LocalAccountAuth design explaination | Redfish Specification Forum

AMI_archerwen
Guppy

Posts: 69

LocalAccountAuth design explaination Jun 4, 2020 12:49:17 GMT via mobile

Quote

Post by AMI_archerwen on Jun 4, 2020 12:49:17 GMT

Hi,

According LocalAccountAuth description in AccountService.v1_6_0 schema:
"LocalAccountAuth":
"Fallback": "The service authenticates users based on the Account Service-defined accounts collection only if any external account providers are currently unreachable."
"LocalFirst": "The service first authenticates users based on the Account Service-defined accounts collection. If authentication fails, the Service authenticates by using external account providers."

Question1:
If i created two account with same username but different password for external & local, like below.
Account Service-defined account :
Username: ADtest1, Password: Auto0001
External AD Account:
Username: ADtest1, Password: Auto0000

When i switch to "LocalFirst" and try to login ADtest1 with password like Auto0002, Auto0003...etc to locked the account.
When account locked, is External AD Account can access redfish?

Question2:
If Question1 answer is NO,
What is the real behavior for Fallback and LocalFirst?

Thanks,
Archer.

mraineri
Administrator

Posts: 1,050

LocalAccountAuth design explaination Jun 8, 2020 12:48:36 GMT

Quote

Post by mraineri on Jun 8, 2020 12:48:36 GMT

If the local account "ADtest1" is locked out, that will not impact the usage of the external account with the same name. What I would expect to happen is when the mode is set to "LocalFirst", it will first fail the authentication with the local account "ADtest1", and then proceed to attempt to authenticate with the external account providers.

mharishm
Minnow

Posts: 17

LocalAccountAuth design explaination Jun 12, 2020 9:22:34 GMT

Quote

Post by mharishm on Jun 12, 2020 9:22:34 GMT

mraineri

Thanks for your response.
Lets consider the username doesn't exist in external account and in redfish lets say "LocalAccountAuth" is "LocalFirst"
As you say irrespective of whether the local account is locked or not, to proceed to attempt to authenticate with the external account providers, we may never give up the response that the local account is locked to the user.

For example:
Suppose if username doesn't exist in external account or the password doesn't match both local or external account then even after reaching "AccountLockoutThreshold", redfish service may end up in not showing account locked response for local account because of allowing external account access.

Is it the expected behaviour? Can you please make us understand on this?

Thanks,
Harish

Last Edit: Jun 12, 2020 9:31:11 GMT by mharishm: Update

mraineri
Administrator

Posts: 1,050

LocalAccountAuth design explaination Jun 26, 2020 13:59:58 GMT

Quote

Post by mraineri on Jun 26, 2020 13:59:58 GMT

In terms of the messaging in that scenario, that would likely be entirely up to the policy for responses you need to implement. Some implementations might not want to expose any details about why the authentication failed. Others could respond with multiple messages (one per authentication mechanism), so in your example you could have two messages (one stating account locked, another for account not found). You could also prioritize your handling of the response, so in your scenario, the "locked" condition is a higher priority than the account not found externally.

In the end though, the user will get some sort of response, and regardless of the message, I would expect them to double check their credentials, and if that doesn't work, contact an administrator.