Add LDAP feature support #16969

davidpil2002 · 2023-10-23T13:05:19Z

Why I did it

To support LDAP feature

Work item tracking

Microsoft ADO (number only):

How I did it

Similar to Radius/Tacacs authentication methods, the SONiC device is the LDAP client.
Installed the Debian LDAP packages related to making SONiC able to function as an LDAP client.

More description in the following HLD:
sonic-net/SONiC#1487

How to verify it

Do LDAP configuration according to the HLD, then connect to the SONiC switch by using a user that exists in your LDAP server.

Which release branch to backport (provide reason below if selected)

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

YANG Schema can be found attached in the HLD as well.

A picture of a cute animal (not mandatory but encouraged)

liat-grozovik · 2023-12-14T09:50:01Z

@lguohan who should review and provide feedback?

qiluo-msft · 2023-12-15T00:30:08Z

@a-barboza Could you also help review this PR?

src/sonic-yang-models/yang-models/sonic-system-ldap.yang

files/build_templates/sonic_debian_extension.j2

src/sonic-yang-models/yang-models/sonic-system-ldap.yang

shdasari · 2023-12-18T09:14:46Z

yang-model tests are missing for LDAP, please add the same.

davidpil2002 · 2023-12-27T06:51:13Z

error look not related to the new code.
rerunning:
/azpw run Azure.sonic-buildimage

davidpil2002 · 2023-12-27T06:51:38Z

/azpw run Azure.sonic-buildimage

mssonicbld · 2023-12-27T06:51:40Z

/AzurePipelines run Azure.sonic-buildimage

azure-pipelines · 2023-12-27T06:51:53Z

Azure Pipelines successfully started running 1 pipeline(s).

davidpil2002 · 2023-12-27T06:52:02Z

yang-model tests are missing for LDAP, please add the same.

DONE

davidpil2002 · 2023-12-27T06:53:59Z

All comments was answered,
pls can you re-review/approve?
@shdasari @asha-behera @a-barboza @madhupalu

fastiuk · 2024-01-29T12:40:55Z

@a-barboza , could you please review? I saw you did HLD review as well

qiluo-msft · 2024-03-23T23:50:28Z

files/build_templates/sonic_debian_extension.j2

@@ -272,6 +272,19 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/sonic-device-data_*.deb || \
 # package for supporting password hardening
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install libpam-pwquality

+# Install pam-ldap, nss-ldap, ldap-utils


Install

Suggest to add build time config, so deployers not using LDAP could reduce image size, and reduce the security concerns.

Why should this be different than radius/tacacs? Why show different approaches for a feature in the same domain?

liat-grozovik · 2024-05-06T06:09:39Z

/azpw run Azure.sonic-buildimage

liat-grozovik

offline discussion confirms PR has no additional comments and thus can be merged.
if more comments will be provided after the merge it will be discussed and considered if change is required.

davidpil2002 requested a review from lguohan as a code owner October 23, 2023 13:05

davidpil2002 mentioned this pull request Oct 23, 2023

Add LDAP HLD sonic-net/SONiC#1487

Merged

davidpil2002 force-pushed the dev-add-ldap-support branch from 3593baf to c1cc33c Compare October 24, 2023 08:14

davidpil2002 requested a review from qiluo-msft as a code owner October 30, 2023 10:01

davidpil2002 mentioned this pull request Nov 7, 2023

Add LDAP feature support sonic-net/sonic-host-services#80

Merged

davidpil2002 force-pushed the dev-add-ldap-support branch 3 times, most recently from e34d037 to d3ac900 Compare December 3, 2023 10:22

qiluo-msft requested review from liuh-80 and madhupalu December 15, 2023 00:28

madhupalu reviewed Dec 15, 2023

View reviewed changes

src/sonic-yang-models/yang-models/sonic-system-ldap.yang Outdated Show resolved Hide resolved

src/sonic-yang-models/yang-models/sonic-system-ldap.yang Outdated Show resolved Hide resolved

src/sonic-yang-models/yang-models/sonic-system-ldap.yang Outdated Show resolved Hide resolved

a-barboza suggested changes Dec 15, 2023

View reviewed changes