Authentication nightmare under Fedora 7

Craig White craig at tobyhouse.com
Mon Nov 12 17:30:03 UTC 2007


On Sun, 2007-11-11 at 13:35 +0000, Timothy Murphy wrote:
> I got into a terrible mess yesterday,
> when I ran authconfig.gtk on my desktop,
> checking the ldap checkbox.
> 
> This was one step in the saga of configuring openldap -
> possibly the worst-documented program in the history of computing.
> I actually have openldap working, but was trying to butter the cake
> by installing phpLDAPadmin .
> This again seemed to be working, but whatever I tried
> I got an authentication error.
> Hence the disastrous idea of running authconfig,
> which made the desktop seize up, and fail to re-boot,
> hanging at "Starting system message bus".
> I won't go into the subsequent torture,
> but it ended when I used Knoppix
> to delete all mention of ldap in /etc/nsswitch.conf .
> 
> This led me to ponder authentication in Fedora.
> Is it really the complete shambles it seems to me to be?
> Are there several rival authentication methods:
> SASL, SSL, TLS, etc?
> How does one tell which to use?
> Is all this documented anywhere?
> I seem to have *.pem files all over the place.
> And how does all this fit in with /etc/pam.d/ ?
> And what does /etc/nsswitch.conf have to do with it?
> 
> Is authentication under Fedora utterly confusing,
> or have I got hold of the wrong end of the stick?
----
1 - Your attitude is way off

2 - When the LDAP protocol was originally conceived, it had
    absolutely nothing to do with user authentication...check
    the historical usage for ldap.

3 - There is absolutely no single method to use LDAP for
    authentication - it's always left to the end users to 
    design and implement. That's why every different author
    has a different take on how to do things.

4 - Implementing access points into various daemons/services
    is clearly an exercise left up to the administrator...there
    simply is no one way to do these things.

5 - OpenLDAP manuals assume a very high level of 
    administrator knowledge.

6 - You haven't even figured out what is authentication and
    what is encryption...you probably need to do that.
    - SSL = Encryption
    - TLS = Encryption
    - SASL = Encryption though to be fair, SASLAuthd is an
      authentication system for sasl

7 - starting system message bus hang is well understood and
    has nothing to do with anything else...to fix, add the
    following lines to /etc/ldap.conf

    timelimit 30
    bind_timelimit 30
    bind_policy soft
    nss_initgroups_ignoreusers root,ldap

    too bad that authconfig doesn't do this for you.

8 - I could not have made it more clear and my suggestion was 
    even seconded...if you want to learn about ldap - buy the
    Gerald Carter book LDAP System Administration.

9 - It is not LDAP authentication under fedora...it is LDAP
    authentication that is confusing. User authentication is
    but one potential use for LDAP. 

Craig
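
A check for the settings listed in point 7, as an added example that is not part of the original message: it reads the text of an /etc/ldap.conf and an /etc/nsswitch.conf and reports which of the four suggested directives are missing or differ, but only when nsswitch.conf actually names ldap as a source. The sample file contents and function names are constructed for illustration, and accepting extra nss_initgroups_ignoreusers entries is an assumption of the example.

```python
import re

# Directives and values exactly as given in point 7 of the message above.
SUGGESTED = {"timelimit": "30", "bind_timelimit": "30",
             "bind_policy": "soft", "nss_initgroups_ignoreusers": "root,ldap"}

# Constructed sample inputs (not taken from any real system).
SAMPLE_LDAP_CONF = """\
base dc=example,dc=com
timelimit 120
bind_policy soft
nss_initgroups_ignoreusers root
"""
SAMPLE_NSSWITCH = """\
passwd: files ldap
group:  files [NOTFOUND=continue] ldap
hosts:  files dns
"""

def parse_ldap_conf(text):
    """Map directive -> value; in this sketch a later line overwrites an earlier one."""
    rows = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return {r[0].lower(): (r[1].strip() if len(r) > 1 else "") for r in rows}

def ldap_databases(nsswitch_text):
    """Databases in nsswitch.conf (passwd, group, ...) whose source list names ldap."""
    found = []
    for line in nsswitch_text.splitlines():
        db, sep, sources = line.split("#", 1)[0].partition(":")
        sources = re.sub(r"\[[^\]]*\]", " ", sources)  # drop [STATUS=action] items
        if sep and "ldap" in sources.split():
            found.append(db.strip())
    return found

def audit(ldap_conf_text, nsswitch_text):
    """Return (directive, found, suggested) tuples; empty if nsswitch.conf never consults ldap."""
    if not ldap_databases(nsswitch_text):
        return []
    conf, findings = parse_ldap_conf(ldap_conf_text), []
    for key, want in SUGGESTED.items():
        got = conf.get(key)  # None when the directive is absent
        users = {u.strip() for u in (got or "").split(",")}
        match = set(want.split(",")) <= users if key == "nss_initgroups_ignoreusers" else got == want
        if not match:
            findings.append((key, got, want))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LDAP_CONF, SAMPLE_NSSWITCH), sep="\n")
```

To check a real host, pass the contents of the two files to audit() in place of the samples.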



