> From authz_ownership.py:
>
> # everybody can get read-only access to everything
> # if they pass authorization, they don't have to be in users.conf
We're miscommunicating again. I think I should have said, "I want those who aren't in users.conf to have FULL access to Systems, but that's it." Not read-only access, but FULL access to systems. I want read-only access to everything else for them.

On Thu, Aug 13, 2009 at 10:08 AM, Michael DeHaan <[email protected]> wrote:
> On 08/13/2009 01:01 PM, Paul Company wrote:
>
> That's because it doesn't exist in user.conf :)
>
> It is in user.conf, you're reading the wrong example.
> Read the first thread in the post.
> There are two examples (one that works, one that does not).
> [email protected] is in the second example.
> You referenced the first example.
>
> Ok.
>
> Hence you have to edit the Apache file to reject users not in your ok list
> as well.
>
> I'm confused again.
> Why would I do that?
> I want all valid Kerberos users to succeed logging in.
>
> Then you would not do that in your own personal case.
>
> An example if you are using the (for example) @redhat.com kerberos and you
> only want people in a department
> to access the server. Authn_passthru will admit anyone cleared by Apache,
> regardless of how Apache is configured.
>
> For instance, if you were using authz_allowall you almost certainly would
> want to do this, and in most cases you'd also want to do this with
> authz_ownership, because you didn't want the universe to create objects.
> This is a site-specific security decision.
>
> Anyway, users.conf is for mapping users to groups for ownership flagging
> purposes. That is basically it.
>
> Ownership works on an object by object basis.
>
> I want those who aren't in users.conf to have access to Systems, but that's
> it.
> I want those who *are* in users.conf (specifically the admins group) to
> have full access.
>
> Can that be done?
>
> Yes.
> From authz_ownership.py:
>
> # everybody can get read-only access to everything
> # if they pass authorization, they don't have to be in users.conf
>
> On Thu, Aug 13, 2009 at 9:31 AM, Michael DeHaan <[email protected]> wrote:
>
> On 08/13/2009 12:23 PM, Paul Company wrote:
>
> Guessing -- I believe your username in the bottom example is
> [email protected],
> if that's what you logged in with, not pcompany.
>
> Was that it?
>
> No, I can log in as pcompany or [email protected] and neither works!
>
> It has something to do with the httpd stanza.
> If you diff the stanzas,
>
> This works:
> AuthType Basic
> AuthName Cobbler
>
> This does not:
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbServiceName HTTP
> Krb5Keytab /etc/httpd/conf.d/HTTP.keytab
> KrbAuthRealms EXAMPLE.COM
>
> I'm assuming the authz_ownership module receives the username from
> somewhere and checks it against the user.conf file.
> What passes the username to the authz_ownership module?
>
> The username is the username you give to the login prompt.
>
> And how do I debug that?
> It's acting like [email protected] does not exist in user.conf.
>
> That's because it doesn't exist in user.conf :)
>
> # vi /etc/cobbler/users.conf
> [admins]
> admin = ""
> cobbler = ""
> pcompany = ""
> :wq!
>
> You will be able to login through anything Kerberos allows, though what you
> are able to do is governed by users.conf.
>
> Hence you have to edit the Apache file to reject users not in your ok list
> as well.
> --Michael
>
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler
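To make the policy requested in this message concrete, here is an added example. It is not Cobbler's authz_ownership.py and not code from anyone in the thread; it is a small model of the two layers Michael describes: Apache (Kerberos) decides who may log in at all, and a users.conf-style file decides what an authenticated user may do. The rule it implements is the one Paul asks for: members of the `admins` group get full access, and any other authenticated user gets full access to `system` objects and read-only access to everything else. The function names, the extra `installers` group, and the `jdoe` and `stranger` users are constructed for this example; the `[admins]` section mirrors the users.conf shown in the thread.

```python
"""Model of a users.conf-based authorization policy (added example,
not Cobbler's authz_ownership module).

Policy implemented here, as asked for in the thread:
  * members of the ``admins`` group may do anything to anything;
  * any other user who got past Apache authentication may read
    everything, but may only write ``system`` objects;
  * unknown actions are denied.
"""
import configparser

# Constructed sample in the users.conf format shown in the thread:
# groups are sections, one user per key, values are unused.
SAMPLE_USERS_CONF = """
[admins]
admin = ""
cobbler = ""
pcompany = ""

[installers]
jdoe = ""
"""

# Constructed operation names; the split between read and write is the point.
READ_OPS = {"read", "get", "list"}
WRITE_OPS = {"save", "modify", "remove", "copy", "rename"}


def load_groups(text):
    """Parse users.conf-style INI text into {user: set(groups)}."""
    parser = configparser.ConfigParser(allow_no_value=True)
    parser.read_string(text)
    membership = {}
    for group in parser.sections():
        for user in parser[group]:          # keys are the user names
            membership.setdefault(user, set()).add(group)
    return membership


def principal_name(login):
    """Reduce a Kerberos principal such as pcompany@EXAMPLE.COM to pcompany.

    Only safe because the httpd stanza in the thread pins KrbAuthRealms to a
    single realm; with several realms, keep the full principal as the key so
    that alice@A and alice@B do not collapse onto one users.conf entry.
    """
    return login.split("@", 1)[0]


def authorize(membership, login, resource, action):
    """Return True if ``login`` may perform ``action`` on ``resource``.

    Authentication is assumed to have already happened in Apache; this
    function only decides what an authenticated user may do.
    """
    groups = membership.get(principal_name(login), set())
    action = action.lower()
    resource = resource.lower()

    if "admins" in groups:
        return True                         # admins: full access everywhere
    if action in READ_OPS:
        return True                         # everyone who logged in may read
    if action in WRITE_OPS:
        return resource == "system"         # non-admins may only write systems
    return False                            # unknown action: deny by default


if __name__ == "__main__":
    groups = load_groups(SAMPLE_USERS_CONF)
    for login, resource, action in [
        ("pcompany@EXAMPLE.COM", "distro", "modify"),
        ("jdoe", "system", "save"),
        ("jdoe", "distro", "save"),
        ("stranger@EXAMPLE.COM", "profile", "read"),
        ("stranger@EXAMPLE.COM", "profile", "remove"),
    ]:
        verdict = "allow" if authorize(groups, login, resource, action) else "deny"
        print(f"{login:24} {action:7} {resource:8} -> {verdict}")
```

Run stand-alone, the block prints a decision table for the constructed users. Keeping the Kerberos rejection of unwanted principals in Apache, as Michael suggests, still matters under this policy: anyone who authenticates can create and change systems, so the Apache layer is what limits that population.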
