[et-mgmt-tools] Thoughts on Cobbler authorization/authentication and access levels in your organization?
Aaron Lippold
lippold at gmail.com
Tue Nov 27 22:41:56 UTC 2007
Hi,
Could http://www.freeipa.org/ offer up any quick wins?
Yours,
Aaron
On Nov 27, 2007 2:49 AM, Aaron Lippold <lippold at gmail.com> wrote:
> Hi,
>
> One of the features that would be good would be the abllity to
> intagrate with NSS. Fedora / RedHat Directory server etc. I think
> looking at mod_nss and the already existing pam, pam_pkcs11 etc would
> really expand overall enterprise usage, at least for my use. I think
> that usage of PAM, NSS, kerberos would provide a good baseline for the
> largest set of use cases. Just my thoughts.
>
> Yours,
>
> Aaron
>
>
> On Nov 26, 2007 4:51 PM, Michael DeHaan <mdehaan at redhat.com> wrote:
> > Jack Neely wrote:
> > > Michael,
> > >
> > > Here at NCSU I have an existing provisioning system that generates
> > > kickstarts based on a set of "keyword [value [value...]]" rules. We'd
> > > like to continue to use that as it works well for us...and it integrates
> > > with Cobbler well.
> > >
> > > So given that, admins already have the ability to control/alter their
> > > profiles in a defined way that scales well and lonely me can support.
> > >
> > > What I'd like from Cobbler is the ability for a select few admins (like
> > > me) to be able to setup all the bits to make Cobbler distros/profiles
> > > etc. work.
> > >
> > > Normal admins should be able to associate a MAC address with a profile
> > > and remove said MAC. Actually, it would be great if an admin could
> > > associate a hostname/IP address with a profile and Cobbler would run a
> > > plugin to translate that into a MAC.
> > >
> >
> > One of the things I thought about doing was creating a simpler page to
> > just edit a systems mapping.
> >
> > Login would work as before, but the page could be as simple as what you
> > mentioned above, a dropbox,
> > and an ok button. CLI equivalents should work too...
> > > Groups of admins as well. Any admin can modify MAC->profile of any
> > > other admin provided both are in the same group.
> > >
> > > Authentication via kerberos (PAM probably) authorization done by auto
> > > generated groups of admins (a plugin)?
> > >
> > Sounds reasonable.
> > > Okay...some half-baked ideas about how I see a workflow here. If you
> > > have questions please feel free.
> > >
> >
> > Thanks! I've got some good feedback so far, so I'll try to summarize
> > findings/plans shortly.
> > If anyone else wants to share their thoughts on how they'd ideally like
> > their site to work, please do.
> > > Jack Neely
> >
> > >
> >
> > _______________________________________________
> > et-mgmt-tools mailing list
> > et-mgmt-tools at redhat.com
> > https://www.redhat.com/mailman/listinfo/et-mgmt-tools
> >
>
More information about the et-mgmt-tools
mailing list