On Mon, 2007-11-12 at 21:55 +0000, Timothy Murphy wrote: > Craig White wrote: > > >> This led me to ponder authentication in Fedora. > >> Is it really the complete shambles it seems to me to be? > >> Are there several rival authentication methods: > >> SASL, SSL, TLS, etc? > >> How does one tell which to use? > >> Is all this documented anywhere? > >> I seem to have *.pem files all over the place. > >> And how does all this fit in with /etc/pam.d/ ? > >> And what does /etc/nsswitch.conf have to do with it? > >> > >> Is authentication under Fedora utterly confusing, > >> or have I got hold of the wrong end of the stick? > > ---- > > 1 - Your attitude is way off > > Well, thanks for responding anyway. > I must say your reply tends to confirm that authentication in Fedora > (possibly in Linux generally) is confusing, > not because your answer is not clear, I hasten to add, > but because there seem several methods available, > and it is not at all clear in some cases - > certainly in the case of openldap - which one you are meant to use. > > I think my attitude was fairly understandable, > given that I spent two hours starting at my desktop > (which I don't normally go near) > after giving what seemed the harmless command "authconfig.gtk". > I couldn't believe that this command could have the disastrous effect > it did, with the system slowly dying bit-by-bit > until it finally stopped altogether. > > > 2 - When LDAP protocol was originally, conceived, it had > > absolutely nothing to do with user authentication...check > > the historical usage for ldap. > > With respect, I've read a few documents on the history of ldap, > and not found them at all helpful for my purpose, > which is the not very grandiose task > of setting up a system-wide address book on my home LAN. > I'm actually using my web-server, so it is fairly important, > I think, to use some kind of authentication. > > > 3 - There is absolutely no single method to use LDAP for > > authentication - it's always left to the end users to > > design and implement. That's why ever different author > > has a different take on how to do things. > > This is probably the cause of my suffering. > I looked at 3 or 4 documents on openldap, > and as you say they seemed to be using different authentication methods. > Actually, some of them seemed to suggest that the user (ie me) > would know what to do, which is certainly not true in my case. > > > 4 - Implementing access points into various daemons/services > > is clearly an exercise left up to the administrator...there > > simply is no one way to do these things. > > But they (or you) could still tell me one way, > and just mention that there are alternatives. > > > 5 - OpenLDAP manuals assume a very high level of > > administrator knowledge. > > I'm not sure what you mean by administrator knowledge. > I think of myself as reasonably adept at administration > (I've certainly been doing it for a long time) > and haven't really met anything like the same degree of confusion > with authentication that I find with openldap. > > > 6 - You haven't even figured out what is authentication and > > what is encryption...you probably need to do that. > > - SSL = Encryption > > - TLS = Encryption > > - SASL = Encryption though to be fair, SASLAuthd is an > > authentication system for sasl > > I must confess I'm not clear of the distinction. > I would have thought encryption and authentication > were inextricably linked. > Presumably if one machine or program uses encryption > it has to pass the data necessary for decryption > to any other machine or program needing the encrypted information, > and the passage of this data is the principal task of authentication, > I would have thought. > > > 7 - starting system message bus hang is well understood and > > has nothing to do with anything else...to fix, add the > > following lines to /etc/ldap.conf > > Thanks very much - I did indeed deduce after some time > that the problem lay with the message bus, > and in fact my temporary solution was to stop the messagebus service. > However, this certainly was not well understood by me. > > > timelimit 30 > > bind_timelimit 30 > > bind_policy soft > > nss_initgroups_ignoreusers root,ldap > > I shall indeed add these lines. > > > too bad that authconfig doesn't do this for you. > > > 8 - I could not have made it more clear and my suggestion was > > even seconded...if you want to learn about ldap - buy the > > Gerald Carter book LDAP System Administration. > > Well, I'll certainly think about it; > but my need for ldap is very limited, as I said, > and it would not be high on my list of subjects I want to study in depth. > > > 9 - It is not LDAP authentication under fedora...it is LDAP > > authentication that is confusing. User authentication is > > but one potential use for LDAP. > > I believe you. > > Just as a postscript I might add that I have been driven to openldap > as a solution to the address book problem > after looking at vcard/jabber and mysql, > which I would actually prefer to use if there was a reasonably simple > and standard way of doing this. > > I like that idea that vcard can be used to pass address book entries > to and from mobile phones. > > If any has any advice or suggestion on this topic > I would be very interested and grateful. ---- there's nothing that says you have to do authentication at all - especially if your intention is a workgroup driven address book. The funny thing is - that book I've recommended to you twice now, is cheap, simple and you would get it on a fairly quick run through - even though it's outdated (you don't use ldbm any more). If you get nothing else out of this, please get this... LDAP is an erector set - there is no one way of building anything including authentication for your computer/network/services/daemons/etc., group address books or anything. It's all an exercise left to the system administrator. That's why no two web articles/books/walk-throughs will ever be the same. When you start playing with it, it seems so confusing - then all of a sudden - whammo - it clicks in. If you want to shorten the click-in time... LDAP System Administration by Gerald Carter Craig -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list