Re: Authentication nightmare under Fedora 7
- From: Craig White <craig tobyhouse com>
- To: tim birdsnest maths tcd ie, For users of Fedora <fedora-list redhat com>
- Subject: Re: Authentication nightmare under Fedora 7
- Date: Mon, 12 Nov 2007 15:58:55 -0700
On Mon, 2007-11-12 at 21:55 +0000, Timothy Murphy wrote:
> Craig White wrote:
> >> This led me to ponder authentication in Fedora.
> >> Is it really the complete shambles it seems to me to be?
> >> Are there several rival authentication methods:
> >> SASL, SSL, TLS, etc?
> >> How does one tell which to use?
> >> Is all this documented anywhere?
> >> I seem to have *.pem files all over the place.
> >> And how does all this fit in with /etc/pam.d/ ?
> >> And what does /etc/nsswitch.conf have to do with it?
> >> Is authentication under Fedora utterly confusing,
> >> or have I got hold of the wrong end of the stick?
> > ----
> > 1 - Your attitude is way off
> Well, thanks for responding anyway.
> I must say your reply tends to confirm that authentication in Fedora
> (possibly in Linux generally) is confusing,
> not because your answer is not clear, I hasten to add,
> but because there seem several methods available,
> and it is not at all clear in some cases -
> certainly in the case of openldap - which one you are meant to use.
> I think my attitude was fairly understandable,
> given that I spent two hours staring at my desktop
> (which I don't normally go near)
> after giving what seemed the harmless command "authconfig.gtk".
> I couldn't believe that this command could have the disastrous effect
> it did, with the system slowly dying bit-by-bit
> until it finally stopped altogether.
> > 2 - When LDAP protocol was originally conceived, it had
> > absolutely nothing to do with user authentication...check
> > the historical usage for ldap.
> With respect, I've read a few documents on the history of ldap,
> and not found them at all helpful for my purpose,
> which is the not very grandiose task
> of setting up a system-wide address book on my home LAN.
> I'm actually using my web-server, so it is fairly important,
> I think, to use some kind of authentication.
> > 3 - There is absolutely no single method to use LDAP for
> > authentication - it's always left to the end users to
> > design and implement. That's why every different author
> > has a different take on how to do things.
> This is probably the cause of my suffering.
> I looked at 3 or 4 documents on openldap,
> and as you say they seemed to be using different authentication methods.
> Actually, some of them seemed to suggest that the user (ie me)
> would know what to do, which is certainly not true in my case.
> > 4 - Implementing access points into various daemons/services
> > is clearly an exercise left up to the administrator...there
> > simply is no one way to do these things.
> But they (or you) could still tell me one way,
> and just mention that there are alternatives.
> > 5 - OpenLDAP manuals assume a very high level of
> > administrator knowledge.
> I'm not sure what you mean by administrator knowledge.
> I think of myself as reasonably adept at administration
> (I've certainly been doing it for a long time)
> and haven't really met anything like the same degree of confusion
> with authentication that I find with openldap.
> > 6 - You haven't even figured out what is authentication and
> > what is encryption...you probably need to do that.
> > - SSL = Encryption
> > - TLS = Encryption
> > - SASL = Encryption though to be fair, SASLAuthd is an
> > authentication system for sasl
> I must confess I'm not clear about the distinction.
> I would have thought encryption and authentication
> were inextricably linked.
> Presumably if one machine or program uses encryption
> it has to pass the data necessary for decryption
> to any other machine or program needing the encrypted information,
> and the passage of this data is the principal task of authentication,
> I would have thought.
> > 7 - starting system message bus hang is well understood and
> > has nothing to do with anything else...to fix, add the
> > following lines to /etc/ldap.conf
> Thanks very much - I did indeed deduce after some time
> that the problem lay with the message bus,
> and in fact my temporary solution was to stop the messagebus service.
> However, this certainly was not well understood by me.
> > timelimit 30
> > bind_timelimit 30
> > bind_policy soft
> > nss_initgroups_ignoreusers root,ldap
> I shall indeed add these lines.
> > too bad that authconfig doesn't do this for you.
> > 8 - I could not have made it more clear and my suggestion was
> > even seconded...if you want to learn about ldap - buy the
> > Gerald Carter book LDAP System Administration.
> Well, I'll certainly think about it;
> but my need for ldap is very limited, as I said,
> and it would not be high on my list of subjects I want to study in depth.
> > 9 - It is not LDAP authentication under fedora...it is LDAP
> > authentication that is confusing. User authentication is
> > but one potential use for LDAP.
> I believe you.
> Just as a postscript I might add that I have been driven to openldap
> as a solution to the address book problem
> after looking at vcard/jabber and mysql,
> which I would actually prefer to use if there was a reasonably simple
> and standard way of doing this.
> I like that idea that vcard can be used to pass address book entries
> to and from mobile phones.
> If anyone has any advice or suggestion on this topic
> I would be very interested and grateful.
there's nothing that says you have to do authentication at all -
especially if your intention is a workgroup driven address book.
The funny thing is - that book I've recommended to you twice now, is
cheap, simple and you would get it on a fairly quick run through - even
though it's outdated (you don't use ldbm any more).
If you get nothing else out of this, please get this...
LDAP is an erector set - there is no one way of building anything
including authentication for your
computer/network/services/daemons/etc., group address books or anything.
It's all an exercise left to the system administrator.
That's why no two web articles/books/walk-throughs will ever be the
When you start playing with it, it seems so confusing - then all of a
sudden - whammo - it clicks in. If you want to shorten the click-in
time... LDAP System Administration by Gerald Carter
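The four /etc/ldap.conf lines in point 7 are easy to forget after the next authconfig run, so here is a small checker for them. It is an added example, not something from this thread or from nss_ldap itself; the two config texts are constructed, and "last occurrence wins" is this script's own simplification of how the file is read.

```python
"""Check an nss_ldap-style /etc/ldap.conf for the anti-hang settings
recommended in the thread. Added example; sample configs are constructed."""

# Directives from point 7 and the values given there. Without them the
# default bind_policy (hard) keeps retrying an unreachable LDAP server, and
# group lookups for local users such as root still go out to LDAP, which is
# what stalls "Starting system message bus" at boot.
EXPECTED = {
    "timelimit": "30",
    "bind_timelimit": "30",
    "bind_policy": "soft",
    "nss_initgroups_ignoreusers": "root,ldap",
}


def parse_ldap_conf(text):
    """Parse the flat 'key value' format of nss_ldap's ldap.conf.
    Keys are case-insensitive, '#' starts a comment, blank lines are skipped.
    Simplification: the last occurrence of a key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_hang_settings(text):
    """Return {directive: (status, current_value)}; status is
    'ok', 'missing' or 'differs'."""
    settings = parse_ldap_conf(text)
    report = {}
    for key, want in EXPECTED.items():
        have = settings.get(key)
        if have is None:
            report[key] = ("missing", None)
        else:
            report[key] = ("ok" if have == want else "differs", have)
    return report


# Constructed sample: a minimal file as authconfig might leave it ...
BEFORE = "# constructed sample\nhost 192.0.2.10\nbase dc=example,dc=com\nssl start_tls\n"
# ... and the same file with the four lines from the thread appended.
AFTER = BEFORE + "timelimit 30\nbind_timelimit 30\nbind_policy soft\nnss_initgroups_ignoreusers root,ldap\n"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name)
        for key, (status, val) in check_hang_settings(cfg).items():
            print(f"  {key:28s} {status:8s} {val or ''}")
```

Point it at the real file with `check_hang_settings(open("/etc/ldap.conf").read())` after any authconfig run; a "differs" for bind_policy showing "hard" is the setting that reproduces the hang.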