Closed leocheng-tw closed 3 years ago
This is likely a bug with phosphor-user-manager, or its interactions with PAM. Can you please capture a dbus monitor log of the events around this and (likely) file a bug with phosphor-user-manager?
I saved the output of busctl introspect. I'm not sure if this is the information you want or not. wp_busctl_introspect.txt
The dbus monitor log (busctl monitor) is attached. 20210122_wp_dbus_monitor_2.txt
@ratagupt Blame shows you authored the user enable/disable code, can you reproduce the above?
In phosphor-user-manager, if a user is disabled, the expiry date would be "1970-01-02". We changed the BMC to the current date and the user could not send Redfish requests. I'll close this issue, thanks for the help.
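As an added example (not code from this issue, bmcweb or phosphor-user-manager), here is a small Python model of the account-expiry check that the closing comment above points at. It assumes that disabling a user sets the account's shadow expiry to 1970-01-02 (day 1 since the epoch, as stated above), that pam_unix rejects the account only once the current day number reaches sp_expire (modelled on its check_shadow_expiry logic; this is my reading of pam_unix, not something the thread states), and that a BMC whose clock has not yet been synchronised reports a time in 1970. The shadow lines, hashes and clock values are constructed. With the clock at the epoch a "disabled" account is not yet expired and the account check passes; with a correct date it is rejected, which matches the date change that resolved this issue.

```python
# Added example, not code from bmcweb or phosphor-user-manager: a model of the
# shadow account-expiry check that decides whether a "disabled" BMC user can
# still authenticate. Assumptions: disabling a user sets sp_expire to
# 1970-01-02 (from the thread), pam_unix treats the account as expired once
# the current day number reaches sp_expire (modelled on check_shadow_expiry),
# and an unsynchronised BMC clock can sit near the epoch.
from datetime import date, datetime, timezone

EPOCH = date(1970, 1, 1)

# Constructed /etc/shadow lines (hashes are placeholders, not real hashes).
# The 8th colon-separated field is sp_expire in days since 1970-01-01;
# an empty field means the account never expires.
ENABLED_SHADOW_LINE = "user_1:$6$saltsalt$placeholderhash:18649:0:99999:7:::"
DISABLED_SHADOW_LINE = "user_1:$6$saltsalt$placeholderhash:18649:0:99999:7::1:"


def at_utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC clock value for the checks below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed clock values: a BMC before time sync, and one with the real date.
EPOCH_CLOCK = at_utc(1970, 1, 1, 0, 5)
REAL_CLOCK = at_utc(2021, 1, 22)


def usermod_date_to_days(yyyy_mm_dd: str) -> int:
    """Convert a `usermod -e YYYY-MM-DD` argument to the sp_expire day number."""
    return (date.fromisoformat(yyyy_mm_dd) - EPOCH).days


def parse_shadow_expire(shadow_line: str) -> int:
    """Return sp_expire from one shadow line, or -1 when the field is empty."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("malformed shadow line: %r" % shadow_line)
    return int(fields[7]) if fields[7] else -1


def current_days(now: datetime) -> int:
    """Days since the epoch the way PAM computes them: time(NULL) / 86400."""
    if now.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return int(now.timestamp()) // 86400


def account_expired(expire_days: int, now: datetime) -> bool:
    """pam_unix-style test: expired iff sp_expire is set and today >= sp_expire."""
    return expire_days != -1 and current_days(now) >= expire_days


def can_authenticate(shadow_line: str, now: datetime) -> bool:
    """True when the account-expiry check would let this user in at time `now`."""
    return not account_expired(parse_shadow_expire(shadow_line), now)


if __name__ == "__main__":
    print("disable sets sp_expire =", usermod_date_to_days("1970-01-02"))
    for label, clock in (("epoch clock", EPOCH_CLOCK), ("real clock", REAL_CLOCK)):
        print("%-11s disabled user passes account check: %s"
              % (label, can_authenticate(DISABLED_SHADOW_LINE, clock)))
```

The practical check this suggests on a BMC showing this symptom is to compare `date` on the BMC against the expiry field in /etc/shadow for the disabled user: if the clock reads 1970-01-01, day 0 is still before the day-1 expiry and the account is live until time is synchronised.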
Hi Teams,
I reproduced this issue.
Create a Redfish user with any privilege, but it should not be enabled.
curl -u root: -k -X POST https://${bmc}/redfish/v1/AccountService/Accounts/ -d '{"UserName":"user_1", "Password":"TestPwd123", "RoleId":"Operator", "Enabled":false}'
{
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_0_0.Message",
"Message": "The resource has been created successfully",
"MessageArgs": [],
"MessageId": "Base.1.4.0.Created",
"Resolution": "None",
"Severity": "OK"
}
]
}
Check the created user.
curl -u root: -k -X GET https://${bmc}/redfish/v1/AccountService/Accounts/user_1
{
"@odata.id": "/redfish/v1/AccountService/Accounts/user_1",
"@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
"AccountTypes": [
"Redfish"
],
"Description": "User Account",
"Enabled": false,
"Id": "user_1",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Operator"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "Operator",
"UserName": "user_1"
}
Try to send a request with the created user.
curl -u user_1:TestPwd123 -k -X GET https://${bmc}/redfish/v1/AccountService/Accounts/user_1
{
"@odata.id": "/redfish/v1/AccountService/Accounts/user_1",
"@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
"AccountTypes": [
"Redfish"
],
"Description": "User Account",
"Enabled": false,
"Id": "user_1",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Operator"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "Operator",
"UserName": "user_1"
}
Though the user is not enabled, it can still log in and send Redfish requests.