FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora/Linux Management Tools

 
 
LinkBack Thread Tools
 
Old 11-27-2007, 06:49 AM
"Aaron Lippold"
 
Default Thoughts on Cobbler authorization/authentication and access levels in your organization?

Hi,

One of the features that would be good would be the abllity to
intagrate with NSS. Fedora / RedHat Directory server etc. I think
looking at mod_nss and the already existing pam, pam_pkcs11 etc would
really expand overall enterprise usage, at least for my use. I think
that usage of PAM, NSS, kerberos would provide a good baseline for the
largest set of use cases. Just my thoughts.

Yours,

Aaron

On Nov 26, 2007 4:51 PM, Michael DeHaan <mdehaan@redhat.com> wrote:
> Jack Neely wrote:
> > Michael,
> >
> > Here at NCSU I have an existing provisioning system that generates
> > kickstarts based on a set of "keyword [value [value...]]" rules. We'd
> > like to continue to use that as it works well for us...and it integrates
> > with Cobbler well.
> >
> > So given that, admins already have the ability to control/alter their
> > profiles in a defined way that scales well and lonely me can support.
> >
> > What I'd like from Cobbler is the ability for a select few admins (like
> > me) to be able to setup all the bits to make Cobbler distros/profiles
> > etc. work.
> >
> > Normal admins should be able to associate a MAC address with a profile
> > and remove said MAC. Actually, it would be great if an admin could
> > associate a hostname/IP address with a profile and Cobbler would run a
> > plugin to translate that into a MAC.
> >
>
> One of the things I thought about doing was creating a simpler page to
> just edit a systems mapping.
>
> Login would work as before, but the page could be as simple as what you
> mentioned above, a dropbox,
> and an ok button. CLI equivalents should work too...
> > Groups of admins as well. Any admin can modify MAC->profile of any
> > other admin provided both are in the same group.
> >
> > Authentication via kerberos (PAM probably) authorization done by auto
> > generated groups of admins (a plugin)?
> >
> Sounds reasonable.
> > Okay...some half-baked ideas about how I see a workflow here. If you
> > have questions please feel free.
> >
>
> Thanks! I've got some good feedback so far, so I'll try to summarize
> findings/plans shortly.
> If anyone else wants to share their thoughts on how they'd ideally like
> their site to work, please do.
> > Jack Neely
>
> >
>
> _______________________________________________
> et-mgmt-tools mailing list
> et-mgmt-tools@redhat.com
> https://www.redhat.com/mailman/listinfo/et-mgmt-tools
>

_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@redhat.com
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
 
Old 11-27-2007, 09:41 PM
"Aaron Lippold"
 
Default Thoughts on Cobbler authorization/authentication and access levels in your organization?

Hi,

Could http://www.freeipa.org/ offer up any quick wins?

Yours,

Aaron

On Nov 27, 2007 2:49 AM, Aaron Lippold <lippold@gmail.com> wrote:
> Hi,
>
> One of the features that would be good would be the abllity to
> intagrate with NSS. Fedora / RedHat Directory server etc. I think
> looking at mod_nss and the already existing pam, pam_pkcs11 etc would
> really expand overall enterprise usage, at least for my use. I think
> that usage of PAM, NSS, kerberos would provide a good baseline for the
> largest set of use cases. Just my thoughts.
>
> Yours,
>
> Aaron
>
>
> On Nov 26, 2007 4:51 PM, Michael DeHaan <mdehaan@redhat.com> wrote:
> > Jack Neely wrote:
> > > Michael,
> > >
> > > Here at NCSU I have an existing provisioning system that generates
> > > kickstarts based on a set of "keyword [value [value...]]" rules. We'd
> > > like to continue to use that as it works well for us...and it integrates
> > > with Cobbler well.
> > >
> > > So given that, admins already have the ability to control/alter their
> > > profiles in a defined way that scales well and lonely me can support.
> > >
> > > What I'd like from Cobbler is the ability for a select few admins (like
> > > me) to be able to setup all the bits to make Cobbler distros/profiles
> > > etc. work.
> > >
> > > Normal admins should be able to associate a MAC address with a profile
> > > and remove said MAC. Actually, it would be great if an admin could
> > > associate a hostname/IP address with a profile and Cobbler would run a
> > > plugin to translate that into a MAC.
> > >
> >
> > One of the things I thought about doing was creating a simpler page to
> > just edit a systems mapping.
> >
> > Login would work as before, but the page could be as simple as what you
> > mentioned above, a dropbox,
> > and an ok button. CLI equivalents should work too...
> > > Groups of admins as well. Any admin can modify MAC->profile of any
> > > other admin provided both are in the same group.
> > >
> > > Authentication via kerberos (PAM probably) authorization done by auto
> > > generated groups of admins (a plugin)?
> > >
> > Sounds reasonable.
> > > Okay...some half-baked ideas about how I see a workflow here. If you
> > > have questions please feel free.
> > >
> >
> > Thanks! I've got some good feedback so far, so I'll try to summarize
> > findings/plans shortly.
> > If anyone else wants to share their thoughts on how they'd ideally like
> > their site to work, please do.
> > > Jack Neely
> >
> > >
> >
> > _______________________________________________
> > et-mgmt-tools mailing list
> > et-mgmt-tools@redhat.com
> > https://www.redhat.com/mailman/listinfo/et-mgmt-tools
> >
>

_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@redhat.com
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
 
Old 11-27-2007, 09:56 PM
Michael DeHaan
 
Default Thoughts on Cobbler authorization/authentication and access levels in your organization?

Aaron Lippold wrote:

Hi,

Could http://www.freeipa.org/ offer up any quick wins?

Yours,

Aaron



Supporting kerberos and LDAP generically, and /enabling/ that kind of
support (probably including tutorial instructions for doing that with
the IPA stuff) is certaintly the plan.
We're not going to require Free IPA setup, however, as we want to
support existing installations, which probably have something they
already want to use.


The other (and slightly more interesting) part of course is getting the
permissions/ownership workflows right, and I've gotten some good
feedback on that so far as well.


--Michael


On Nov 27, 2007 2:49 AM, Aaron Lippold <lippold@gmail.com> wrote:


Hi,

One of the features that would be good would be the abllity to
intagrate with NSS. Fedora / RedHat Directory server etc. I think
looking at mod_nss and the already existing pam, pam_pkcs11 etc would
really expand overall enterprise usage, at least for my use. I think
that usage of PAM, NSS, kerberos would provide a good baseline for the
largest set of use cases. Just my thoughts.

Yours,

Aaron


On Nov 26, 2007 4:51 PM, Michael DeHaan <mdehaan@redhat.com> wrote:


Jack Neely wrote:


Michael,

Here at NCSU I have an existing provisioning system that generates
kickstarts based on a set of "keyword [value [value...]]" rules. We'd
like to continue to use that as it works well for us...and it integrates
with Cobbler well.

So given that, admins already have the ability to control/alter their
profiles in a defined way that scales well and lonely me can support.

What I'd like from Cobbler is the ability for a select few admins (like
me) to be able to setup all the bits to make Cobbler distros/profiles
etc. work.

Normal admins should be able to associate a MAC address with a profile
and remove said MAC. Actually, it would be great if an admin could
associate a hostname/IP address with a profile and Cobbler would run a
plugin to translate that into a MAC.



One of the things I thought about doing was creating a simpler page to
just edit a systems mapping.

Login would work as before, but the page could be as simple as what you
mentioned above, a dropbox,
and an ok button. CLI equivalents should work too...


Groups of admins as well. Any admin can modify MAC->profile of any
other admin provided both are in the same group.

Authentication via kerberos (PAM probably) authorization done by auto
generated groups of admins (a plugin)?



Sounds reasonable.


Okay...some half-baked ideas about how I see a workflow here. If you
have questions please feel free.



Thanks! I've got some good feedback so far, so I'll try to summarize
findings/plans shortly.
If anyone else wants to share their thoughts on how they'd ideally like
their site to work, please do.


Jack Neely


_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@redhat.com
https://www.redhat.com/mailman/listinfo/et-mgmt-tools




_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@redhat.com
https://www.redhat.com/mailman/listinfo/et-mgmt-tools



_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@redhat.com
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
 

Thread Tools




All times are GMT. The time now is 10:05 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org