Michael DeHaan wrote:

So today (Many thanks to Vito Laurenza and Simo Sorce), Cobbler is
getting pretty close to being able to auth the WebUI and XMLRPC
requests against LDAP (in fact, it works in git now), as opposed to
the default method of having users/passwords in a digest file. It's
using TLS and all that good stuff. I have early instructions up
here: https://fedorahosted.org/cobbler/wiki/CobblerWithLdap -- this
is something quite a few people have requested, so it should be nice
to have.

In the simplest LDAP configuration (the default configuration does not
use/require LDAP), LDAP will provide authentication for web interface
users plus users of the XMLRPC API, with final authorization access
(yes/no) coming from whether the users are listed in
/etc/cobbler/users.conf.

(Kerberos is already supported, but rather roughly, so I'm still
looking to clean that up.)

After that is complete, we can work on adding the much requested
concept of object ownership -- i.e. "Alice can edit her own created
objects, Bob can edit his, and Admins can edit both". How we do that
is still TBD though it should be reasonably simple.

So once we roll out 0.9.X/1.0, the available authentication modes will
be:

configfile (digest, which is the default), ldap, kerberos

And the available authentication modes will be:

allowall (which is the default), configfile (users list), ownership

Comments/questions/ideas welcome... I will also update the Web UI
docs with further pointers to these docs as this becomes available for
testing.

I know others have mentioned further integration with LDAP in their
infrastructure, so if that's important, please share details as to
what you are looking for. I also have an RFE to consider LDB for
storing cobbler configurations, which could prove interesting as an
option to what we have now for storage (yaml or bsddb) -- this could
further help with LDAP integration if it makes sense.

--Michael
_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/et-mgmt-tools

I've updated this with some more information on the authorization
options... Ownership and simple Config File based
authorization are now implemented in git on the devel branch.

https://fedorahosted.org/cobbler/wiki/CustomizableAuthorization

I've also updated the LDAP page somewhat.

In the coming days I'll work on making the WebUI make ownership more
obvious (as opposed to just raising exceptions), making the WebUI be
able to list/edit ownership, and also figuring out what to do when someone
wants to delete an object that your object depends on (a fun corner case
to be sure).

--Michael