On 08/14/2009 11:53 AM, Paul Company wrote:
Perhaps we could teach it to also try to look up the version without the @....
We're using Kerberos and it always passes user as <hostname>@<REALM>.
(I didn't include that in the example because I didn't want to muddy the waters)
So if you're interested in cobbler supporting Kerberos authentication
and authz_ownership
then you have to solve this issue.
I'm not sure we do, as long as there aren't users coming from multiple
realms with the same usernames.
Possible workarounds:
(1) Get mod_auth_kerb to pass user name without that part.
(2) Modify remote.py to strip it out.
As I mentioned previously, remote.py is the wrong place for the fix --
if anything authn_passthru.py is.
I'm not a python coder.
Can anyone show me a line of code that does that?
foo = foo.split("@")[0]
On Fri, Aug 14, 2009 at 6:37 AM, Michael DeHaan <[email protected]> wrote:
On 08/13/2009 09:40 PM, Paul Company wrote:
I've subscribed to the dev mailing list, but I'm waiting to be
accepted, so for now I'm posting here.
Running Cobbler 1.6.6 on RHEL 5.3
Here's the configuration:
# vi /etc/cobbler/modules.conf
[authentication]
module = authn_configfile
[authorization]
module = authz_ownership
:wq!
# htdigest /etc/cobbler/users.digest "Cobbler" pcompany
Adding user pcompany in realm Cobbler
New password: yaba
Re-type new password: yaba
# htdigest /etc/cobbler/users.digest "Cobbler" [email protected]
New password: daba
Re-type new password: daba
# vi /etc/cobbler/users.conf
[admins]
admin = ""
cobbler = ""
pcompany = ""
[email protected] = ""
:wq!
# vi /etc/httpd/conf.d/cobbler.conf
<Directory "/var/www/cobbler/web/">
AuthType Basic
AuthName Cobbler
Require valid-user
SetHandler mod_python
PythonAuthenHandler index
PythonHandler index
PythonPath "sys.path + ['/var/www/cobbler/web/']"
PythonDebug on
</Directory>
:wq!
# /etc/init.d/cobblerd restart
# /etc/init.d/httpd restart
Browse to the Web UI and login as (A) pcompany and (B) [email protected]:
(A1) Logging in as pcompany works fine. Authentication works.
(A2) Authorization for pcompany works.
pcompany has full permissions to
list/copy/modify/new/remove/save on distros, profiles, systems, repos,
kickstarts
This is because user.conf is parsed correctly and it finds pcompany.
(B1) Logging in as [email protected] works fine. Authentication works.
(B2) Authorization for [email protected] fails!
This is because user.conf is parsed incorrectly and it can not
find [email protected]
Here's what's left in the log, see line 1044
# cat /var/log/cobbler/cobblerd.log
2009-08-13 17:37:56,905 - api - login attempt; user([email protected])
2009-08-13 17:37:56,905 - api - authenticate; ['[email protected]',
'big long encryption string']
2009-08-13 17:37:56,906 - api - login succeeded; user([email protected])
2009-08-13 17:37:57,035 - api - calling authorize for resource
['new_system', None, None]; user([email protected])
2009-08-13 17:37:57,035 - api - Exception occured: cobbler.cexceptions.CX
2009-08-13 17:37:57,035 - api - Exception value: 'user does not have
access to resource: new_system'
2009-08-13 17:37:57,036 - api - Exception Info:
File "/usr/lib/python2.4/site-packages/cobbler/remote.py", line
1000, in check_access_no_fail
self.check_access(token,resource,arg1,arg2)
File "/usr/lib/python2.4/site-packages/cobbler/remote.py", line
1013, in check_access
rc = self.__authorize(token,resource,arg1,arg2)
File "/usr/lib/python2.4/site-packages/cobbler/remote.py", line
1044, in __authorize
raise CX(_("user does not have access to resource: %s") % resource)
Can anyone think of a quick fix?
I'm assuming it's choking on the @ symbol.
I tried quoting it, but that didn't work.
We probably have to modify /usr/lib/python2.4/site-packages/cobbler/remote.py?
Or whatever python module parses users.conf?
_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
We're using standard python config parser for user.conf presently, so
not much can be done.
Perhaps we could teach it to also try to look up the version without the
@....
--Michael
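
Added example, not part of the original thread and not Cobbler's own code: a sketch of the "also try the version without the @" lookup discussed above, which strips the realm only for an explicitly trusted realm so that a same-named user from another realm does not inherit local rights. It uses Python 3's configparser; the realm EXAMPLE.COM, the sample users.conf text and the function names candidate_names and is_admin are assumptions made for illustration.

```python
import configparser

# Constructed sample in the shape of the users.conf shown in the thread.
USERS_CONF = """
[admins]
admin = ""
cobbler = ""
pcompany = ""
"""

# Assumption: the single Kerberos realm this server accepts short names from.
TRUSTED_REALMS = {"EXAMPLE.COM"}


def candidate_names(principal, trusted_realms=TRUSTED_REALMS):
    """Return the names to look up for a principal, most specific first."""
    if principal.count("@") > 1:
        return []                      # ambiguous principal: refuse to guess
    local, sep, realm = principal.partition("@")
    if not local:
        return []                      # empty user part never matches
    if not sep:
        return [principal]             # plain user name, nothing to strip
    # Fall back to the short name only for a trusted realm; otherwise
    # pcompany@OTHER.ORG would be authorized as the local user pcompany.
    if realm in trusted_realms:
        return [principal, local]
    return [principal]


def is_admin(principal, conf_text=USERS_CONF):
    """True if the principal, or its trusted short form, is listed in [admins]."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    # has_option applies the parser's own key normalisation (lower-casing),
    # so the lookup matches however the key was capitalised in the file.
    return any(cp.has_option("admins", name)
               for name in candidate_names(principal))


if __name__ == "__main__":
    for who in ("pcompany", "pcompany@EXAMPLE.COM", "pcompany@OTHER.ORG"):
        print(who, is_admin(who))
```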