HewlettPackard / python-redfish-utility

Python-based utility for interacting with devices supporting a Redfish Service

Unable to create custom local role maps #96

Closed danmsi closed 5 months ago

danmsi commented 6 months ago

Hi,

I'm trying to add some remote group against the server and it looks like there is a bug.

According to the doc (https://servermanagementportal.ext.hpe.com/docs/redfishclients/ilorest-userguide/ilocommands/#directory-command):

"To add custom local role maps include the ldap argument with the --addrolemap option with the form PrivNum1;PrivNum2;...:RemoteRoleGroup:OptionalSID. Numbers of privileges can be found in the help text."

Example from the site:

iLOrest > directory ldap --addrolemap "10;2;3:Another remote role:S-1-7-23"
Changing settings...
The operation completed successfully.
Updating privileges of created role maps...
The operation completed successfully.
Updated privileges for ANOTHERETSTT
The operation completed successfully.
Updated privileges for A TESTTT:S-1-7-23

And in 'ilorest directory ldap -h':

--addrolemap [ROLES ...], --removerolemap [ROLES ...]
Optionally add this flag to add or remove Role Mapping(s) for the LDAP and Kerberos services.
Remove EX: --removerolemap LocalRole1;LocalRole2
Add EX: --addrolemap "LocalRole1:RemoteGroup3;LocalRole2:RemoteGroup4 "
SID EX: --addrolemap "LocalRole1:RemoteGroup2;SID,LocalRole2:RemoteGroup5:SID
NOTE 1: Create a custom local role group (and subsequently assign to a role map)by adding the numbers associated with privilege(s) desired separated by a semicolon(;)
NOTE 2: SID is optional

So, trying to use it here, I'm not able to add it properly.

# ilorest directory ldap --addrolemap "1;2;3;4;5:CN=LinuxiLOAdmins,OU=bbbbb,OU=cccc,OU=ddddd,DC=xxxxx,DC=yyyyy,DC=com"
iLORest : RESTful Interface Tool version 4.8.0.0
Copyright (c) 2014-2024 Hewlett Packard Enterprise Development LP

usage: directory ldap [-h] [--enable [ENABLE ...]] [--addsearch [SEARCH ...]] [--serviceaddress SERVICEADDRESS] [--port PORT] [--addrolemap [ROLES ...]] [--enablelocalauth [LOCALAUTH ...]] [--authentication {DefaultSchema,ExtendedSchema}] [--url URL] [--sessionid SESSIONID] [-u USER] [-p PASSWORD] [-o LOGIN_OTP] [--biospassword BIOSPASSWORD] [--https HTTPS_CERT] [--usercert USER_CERTIFICATE] [--userkey USER_ROOT_CA_KEY] [--userpassphrase USER_ROOT_CA_PASSWORD] [--includelogs] [--path PATH] [--force_vnic] [--logout] [-j] [USERNAME] [PASSWORD]
directory ldap: error: Supply roles to add in form : Error:

It only works using the local roles:

ReadOnly/Operator/Administrator

See below:

# ilorest directory ldap --addrolemap "Operator:CN=LinuxiLOAdmins,OU=bbbbb,OU=cccc,OU=ddddd,DC=xxxxx,DC=yyyyy,DC=com"
iLORest : RESTful Interface Tool version 4.8.0.0
Copyright (c) 2014-2024 Hewlett Packard Enterprise Development LP

Changing settings... The operation completed successfully.

rajkumar14 commented 5 months ago

@danmsi This is in our upcoming release build 4.9.0.0; once released, you can verify.

rajkumar14 commented 5 months ago

4.9.0.0 Released.
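
The role-map form quoted from the documentation in this issue (PrivNum1;PrivNum2;...:RemoteRoleGroup:OptionalSID) can be checked before it is handed to the tool, so a directory group is not mapped to privileges other than the ones intended. The parser below is an added example, not iLOrest's own code and not its fix; `parse_rolemap`, `PREDEFINED_ROLES` and the SID pattern are assumptions made for illustration, and privilege numbers are only checked for being positive integers.

```python
import re

# Predefined local roles named in the issue; any other first field must be a
# semicolon-separated list of privilege numbers (valid range not checked here).
PREDEFINED_ROLES = {"ReadOnly", "Operator", "Administrator"}
SID_RE = re.compile(r"^S-\d+(?:-\d+)+$")       # assumed shape of the optional SID
PRIV_RE = re.compile(r"^[1-9][0-9]*$")


def parse_rolemap(arg):
    """Parse 'Role-or-PrivNums:RemoteRoleGroup[:SID]' into a dict."""
    local, sep, rest = arg.strip().partition(":")
    if not sep or not local or not rest:
        raise ValueError("expected LocalRole:RemoteGroup[:SID]")

    # Only a trailing field that looks like a SID is treated as one, so a
    # remote group that is an LDAP DN (commas, '=') is kept whole.
    group, sid = rest, None
    head, sep, tail = rest.rpartition(":")
    if sep and SID_RE.match(tail):
        group, sid = head, tail
    if not group.strip():
        raise ValueError("remote group is empty")

    if local in PREDEFINED_ROLES:
        return {"role": local, "privileges": None, "group": group, "sid": sid}

    privileges = []
    for item in local.split(";"):
        if not PRIV_RE.match(item):
            raise ValueError(f"not a privilege number or known role: {item!r}")
        if int(item) not in privileges:        # drop repeated numbers
            privileges.append(int(item))
    return {"role": None, "privileges": privileges, "group": group, "sid": sid}


if __name__ == "__main__":
    # Arguments taken from the issue text; the DN is the reporter's redacted one.
    dn = "CN=LinuxiLOAdmins,OU=bbbbb,OU=cccc,OU=ddddd,DC=xxxxx,DC=yyyyy,DC=com"
    for sample in (f"1;2;3;4;5:{dn}", f"Operator:{dn}",
                   "10;2;3:Another remote role:S-1-7-23"):
        print(parse_rolemap(sample))
```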