On 07.08.2015 [22:17:52 +0000], Kyle Flavin wrote:
> I've set up a test Cobbler server to explore its permissions
> system.
> I need to be able to allow different groups to have access to cobbler
> through the WebUI, but only give them rights to change/create objects
> they own.
> It looks like I can do this with a combination of the authn_ldap +
> authz_ownership modules:
> https://fedorahosted.org/cobbler/wiki/CustomizableAuthorization
> Using the docs, I was able to set up the Cobbler LDAP authentication on
> my server, but it doesn't look like I can use LDAP groups within
> /etc/cobbler/users.conf. Instead, I have to specify the actual
> username like this:
> [admin]
> admin = ""
> cobbler = ""
> myuser = ""
> I'd like to be able to add an LDAP group as follows:
> [admin]
> admin = ""
> cobbler = ""
> mygroup = ""
> So I don't have to update user groups in two different places (LDAP
> and Cobbler).
> Is that supported in some other way?
I don't believe so, but I'm not 100%. It should be pretty easy, I think,
to either extend the existing ldap logic to pull in the groups (if
specified in the query/config?), but that's not there right now. You
could, alternatively, write another auth module that wraps (or copies)
the ldap one and extend it appropriately to include group membership, to
test at first.
-Nish
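
A different route from the module approach in the reply, shown as an added example (not Cobbler code and not from either poster): keep membership in LDAP only and generate /etc/cobbler/users.conf from a template in which a group entry is expanded to its members. The `@` group marker, `expand_groups`, and the sample group data are assumptions of this example; the LDAP query is replaced by a constructed dictionary so the block runs offline.

```python
import configparser
import io
import re

# Constructed template in users.conf layout. The "@" prefix marking an LDAP
# group is this example's own convention; Cobbler does not parse it.
TEMPLATE = '[admin]\nadmin = ""\ncobbler = ""\n@mygroup = ""\n'

# Constructed stand-in for an LDAP group query (group -> member uids).
SAMPLE_GROUPS = {"mygroup": ["alice", "bob"]}

# Only names matching this may be written, so a directory entry containing
# "=", "[" or a newline cannot add extra entries or sections to the file.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def _parser():
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep usernames case-sensitive
    return cp


def expand_groups(template_text, lookup_members):
    """Return users.conf text with each @group replaced by its members.

    lookup_members(group) returns an iterable of usernames and raises
    KeyError for an unknown group. Any error aborts the whole run, so a
    half-expanded file is never produced.
    """
    src, out = _parser(), _parser()
    src.read_string(template_text)
    for section in src.sections():
        out.add_section(section)
        for name in src[section]:
            members = lookup_members(name[1:]) if name.startswith("@") else [name]
            for member in members:
                if not SAFE_NAME.fullmatch(member):
                    raise ValueError("unsafe name: %r" % member)
                out[section][member] = '""'
    buf = io.StringIO()
    out.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print(expand_groups(TEMPLATE, SAMPLE_GROUPS.__getitem__))
```

Write the result to a temporary file and rename it over users.conf only after the run succeeds, so a failed directory lookup leaves the previous file in place.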