By default, the Cobbler WebUI and Web services authenticate against a digest file. All users in the digest file are "in". What if you want to authenticate against an external resource? Cobbler can do that too. These instructions can be used to make it authenticate against LDAP instead.
For the purposes of these instructions, we are authenticating against a new source install of FreeIPA -- though any LDAP install should work in the same manner.
\0. Install python-ldap
yum install python-ldap
/etc/cobbler/modules.conf change the authn/authz sections to
[authentication] module = authn_ldap [authorization] module = authz_configfile
The above specifies that you authenticating against LDAP and will
list which LDAP users are valid by looking at
/etc/cobbler/settings, set the following to appropriate
values to configure the LDAP parts. The values below are examples
that show us pointing to an LDAP server, which is not running on
the cobbler box, for authentication. Note that authorization is
seperate from authentication. We'll get to that later.
ldap_server : "grimlock.devel.redhat.com" ldap_base_dn : "DC=devel,DC=redhat,DC=com" ldap_port : 389 ldap_tls : 1
With Cobbler 1.3 and higher, you can add additional LDAP servers by separating the server names with a space in the ldap_server field.
\3. Now we have to configure OpenLDAP to know about the cert of the LDAP server. You only have to do this once on the cobbler box, not on each client box.
openssl s_client -connect servername:636
\4. Copy everything between BEGIN and END in the above output to
\5. Ensure that the CA certificate is correctly hashed
cd /etc/openldap/cacerts ln -s ldap.pem $(openssl x509 -hash -noout -in ldap.pem).0
On Red Hat and Fedora systems this can also be done using the cacertdir_rehash command:
/etc/openldap/ldap.conf to include the following:
TLS_CACERTDIR /etc/openldap/cacerts TLS_REQCERT allow
/etc/cobbler/users.conf to include the list of users
allowed access to cobbler resources. These must match names in
LDAP. The group names are just comments.
[dxs] mac = "" pete = "" jack = ""
\8. Done! Cobbler now authenticates against ldap instead of the
digest file, and you can limit what users can edit things by
The following trick lets you test your username/password combinations outside of the web app and may prove useful in verifying that your LDAP configuration is correct. replace $VERSION with your python version, for instance 2.4 or 2.5, etc.
# cp /usr/lib/python$VERSION/site-packages/cobbler/demo_connect.py /tmp/demo_connect.py # python /tmp/demo_connect.py --user=username --pass=password
Just run the above and look at the output. You should see a
traceback if problems are encountered, which may point to problems
in your configuration if you specified a valid username/password.
Restart cobblerd after changing
/etc/cobbler/settings (if you're not using Dynamic Settings) in order for
them to take effect.