I recently set up Cobbler passthru authentication using Apache basic
authentication with NIS. I modified the Apache config to look like this:
<Location "/cobbler_web">
AuthName "Cobbler WebUI"
AuthType Basic
PerlAuthenHandler Apache2::AuthenNIS
PerlAuthzHandler Apache2::AuthzNIS
PerlSetVar AllowAlternateAuth yes
SetHandler python-program
PythonHandler django.core.handlers.modpython
SetEnv DJANGO_SETTINGS_MODULE settings
PythonDebug On
PythonPath "['/usr/share/cobbler/web/'] + sys.path"
PythonAuthenHandler cobbler_web.views
</Location>
I've actually tried setting "PerlSetVar AllowAlternateAuth" to both yes and no
and got the same behavior.
And that behavior is this: when logging in, I am presented with the standard
HTTP Basic authentication box from my web browser, which once successfully
authenticated, drops me to the very basic Cobbler version page (you can get
back to this by clicking on the Cobbler graphic in the upper left hand corner
I've found). It looks something like this:
Welcome to Cobbler 2.005.
Currently logged in as whardin.
While not normal usage, if I sit here and refresh this screen, the user name
displayed will cycle through the other users that have logged in recently. A
couple refreshes and I got this:
Welcome to Cobbler 2.005.
Currently logged in as whardin2.
A few more refreshes and I get other colleagues' names.
From the cobbler.log it looks like this:
Tue Aug 31 10:32:59 2010 - INFO | REMOTE version; user(whardin2)
Tue Aug 31 10:33:44 2010 - INFO | REMOTE version; user(whardin2)
Tue Aug 31 10:33:45 2010 - INFO | REMOTE version; user(whardin)
Tue Aug 31 10:33:45 2010 - INFO | REMOTE version; user(whardin2)
Tue Aug 31 10:33:46 2010 - INFO | REMOTE version; user(pkarnik)
Tue Aug 31 10:33:47 2010 - INFO | REMOTE version; user(whardin2)
Tue Aug 31 10:33:47 2010 - INFO | REMOTE version; user(pkarnik)
Tue Aug 31 10:33:48 2010 - INFO | REMOTE version; user(whardin2)
Tue Aug 31 10:33:48 2010 - INFO | REMOTE version; user(whardin)
Tue Aug 31 10:33:50 2010 - INFO | REMOTE version; user(whardin2)
Tue Aug 31 10:33:51 2010 - INFO | REMOTE version; user(pkarnik)
Tue Aug 31 10:33:51 2010 - INFO | REMOTE version; user(whardin2)
Tue Aug 31 10:33:52 2010 - INFO | REMOTE version; user(whardin2)
When I had "PerlSetVar AllowAlternateAuth no", I would also get these messages
a lot:
INFO | REMOTE version; user(???)
Setting "PerlSetVar AllowAlternateAuth yes" seems to make _a_ user name appear
pretty reliably, but _what_ user name still appears to be rather random.
I don't know if this is expected behavior but most operations seem to be
ignorant of the user. Most lines in the log end with "; user(?)" like the
following sample:
Tue Aug 31 10:32:58 2010 - DEBUG | REMOTE pkarnik authorization result: True; user(?)
Tue Aug 31 10:32:58 2010 - INFO | REMOTE get_item(system,chdldtg001); user(?)
Tue Aug 31 10:32:58 2010 - INFO | REMOTE get_settings; user(?)
At one point, I was even being denied access to modify objects, despite using
authz_allowall.
My modules.conf contains these lines:
[authentication]
module = authn_passthru
[authorization]
module = authz_allowall
Is this some failure of Apache and Cobbler to pass the user name? Is it a
Perl/Python conflict?
Thanks in advance for any assistance you may be able to provide.
--
/* Wes Hardin */
UNIX System Administrator, IT Engineering Support
Maxim Integrated Products: Innovation Delivered
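
An added example, not part of the original post and not Cobbler code: a small parser for the cobbler.log line format quoted above that counts entries with an unresolved user and flags the same remote call being attributed to different users within a few seconds. The log lines are copied from the post; the function names and the 5-second window are assumptions of this example.

```python
import re
from datetime import datetime

# Lines copied from the cobbler.log excerpts quoted in the post.
SAMPLE_LOG = """\
Tue Aug 31 10:32:58 2010 - DEBUG | REMOTE pkarnik authorization result: True; user(?)
Tue Aug 31 10:32:58 2010 - INFO | REMOTE get_item(system,chdldtg001); user(?)
Tue Aug 31 10:32:58 2010 - INFO | REMOTE get_settings; user(?)
Tue Aug 31 10:32:59 2010 - INFO | REMOTE version; user(whardin2)
Tue Aug 31 10:33:44 2010 - INFO | REMOTE version; user(whardin2)
Tue Aug 31 10:33:45 2010 - INFO | REMOTE version; user(whardin)
Tue Aug 31 10:33:45 2010 - INFO | REMOTE version; user(whardin2)
Tue Aug 31 10:33:46 2010 - INFO | REMOTE version; user(pkarnik)
Tue Aug 31 10:33:47 2010 - INFO | REMOTE version; user(whardin2)
Tue Aug 31 10:33:47 2010 - INFO | REMOTE version; user(pkarnik)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) - (?P<level>\w+) \| "
    r"REMOTE (?P<call>.*); user\((?P<user>[^)]*)\)$")

def parse(text):
    """Return (timestamp, call, user) tuples; user is None for '?' or '???'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation lines and blanks are skipped
        user = m["user"] if m["user"].strip("?") else None
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        events.append((ts, m["call"], user))
    return events

def identity_switches(events, window_s=5):
    """Same call, different resolved user, at most window_s seconds apart."""
    last, hits = {}, []  # last: call -> (timestamp, user)
    for ts, call, user in events:
        if user is None:
            continue
        prev = last.get(call)
        if prev and prev[1] != user and (ts - prev[0]).total_seconds() <= window_s:
            hits.append((ts, call, prev[1], user))
        last[call] = (ts, user)
    return hits

def summarize(text):
    events = parse(text)
    return {"events": len(events),
            "unresolved": sum(1 for e in events if e[2] is None),
            "users": sorted({e[2] for e in events if e[2]}),
            "switches": len(identity_switches(events))}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The log carries no client address or session identifier, so on a server with several active users a switch is only a prompt to correlate against the Apache access log, not proof of identity mix-up.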