URI in a web browser.

User management operations can be found in the AccountService collection available at https://<bmcip>/redfish/v1/AccountService. Table 8.3 describes the commands available.

Table 8.3 User management using the Redfish interface

Command: Users list
Description: List users available on the BMC.

    $ curl -k https://<bmcip>/redfish/v1/AccountService/Accounts -u <bmcuser>:<bmcpass>

Example output from the command is shown below, followed by a screenshot of the same endpoint opened in a web browser.

$ curl -k https://<bmcip>/redfish/v1/AccountService/Accounts -u <bmcuser>:<bmcpass>
{
  "@odata.context": "/redfish/v1/$metadata#ManagerAccountCollection.ManagerAccountCollection",
  "@odata.id": "/redfish/v1/AccountService/Accounts",
  "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
  "Description": "BMC User Accounts",
  "Members": [
    {
      "@odata.id": "/redfish/v1/AccountService/Accounts/root"
    }
  ],
  "Members@odata.count": 1,
  "Name": "Accounts Collection"
}

Redfish: user management in the browser (screenshot: _images/user_management_redfish.png)
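As an added example (not from the page or the OpenBMC project), the script below fetches the same Redfish collection over a verified TLS connection and audits the ManagerAccount resources behind it; the function names are our own and the sample JSON it runs on is constructed.

```python
import base64
import json
import ssl
import urllib.request
from typing import Dict, List

# Added example, not from the page or the OpenBMC project: audit the accounts
# exposed under /redfish/v1/AccountService/Accounts. Function names are ours.

def fetch_json(base_url: str, path: str, user: str, password: str, cafile: str) -> dict:
    """GET one Redfish resource with basic auth; verifies the BMC cert (curl -k does not)."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def audit_accounts(collection: dict, accounts: Dict[str, dict]) -> List[str]:
    """`collection` is the ManagerAccountCollection, `accounts` maps each member
    @odata.id to its fetched ManagerAccount. Returns findings as strings."""
    findings: List[str] = []
    members = [m["@odata.id"] for m in collection.get("Members", [])]
    if collection.get("Members@odata.count") != len(members):
        findings.append("Members@odata.count does not match the Members array")
    admins = []
    for oid in members:
        acct = accounts.get(oid)
        if acct is None:
            findings.append(f"{oid}: listed in the collection but not fetched")
            continue
        name = acct.get("UserName", oid.rsplit("/", 1)[-1])
        if acct.get("Enabled") and acct.get("RoleId") == "Administrator":
            admins.append(name)
        if acct.get("Locked"):
            findings.append(f"{name}: account is locked (failed-login lockout)")
    if len(admins) > 1:
        findings.append("more than one enabled Administrator: " + ", ".join(sorted(admins)))
    return findings

# Constructed sample shaped like the page's output (not captured from a BMC); the count is deliberately off by one.
SAMPLE_COLLECTION = {"@odata.id": "/redfish/v1/AccountService/Accounts", "Members@odata.count": 1,
    "Members": [{"@odata.id": "/redfish/v1/AccountService/Accounts/root"},
                {"@odata.id": "/redfish/v1/AccountService/Accounts/ops"}]}
SAMPLE_ACCOUNTS = {
    "/redfish/v1/AccountService/Accounts/root": {"UserName": "root", "RoleId": "Administrator", "Enabled": True, "Locked": False},
    "/redfish/v1/AccountService/Accounts/ops": {"UserName": "ops", "RoleId": "Administrator", "Enabled": True, "Locked": True},
}
```

Against a live BMC, call fetch_json for the collection and then once per member @odata.id, and pass both results to audit_accounts.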

8.6. LDAP integration

OpenBMC supports LDAP integration to both OpenLDAP and Active Directory servers.

You can set the LDAP configuration by using the busctl commands described in Table 8.4.

Table 8.4 Configure LDAP

Command: Enable LDAP
Description: Enable LDAP

    $ busctl set-property xyz.openbmc_project.Ldap.Config /xyz/openbmc_project/user/ldap/<ldaptype> xyz.openbmc_project.Object.Enable Enabled b true

    <ldaptype> can have the value "openldap" or "active_directory".

Command: Set LDAP server URI
Description: Set the LDAP server URI

    $ busctl set-property xyz.openbmc_project.Ldap.Config /xyz/openbmc_project/user/ldap/<ldaptype> xyz.openbmc_project.User.Ldap.Config LDAPServerURI s "<ldap_server_uri>"

    <ldaptype> can have the value "openldap" or "active_directory".

Command: Set LDAP search scope
Description: Set the LDAP search scope

    $ busctl set-property xyz.openbmc_project.Ldap.Config /xyz/openbmc_project/user/ldap/<ldaptype> xyz.openbmc_project.User.Ldap.Config LDAPSearchScope s "<ldap_search_scope>"

    <ldap_search_scope> is the fully qualified enum value, for example xyz.openbmc_project.User.Ldap.Config.SearchScope.sub for a subtree search.

Command: Set LDAP BindDN
Description: Set the LDAP bind DN

    $ busctl set-property xyz.openbmc_project.Ldap.Config /xyz/openbmc_project/user/ldap/<ldaptype> xyz.openbmc_project.User.Ldap.Config LDAPBindDN s "<ldap_binddn>"

    Example <ldap_binddn> string: "uid=testbind,ou=People,dc=domain,dc=test,dc=co"

Command: Set LDAP BindDN PW
Description: Set the LDAP bind DN password

    $ busctl set-property xyz.openbmc_project.Ldap.Config /xyz/openbmc_project/user/ldap/<ldaptype> xyz.openbmc_project.User.Ldap.Config LDAPBindDNPassword s "<ldap_binddn_pw>"

Command: Set LDAP BaseDN
Description: Set the LDAP base DN

    $ busctl set-property xyz.openbmc_project.Ldap.Config /xyz/openbmc_project/user/ldap/<ldaptype> xyz.openbmc_project.User.Ldap.Config LDAPBaseDN s "<ldap_base>"

    Example <ldap_base> string: "dc=domain,dc=test,dc=co"

Command: Set UserNameAttribute
Description: Set the LDAP attribute that holds the user name

    $ busctl set-property xyz.openbmc_project.Ldap.Config /xyz/openbmc_project/user/ldap/<ldaptype> xyz.openbmc_project.User.Ldap.Config UserNameAttribute s "<uattr>"

    Example <uattr> string: "uid"

To use a secure LDAP connection, you need to upload and install client and root certificate authority (CA) certificates on the BMC. You can do this using the commands in Table 8.5.

Table 8.5 Install certificates

Command: Install client cert
Description: Install the client certificate

    $ busctl call xyz.openbmc_project.Certs.Manager.Client.Ldap /xyz/openbmc_project/certs/client/ldap xyz.openbmc_project.Certs.Install Install s "<cert.pem>"

    If successful, the client certificate will be installed in /etc/nslcd/certs/cert.pem.

Command: Install Root CA cert
Description: Install the root CA certificate

    $ busctl call xyz.openbmc_project.Certs.Manager.Authority.Ldap /xyz/openbmc_project/certs/authority/ldap xyz.openbmc_project.Certs.Install Install s "<cacert.pem>"

    If successful, the CA certificate will be installed in /etc/ssl/certs/Root-CA.pem.
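An added example, not taken from the page or from OpenBMC, that turns the busctl calls of Tables 8.4 and 8.5 into one validated, ordered sequence for a single LDAP backend; the D-Bus service, object path, interface and property names are those listed above, while the function names and the input checks are our own.

```python
import subprocess
from typing import List

# Added example, not from the page or the OpenBMC project: emit the busctl calls
# of Tables 8.4 and 8.5 for one LDAP backend after validating the inputs.
# D-Bus names are from the page; the function names and checks are ours.

LDAP_SERVICE = "xyz.openbmc_project.Ldap.Config"
CONFIG_IFACE = "xyz.openbmc_project.User.Ldap.Config"
SCOPE_PREFIX = CONFIG_IFACE + ".SearchScope."  # page shows "sub"; "one" and "base" are the other enum values

def ldap_config_commands(ldaptype: str, server_uri: str, base_dn: str, bind_dn: str,
                         bind_pw: str, user_attr: str = "uid", scope: str = "sub",
                         client_cert: str = "", ca_cert: str = "") -> List[List[str]]:
    """Return the ordered argv lists; raises ValueError on an inconsistent request."""
    if ldaptype not in ("openldap", "active_directory"):
        raise ValueError("ldaptype must be 'openldap' or 'active_directory'")
    if not server_uri.startswith(("ldap://", "ldaps://")):
        raise ValueError("server_uri must start with ldap:// or ldaps://")
    if scope not in ("sub", "one", "base"):
        raise ValueError("scope must be sub, one or base")
    if server_uri.startswith("ldaps://") and not ca_cert:
        raise ValueError("ldaps:// needs a root CA certificate (Table 8.5) so the server can be verified")
    path = f"/xyz/openbmc_project/user/ldap/{ldaptype}"
    def setprop(prop: str, value: str) -> List[str]:
        return ["busctl", "set-property", LDAP_SERVICE, path, CONFIG_IFACE, prop, "s", value]
    cmds: List[List[str]] = []
    # Certificates go in first so a TLS-protected bind works as soon as LDAP is enabled.
    if client_cert:
        cmds.append(["busctl", "call", "xyz.openbmc_project.Certs.Manager.Client.Ldap",
                     "/xyz/openbmc_project/certs/client/ldap", "xyz.openbmc_project.Certs.Install", "Install", "s", client_cert])
    if ca_cert:
        cmds.append(["busctl", "call", "xyz.openbmc_project.Certs.Manager.Authority.Ldap",
                     "/xyz/openbmc_project/certs/authority/ldap", "xyz.openbmc_project.Certs.Install", "Install", "s", ca_cert])
    cmds += [setprop("LDAPServerURI", server_uri), setprop("LDAPSearchScope", SCOPE_PREFIX + scope),
             setprop("LDAPBindDN", bind_dn), setprop("LDAPBindDNPassword", bind_pw),
             setprop("LDAPBaseDN", base_dn), setprop("UserNameAttribute", user_attr)]
    # Table 8.4 lists Enable first; here it is last so the backend never starts half-configured.
    cmds.append(["busctl", "set-property", LDAP_SERVICE, path,
                 "xyz.openbmc_project.Object.Enable", "Enabled", "b", "true"])
    return cmds

def apply_commands(cmds: List[List[str]], dry_run: bool = True) -> int:
    """Print (dry run) or execute each call on the BMC; argv lists avoid shell quoting."""
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)  # bind password is visible in ps while busctl runs
    return len(cmds)
```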

To map privileges from LDAP user groups to local user groups, use the commands in Table 8.6.

Table 8.6 Privilege mapping

Command: LDAP privilege map
Description: Map an LDAP group to a local privilege level

    $ python3 openbmctool.py -H <bmcip> -U <bmcuser> -P <bmcpass> \
        ldap privilege-mapper create -g <ldapgroup> -p {priv-admin/priv-user}

To display current LDAP configuration, use the commands in Table 8.7.

Table 8.7 LDAP configuration

Command: Display LDAP configuration
Description: Display the current LDAP configuration

    $ curl -b cjar -k https://<bmcip>/xyz/openbmc_project/user/ldap/enumerate -u <bmcuser>:<bmcpass>