Authentication nightmare under Fedora 7

Craig White craig at tobyhouse.com
Mon Nov 12 22:58:55 UTC 2007


On Mon, 2007-11-12 at 21:55 +0000, Timothy Murphy wrote:
> Craig White wrote:
> 
> >> This led me to ponder authentication in Fedora.
> >> Is it really the complete shambles it seems to me to be?
> >> Are there several rival authentication methods:
> >> SASL, SSL, TLS, etc?
> >> How does one tell which to use?
> >> Is all this documented anywhere?
> >> I seem to have *.pem files all over the place.
> >> And how does all this fit in with /etc/pam.d/ ?
> >> And what does /etc/nsswitch.conf have to do with it?
> >> 
> >> Is authentication under Fedora utterly confusing,
> >> or have I got hold of the wrong end of the stick?
> > ----
> > 1 - Your attitude is way off
> 
> Well, thanks for responding anyway.
> I must say your reply tends to confirm that authentication in Fedora
> (possibly in Linux generally) is confusing,
> not because your answer is not clear, I hasten to add,
> but because there seem several methods available,
> and it is not at all clear in some cases - 
> certainly in the case of openldap - which one you are meant to use.
> 
> I think my attitude was fairly understandable,
> given that I spent two hours staring at my desktop
> (which I don't normally go near)
> after giving what seemed the harmless command "authconfig.gtk".
> I couldn't believe that this command could have the disastrous effect 
> it did, with the system slowly dying bit-by-bit
> until it finally stopped altogether.
>  
> > 2 - When LDAP protocol was originally conceived, it had
> >     absolutely nothing to do with user authentication...check
> >     the historical usage for ldap.
> 
> With respect, I've read a few documents on the history of ldap,
> and not found them at all helpful for my purpose,
> which is the not very grandiose task
> of setting up a system-wide address book on my home LAN.
> I'm actually using my web-server, so it is fairly important,
> I think, to use some kind of authentication.
> 
> > 3 - There is absolutely no single method to use LDAP for
> >     authentication - it's always left to the end users to
> >     design and implement. That's why every different author
> >     has a different take on how to do things.
> 
> This is probably the cause of my suffering.
> I looked at 3 or 4 documents on openldap,
> and as you say they seemed to be using different authentication methods.
> Actually, some of them seemed to suggest that the user (ie me)
> would know what to do, which is certainly not true in my case.
> 
> > 4 - Implementing access points into various daemons/services
> >     is clearly an exercise left up to the administrator...there
> >     simply is no one way to do these things.
> 
> But they (or you) could still tell me one way,
> and just mention that there are alternatives.
> 
> > 5 - OpenLDAP manuals assume a very high level of
> >     administrator knowledge.
> 
> I'm not sure what you mean by administrator knowledge.
> I think of myself as reasonably adept at administration
> (I've certainly been doing it for a long time)
> and haven't really met anything like the same degree of confusion
> with authentication that I find with openldap.
> 
> > 6 - You haven't even figured out what is authentication and
> >     what is encryption...you probably need to do that.
> >     - SSL = Encryption
> >     - TLS = Encryption
> >     - SASL = Encryption though to be fair, SASLAuthd is an
> >       authentication system for sasl
> 
> I must confess I'm not clear on the distinction.
> I would have thought encryption and authentication
> were inextricably linked.
> Presumably if one machine or program uses encryption
> it has to pass the data necessary for decryption
> to any other machine or program needing the encrypted information,
> and the passage of this data is the principal task of authentication,
> I would have thought.
> 
> > 7 - starting system message bus hang is well understood and
> >     has nothing to do with anything else...to fix, add the
> >     following lines to /etc/ldap.conf
> 
> Thanks very much - I did indeed deduce after some time
> that the problem lay with the message bus,
> and in fact my temporary solution was to stop the messagebus service.
> However, this certainly was not well understood by me.
> 
> >     timelimit 30
> >     bind_timelimit 30
> >     bind_policy soft
> >     nss_initgroups_ignoreusers root,ldap
> 
> I shall indeed add these lines. 
>  
> >     too bad that authconfig doesn't do this for you.
> 
> > 8 - I could not have made it more clear and my suggestion was
> >     even seconded...if you want to learn about ldap - buy the
> >     Gerald Carter book LDAP System Administration.
> 
> Well, I'll certainly think about it;
> but my need for ldap is very limited, as I said,
> and it would not be high on my list of subjects I want to study in depth.
> 
> > 9 - It is not LDAP authentication under fedora...it is LDAP
> >     authentication that is confusing. User authentication is
> >     but one potential use for LDAP.
> 
> I believe you.
> 
> Just as a postscript I might add that I have been driven to openldap
> as a solution to the address book problem
> after looking at vcard/jabber and mysql,
> which I would actually prefer to use if there was a reasonably simple
> and standard way of doing this.
> 
> I like that idea that vcard can be used to pass address book entries
> to and from mobile phones.
> 
> If anyone has any advice or suggestion on this topic
> I would be very interested and grateful.
----
There's nothing that says you have to do authentication at all -
especially if your intention is a workgroup driven address book.

The funny thing is - that book I've recommended to you twice now is
cheap, simple and you would get it on a fairly quick run through - even
though it's outdated (you don't use ldbm any more).

If you get nothing else out of this, please get this...

LDAP is an erector set - there is no one way of building anything
including authentication for your
computer/network/services/daemons/etc., group address books or anything.

It's all an exercise left to the system administrator.

That's why no two web articles/books/walk-throughs will ever be the
same.

When you start playing with it, it seems so confusing - then all of a
sudden - whammo - it clicks in. If you want to shorten the click-in
time... LDAP System Administration by Gerald Carter

Craig
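As an added example (not from the thread or from either poster), here is a small audit of the /etc/ldap.conf lines quoted above: it parses nss_ldap-style "keyword value" lines and reports which of the hang-prevention settings are missing or still set so that name-service lookups block while the LDAP server is unreachable. The sample configs are constructed.

```python
"""Audit an nss_ldap/pam_ldap-style /etc/ldap.conf for the settings that
stop getpwnam()/initgroups() lookups from blocking when the LDAP server is
down (the cause of the 'starting system message bus' hang)."""

# Settings recommended in the thread, with the values given there.
RECOMMENDED = {
    "timelimit": "30",
    "bind_timelimit": "30",
    "bind_policy": "soft",
    "nss_initgroups_ignoreusers": "root,ldap",
}


def parse_ldap_conf(text):
    """Return {keyword: value}; '#' starts a comment, blank lines are skipped,
    and keywords are lower-cased here so comparisons are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means the fix is in place."""
    s = parse_ldap_conf(text)
    findings = []
    # nss_ldap defaults to a hard bind policy: every lookup retries until the
    # server answers, so boot-time services that resolve users stall.
    if s.get("bind_policy", "hard").lower() != "soft":
        findings.append("bind_policy is not 'soft': lookups block while the server is down")
    for key in ("timelimit", "bind_timelimit"):
        val = s.get(key, "")
        if not val.isdigit() or int(val) == 0:
            findings.append(f"{key} missing or unlimited; the thread suggests 30")
    ignored = {u.strip() for u in s.get("nss_initgroups_ignoreusers", "").split(",") if u.strip()}
    for user in ("root", "ldap"):
        if user not in ignored:
            findings.append(f"nss_initgroups_ignoreusers does not list {user}")
    return findings


# Constructed samples: a config as authconfig leaves it, and the same with the fix.
SAMPLE_BEFORE = "# /etc/ldap.conf (constructed)\nbase dc=example,dc=com\nuri ldap://ldap.example.com/\nssl start_tls\n"
SAMPLE_AFTER = SAMPLE_BEFORE + "".join(f"{k} {v}\n" for k, v in RECOMMENDED.items())

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_ldap_conf(cfg) or "ok")
```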
