[et-mgmt-tools] Thoughts on Cobbler authorization/authentication and access levels in your organization?

Michael DeHaan mdehaan at redhat.com
Tue Nov 27 22:56:54 UTC 2007 

Aaron Lippold wrote:
> Hi,
>
> Could http://www.freeipa.org/ offer up any quick wins?
>
> Yours,
>
> Aaron
>   

Supporting kerberos and LDAP generically, and /enabling/ that kind of 
support (probably including tutorial instructions for doing that with 
the IPA stuff) is certaintly the plan.
We're not going to require Free IPA setup, however, as we want to 
support existing installations, which probably have something they 
already want to use.

The other (and slightly more interesting) part of course is getting the 
permissions/ownership workflows right, and I've gotten some good 
feedback on that so far as well.

--Michael

> On Nov 27, 2007 2:49 AM, Aaron Lippold <lippold at gmail.com> wrote:
>   
>> Hi,
>>
>> One of the features that would be good would be the abllity to
>> intagrate with NSS. Fedora / RedHat Directory server etc. I think
>> looking at mod_nss and the already existing pam, pam_pkcs11 etc would
>> really expand overall enterprise usage, at least for my use. I think
>> that usage of PAM, NSS, kerberos would provide a good baseline for the
>> largest set of use cases. Just my thoughts.
>>
>> Yours,
>>
>> Aaron
>>
>>
>> On Nov 26, 2007 4:51 PM, Michael DeHaan <mdehaan at redhat.com> wrote:
>>     
>>> Jack Neely wrote:
>>>       
>>>> Michael,
>>>>
>>>> Here at NCSU I have an existing provisioning system that generates
>>>> kickstarts based on a set of "keyword [value [value...]]" rules.  We'd
>>>> like to continue to use that as it works well for us...and it integrates
>>>> with Cobbler well.
>>>>
>>>> So given that, admins already have the ability to control/alter their
>>>> profiles in a defined way that scales well and lonely me can support.
>>>>
>>>> What I'd like from Cobbler is the ability for a select few admins (like
>>>> me) to be able to setup all the bits to make Cobbler distros/profiles
>>>> etc. work.
>>>>
>>>> Normal admins should be able to associate a MAC address with a profile
>>>> and remove said MAC.  Actually, it would be great if an admin could
>>>> associate a hostname/IP address with a profile and Cobbler would run a
>>>> plugin to translate that into a MAC.
>>>>
>>>>         
>>> One of the things I thought about doing was creating a simpler page to
>>> just edit a systems mapping.
>>>
>>> Login would work as before, but the page could be as simple as what you
>>> mentioned above, a dropbox,
>>> and an ok button. CLI equivalents should work too...
>>>       
>>>> Groups of admins as well.  Any admin can modify MAC->profile of any
>>>> other admin provided both are in the same group.
>>>>
>>>> Authentication via kerberos (PAM probably) authorization done by auto
>>>> generated groups of admins (a plugin)?
>>>>
>>>>         
>>> Sounds reasonable.
>>>       
>>>> Okay...some half-baked ideas about how I see a workflow here.  If you
>>>> have questions please feel free.
>>>>
>>>>         
>>> Thanks! I've got some good feedback so far, so I'll try to summarize
>>> findings/plans shortly.
>>> If anyone else wants to share their thoughts on how they'd ideally like
>>> their site to work, please do.
>>>       
>>>> Jack Neely
>>>>         
>>> _______________________________________________
>>> et-mgmt-tools mailing list
>>> et-mgmt-tools at redhat.com
>>> https://www.redhat.com/mailman/listinfo/et-mgmt-tools
>>>
>>>       
>
> _______________________________________________
> et-mgmt-tools mailing list
> et-mgmt-tools at redhat.com
> https://www.redhat.com/mailman/listinfo/et-mgmt-tools
>

More information about the et-mgmt-tools mailing list