[et-mgmt-tools] Cobbler 0.9.X/1.0 -- Integrating with Free IPA, Auth against LDAP, and Optional object ownership

Michael DeHaan mdehaan at redhat.com
Tue Mar 25 22:20:22 UTC 2008


So today (Many thanks to Vito Laurenza and Simo Sorce),  Cobbler is 
getting pretty close to being able to auth the WebUI and XMLRPC requests 
against LDAP (in fact, it works in git now), as opposed to the default 
method of having users/passwords in a digest file.   It's using TLS and 
all that good stuff.  I have early instructions up here:  
https://fedorahosted.org/cobbler/wiki/CobblerWithLdap -- this is 
something quite a few people have requested, so it should be nice to have.

In the simplest LDAP configuration (the default configuration does not 
use/require LDAP), LDAP will provide authentication for web interface 
users plus users of the XMLRPC API, with final authorization access 
(yes/no) coming from whether the users are listed in 
/etc/cobbler/users.conf.  

(Kerberos is already supported, but rather roughly, so I'm still looking 
to clean that up.)

After that is complete, we can work on adding the much requested concept 
of object ownership -- i.e. "Alice can edit her own created objects, Bob 
can edit his, and Admins can edit both".   How we do that is still TBD 
though it should be reasonably simple.

So once we roll out 0.9.X/1.0, the available authentication modes will be:

    configfile (digest, which is the default), ldap, kerberos

And the available authentication modes will be:

    allowall (which is the default),  configfile (users list), ownership

Comments/questions/ideas welcome...  I will also update the Web UI docs 
with further pointers to these docs as this becomes available for testing.

I know others have mentioned further integration with LDAP in their 
infrastructure, so if that's important, please share details as to what 
you are looking for.   I also have an RFE to consider LDB for storing 
cobbler configurations, which could prove interesting as an option to 
what we have now for storage (yaml or bsddb) -- this could further help 
with LDAP integration if it makes sense.

--Michael
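
The two-stage check the message describes (authenticate via digest/ldap/kerberos, then decide access with allowall, configfile or ownership), as an added example that is not part of the original post and is not Cobbler's code. All function names, the in-memory credential store standing in for an LDAP bind, and the ownership rule (taken from the Alice/Bob/Admins description, which the message says is still TBD) are assumptions.

```python
import hashlib
import hmac

# Constructed sample data; a real deployment would bind to LDAP or read a digest file.
_SALT = b"constructed-salt"

def _derive(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 1000)

CREDENTIALS = {u: _derive(p) for u, p in
               [("alice", "a-pass"), ("bob", "b-pass"), ("carol", "c-pass"), ("root", "r-pass")]}
USERS_LIST = {"alice", "bob", "root"}   # hypothetical stand-in for the users list file
ADMINS = {"root"}                        # assumption: admins are a named set
OWNERS = {"profile-a": "alice", "profile-b": "bob"}  # object -> creator (constructed)

def authenticate(user, password):
    """Stage 1: identity. Any backend (digest, ldap, kerberos) answers only yes/no."""
    stored = CREDENTIALS.get(user)
    return stored is not None and hmac.compare_digest(stored, _derive(password))

def authorize(mode, user, obj=None):
    """Stage 2: access decision for an already-authenticated user."""
    if mode == "allowall":
        return True
    if mode == "configfile":
        return user in USERS_LIST
    if mode == "ownership":
        # Admins may edit anything; everyone else only what they created.
        return user in ADMINS or (obj is not None and OWNERS.get(obj) == user)
    return False  # unknown or misspelled mode fails closed

def may_edit(mode, user, password, obj=None):
    # Authorization is never consulted for a failed login, so "allowall"
    # still means "all authenticated users", not "everyone".
    return authenticate(user, password) and authorize(mode, user, obj)

if __name__ == "__main__":
    for mode, user, pw, obj in [
        ("allowall", "carol", "c-pass", None),
        ("configfile", "carol", "c-pass", None),
        ("ownership", "alice", "a-pass", "profile-b"),
        ("ownership", "root", "r-pass", "profile-b"),
    ]:
        print(mode, user, obj, "->", may_edit(mode, user, pw, obj))
```

The case worth noting is carol under configfile: a valid directory login alone grants nothing once the users list is the authorization source.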
