On 07.08.2015 [22:17:52 +0000], Kyle Flavin wrote:
> I've set up a test Cobbler server to explore its permissions system.
> I need to be able to allow different groups to have access to cobbler
> through the WebUI, but only give them rights to change/create objects
> they own.
> 
> It looks like I can do this with a combination of the authn_ldap +
> authz_ownership modules:
> https://fedorahosted.org/cobbler/wiki/CustomizableAuthorization
> 
> Using the docs, I was able to set up the Cobbler LDAP authentication on
> my server, but it doesn't look like I can use LDAP groups within
> /etc/cobbler/users.conf.  Instead, I have to specify the actual
> username like this:
> 
> [admin]
> admin = ""
> cobbler = ""
> myuser = ""
> 
> I'd like to be able to add an LDAP group as follows:
> 
> [admin]
> admin = ""
> cobbler = ""
> mygroup = ""
> 
> So I don't have to update user groups in two different places (LDAP
> and Cobbler).
> 
> Is that supported in some other way?

I don't believe so, but I'm not 100%. It should be pretty easy, I think,
to either extend the existing ldap logic to pull in the groups (if
specified in the query/config?), but that's not there right now. You
could, alternatively, write another auth module that wraps (or copies)
the ldap one and extend it appropriately to include group membership, to
test at first.

-Nish

_______________________________________________
cobbler mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/cobbler
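
Added example (not part of the original thread, and not Cobbler's own code): a different route from the module wrapper suggested in the reply, this regenerates users.conf so that LDAP stays the single source of group membership. The function name expand_groups and the group-to-members mapping are assumptions; in practice the mapping would be filled from an LDAP query, here it is constructed sample data.

```python
import configparser
import io


def expand_groups(conf_text, ldap_groups):
    """Return users.conf text with LDAP group names replaced by their members.

    ldap_groups maps group name -> list of member usernames (assumed to come
    from an LDAP lookup done elsewhere; passed in so this runs offline).
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep usernames case-sensitive
    parser.read_string(conf_text)

    out = io.StringIO()
    for section in parser.sections():
        members = []
        for name in parser[section]:
            # A key naming a known LDAP group expands to its members. An empty
            # group expands to nothing, so the group name never lingers as a
            # username that someone could register to inherit the role.
            # Any other key is treated as a plain username and kept as-is.
            for user in ldap_groups.get(name, [name]):
                if user not in members:
                    members.append(user)
        out.write("[%s]\n" % section)
        for user in members:
            out.write('%s = ""\n' % user)
        out.write("\n")
    return out.getvalue()


# Constructed sample input, mirroring the file shown in the question.
SAMPLE_CONF = '''[admin]
admin = ""
cobbler = ""
mygroup = ""
'''
SAMPLE_GROUPS = {"mygroup": ["alice", "bob", "cobbler"]}  # constructed

if __name__ == "__main__":
    print(expand_groups(SAMPLE_CONF, SAMPLE_GROUPS))
```

Review the generated text before it replaces /etc/cobbler/users.conf, since every name it lists receives that section's rights.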
