|
|
Post by ratagupt on Mar 20, 2019 4:07:48 GMT
In the account service schema we have the following properties.
1) LDAP =>This property shall contain the first LDAP external account provider this AccountService supports. If the AccountService supports 1 or more LDAP services as an external account provider this entity must be populated by default. This entity shall not be present in the AdditionalExternalAccountProviders collection."
2) ActiveDirectory => This property shall contain the first ActiveDirectory external account provider this AccountService supports. If the AccountService supports 1 or more ActiveDirectory services as an external account provider this entity must be populated by default. This entity shall not be present in the AdditionalExternalAccountProviders collection."
3) AdditionalExternalAccountProviders: This property shall contain an additional external account providers this AccountService is using.
Each of the above property is of type of ExternalAccountProvider, External Account Provider is having the following sub property(AccountProviderType) which can be any of the following values
ActiveDirectoryService: "An external Active Directory Service."
LDAPService: generic external LDAP Service.
When we have the AccountProviderType which tells that which provider type it is then why do we need two Properties(LDAP/ActiveDirectory)?
This creates the confusion for the users, If user goes and do the PATCH under LDAP property and say account provider type is "ActiveDirectoryService".
My proposal is we should have one of the property(LDAP) and the AdditionalExternalAccountProviders which supports additional server configuration, No need for property ActiveDirectory.
By doing this still we an support the following use cases.
Mutiple different LDAP servers/ same LDAP servers (LDAP/AD) (LDAP/LDAP) (LDAP/LDAP/AD) ....etc.
Suppose if implementation wants to configure mutiple LDAP servers(openldap, active directory)
LDAP : Account Provider Type(LDAPService) AdditionalExternalAccountProviders: Account Provider Type(ActiveDirectoryService).
Ratan
|
|
|
|
Post by jautor on Mar 22, 2019 16:35:15 GMT
When we have the AccountProviderType which tells that which provider type it is then why do we need two Properties(LDAP/ActiveDirectory)? This creates the confusion for the users, If user goes and do the PATCH under LDAP property and say account provider type is "ActiveDirectoryService".
The LDAP and ActiveDirectory objects within AccountService are there to deal with the "normal" case of having a single LDAP/AD instance per Redfish Service. Multiple LDAP/AD instances is a rare case - but we wanted to be able to support that. However, the primary use case here is to support a single LDAP/AD instance, and to make it easy for "bare metal" deployment scripts to configure these settings such that they can perform simple PATCH operations. And that's why the LDAP/AD objects are there. The user can PATCH the AccountService with their LDAP/AD settings on every Redfish service they find using the same script. If we had left this to a normal Collection method (without creating special cases that would then need to be explained/discovered), a script would need to gather all Collection members to locate the primary LDAP service resource before PATCHing it. The best way to think of this support, for the vast majority of devices/implementations, is to ignore the "AdditionalExternalAccountProviders" link and collection - pretend it's not there - and just operate on the LDAP/AD objects in AccountService itself. And just know that if there was a case where your device needed to support multiple providers beyond an LDAP and AD instance, there is support for it in the model... Jeff |
|
|
|
Post by ratagupt on Mar 25, 2019 11:58:58 GMT
The LDAP and ActiveDirectory objects within AccountService are there to deal with the "normal" case of having a single LDAP/AD instance per Redfish Service. Multiple LDAP/AD instances is a rare case - but we wanted to be able to support that.
Having LDAP and ActiveDirectory as well as sub property AccountproviderType was confusing me.
Let's take other use case
1) user creates the configuration under LDAP property.
2) Now suppose user wants to change it to active directory but most of other parameters are same as the above configuration done in step 1.
Now what user would do
PATCH {"ActiveDirectory": {"with all the required properties"}}
Suppose in the above eg if the implementation supports one LDAP configuration at a time(OpenLDAP/AD/etc) and If user go with above patch request
Does the configuration under LDAP reset to empty as AD is being configured and the implementation supports one LDAP configuration at a time ?
On a side note I proposed my idea to align it with the rest of other schemas(EthernetInterface). There we have the IPv4StaticAddresses(array of ipv4Staticaddress), But I don't see special case there.
Am I missing something?
|
|
|
|
Post by ratagupt on Apr 3, 2019 3:51:39 GMT
The below query is not related to the above one.What should be the redfish implementation behaviour in the GET request of the AccountService. Suppose the implementation doesn't have any LDAP configuration and user does the GET request on the AccountService, What should the implementation show? 1) LDAP: {} ===> Empty JSON object 2) LDAP : fully bloated object(having all the supported properties with default values) ===> pastebin.com/ibX5nyAc (second test case in the given link). I am asking as if I return the empty json object(1) then redfish validator doesn't throw any failures and in second case also it doesn't throw any errors. |
|
|
|
Post by jautor on Apr 16, 2019 21:39:59 GMT
The below query is not related to the above one.What should be the redfish implementation behaviour in the GET request of the AccountService. Suppose the implementation doesn't have any LDAP configuration and user does the GET request on the AccountService, What should the implementation show? 1) LDAP: {} ===> Empty JSON object 2) LDAP : fully bloated object(having all the supported properties with default values) ===> pastebin.com/ibX5nyAc (second test case in the given link). I am asking as if I return the empty json object(1) then redfish validator doesn't throw any failures and in second case also it doesn't throw any errors. #2 is the correct answer for Redfish. We want to make sure that the capabilities of the Service are exposed - you should return all of your supported properties (especially those that are user-settable) so that the client knows they are supported. And yes, both of those would pass validation because none of those properties are required - but #2 is a much better answer for the user than #1. Jeff |
|
|
|
Post by ratagupt on Jun 4, 2019 12:30:38 GMT
Hi Jeff,
Can you verify the output for below query ?
curl -k -H "X-Auth-Token: $bmc_token" -X PATCH https://${BMC_IP}/redfish/v1/AccountService/ -D patch.txt -d '{"ActiveDirectory":{"ServiceEnabled":false, "ServiceAddresses": ["ldap://9.194.251.141/"],"Authentication": {"AuthenticationType":"UsernameAndPassword","Username": "cn=dvtuser,cn=Users,dc=Corp,dc=ibm,dc=com","Password": "india@123"}, "LDAPService": {"SearchSettings": {"BaseDistinguishedNames": ["dc=Corp,dc=ibm,dc=com"]}}}}'
{
"ActiveDirectory": {
"AccountProviderType": "ActiveDirectoryService",
"AccountProviderType@Redfish.AllowableValues": [
"ActiveDirectoryService"
],
"Authentication": {
"AuthenticationType": "UsernameAndPassword",
"AuthenticationType@Redfish.AllowableValues": [
"UsernameAndPassword"
],
"Password": "",
"Username": "cn=dvtuser,cn=Users,dc=Corp,dc=ibm,dc=com"
},
"LDAPService": {
"SearchSettings": {
"BaseDistinguishedNames": [
"dc=Corp,dc=ibm,dc=com"
],
"GroupsAttribute": "",
"UsernameAttribute": ""
}
},
"ServiceAddresses": [
"ldap://9.194.251.141/"
],
"ServiceEnabled": false
}
One of the query came that "LDAPService" is coming under Active Directory, Is it correct or not?
|
|
|
|
Post by jautor on Jun 4, 2019 18:49:35 GMT
No, that does not appear to be correct. The "LDAPService" and "ActiveDirectory" objects should be at the same level, not nested within... Please contact the vendor of the Service to see what's going on there.
Jeff
|
|
|
|
Post by ratagupt on Jun 7, 2019 1:30:02 GMT
No, that does not appear to be correct. The "LDAPService" and "ActiveDirectory" objects should be at the same level, not nested within... Please contact the vendor of the Service to see what's going on there. Jeff Jeff, seems to me that "LDAP" and "ActiveDirectory" objects should be at the same level. Both "LDAP" and "ActiveDirectory" is of type "ExternalAccountProvider" "ExternalAccountProvider" has property named "LDAPService", which is having further sub property "SearchSettings" which is used to tell that ldapserver/AD to how to do the search? so seems to me that both "LDAP" and "ActiveDirectory" should have the "LDAPService". Also running on the redfish validator doesn't throw the error. Can you please take a relook of the below output? curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${BMC_IP}/redfish/v1/AccountService/ { "@odata.context": "/redfish/v1/$metadata#AccountService.AccountService", "@odata.id": "/redfish/v1/AccountService", "@odata.type": "#AccountService.v1_3_1.AccountService", "AccountLockoutDuration": 0, "AccountLockoutThreshold": 0, "Accounts": { "@odata.id": "/redfish/v1/AccountService/Accounts" }, "ActiveDirectory": {
"AccountProviderType": "ActiveDirectoryService",
"AccountProviderType@Redfish.AllowableValues": [
"ActiveDirectoryService"
],
"Authentication": {
"AuthenticationType": "UsernameAndPassword",
"AuthenticationType@Redfish.AllowableValues": [
"UsernameAndPassword"
],
"Password": null,
"Username": ""
},
"LDAPService": {
"SearchSettings": {
"BaseDistinguishedNames": [
""
],
"GroupsAttribute": "",
"UsernameAttribute": ""
}
},
"ServiceAddresses": [
""
],
"ServiceEnabled": false
}, "Description": "Account Service", "Id": "AccountService", "LDAP": {
"AccountProviderType": "LDAPService",
"AccountProviderType@Redfish.AllowableValues": [
"LDAPService"
],
"Authentication": {
"AuthenticationType": "UsernameAndPassword",
"AuthenticationType@Redfish.AllowableValues": [
"UsernameAndPassword"
],
"Password": null,
"Username": "uid=sivasjxp,dc=ldap,dc=com"
},
"LDAPService": {
"SearchSettings": {
"BaseDistinguishedNames": [
"dc=ldap,dc=com"
],
"GroupsAttribute": "gidNumber",
"UsernameAttribute": "cn"
}
},
"ServiceAddresses": [
"ldap://9.126.172.69/"
],
"ServiceEnabled": false
}, "MaxPasswordLength": 20, "MinPasswordLength": 8, "Name": "Account Service", "Roles": { "@odata.id": "/redfish/v1/AccountService/Roles" }, "ServiceEnabled": true } =============================================================== If you still see that "LDAPService" can not be under "ActiveDirectory", How user can configure the "serachsettings" like rootDN(baseDistinguishedNames) for the LDAP server or groupNameattribute, usernameAttribute. |
|
|
|
Post by jautor on Jun 10, 2019 22:12:19 GMT
Jeff, seems to me that "LDAP" and "ActiveDirectory" objects should be at the same level. Both "LDAP" and "ActiveDirectory" is of type "ExternalAccountProvider" The LDAP and ActiveDirectory objects with AccountService share the same properties and definitions with the ExternalAccountProvider schema/resources, but they are defined separately. We deprecated the "AccountProviderType" property (in the LDAP and ActiveDirectory objects within AccountService) as that should not have been included... Yes, if you actually have multiple external account providers and therefore need to populate the ExternalAccountProvider collection... But we would expect in the vast majority of cases that your device can probably be configured using only the AccountService resource and the LDAP object. Yes, there may be cases in some implementations, I believe, of ActiveDirectory that you need those LDAPService parameters... A few things: 1) AccountProviderType under LDAP and ActiveDirectory was deprecated to remove the confusion/duplication. I would remove those properties for that reason. 2) @redfish.AllowableValues isn't useful for read-only properties 3) As above, if the LDAPService object and properties don't make sense within the ActiveDirectory object, you should omit them. Jeff |
|
|
|
Post by ratagupt on Jun 15, 2019 1:46:49 GMT
Jeff, Thanks for the quick reply. A few things: 1) AccountProviderType under LDAP and ActiveDirectory was deprecated to remove the confusion/duplication. I would remove those properties for that reason. That is gr8, it was really a confusion. 2) @redfish.AllowableValues isn't useful for read-only properties sure would remove that. 3) As above, if the LDAPService object and properties don't make sense within the ActiveDirectory object, you should omit them. Here I am confused, LDAPService is needed in the ActiveDirectory object as to define the search parameters(groupnameattribute,usernameattribute, RootDN(aka base distinguished names)), we don't have any other property under ActiveDiretory where we can map this data, Please let me know if we have something. As each LDAP(OpenLDAP/AD) server we need the following How we will define the rootDN for AD ===> which is equivalent of (LDAPService/SearchSettings/baseDistinguishedNames)? How we will define the username attribute/group attribute for AD which is needed? as in each ldap server(AD/Openldap) these attribute can be mapped to any other LDAP properties. If the propertyName(LDAPService) is confusing then we should have something like ActiveDirectoryService which is of as same type or the common name for both as this is required in both the services. |
|
