I agree with scoping of Administration. So will you also cover auth_ldap? FYI: I've spent today trying to get libdrizzle-2.0/libdrizzle/mysql_password_hash (renamed to drizzle_password_hash) and plugin/auth_ldap/schema/gentestusers.sh (renamed to drizzle_create_ldap_user) included in make install, so that also end users could benefit from them. I think while LDAP is a bit complex (and people complain about SQL!!) one good thing with auth_ldap is the fact you can actually use hashed passwords, and I'd like to make it easy for users to actually do that.
I'll have to look at authorization/policy plugins, I have absolutely zero insight into that so far. henrik On Mon, Oct 3, 2011 at 5:56 PM, Daniel Nichter <[email protected]> wrote: > Henrik, > I was thinking that Administration entails Authentication and Authorization. > The section on Authentication could cover (eventually) all of Drizzle's > auth plugins and other authentication-related information like how to make > the drizzle client work with those auth plugins by using --protocol > mysql-plugin-auth. And Authorization could talk about the various policy > plugins. > So maybe you could write Authorization for the auth plugins you want to > feature, and I can write Authentication? > As for auth_schema, I'm glad you like it. :-) I will have it ready to go > by the end of this week and then I'll propose it for merging, It's not > perfect yet, but I think it's useful enough. > -Daniel > Le 2 oct. 2011 à 14:39, Henrik Ingo a écrit : > > I picked ldap_auth and pam_auth for our focus areas: > https://blueprints.launchpad.net/drizzle/+spec/docs71-focus-areas I > now realize auth_schema should be included too, unless of course we > think it is implied by Administration. > > Basically I want to make sure that docs/index.rst in those 3 plugins > is usable for the average user. It seems it is mostly a question of > supplying a good example section in addition to the file you've > generated. When you say you want to document administration, do you > want to claim all of auth_pam/docs/index.rst for yourself? Feel free > to do so. I assume auth_schema is part of administration. > > I started today trying to understand ldap_auth. (And it seems to be a > rule that no matter how innocent things I do I end up changing > Makefile.am. In this case plugin/ldap_auth/ has material that is only > there if you work from bzr repository, so to document how to create > LDAP users, I first have to move a utility from noinst_PROGRAMS to > bin_PROGRAMS... > > From what I've learned today, auth_pam is a good authentication > method, except for the drawback that you end up using plaintext > passwords. auth_ldap actually has an advantage it is designed to store > the MySQL hashed passwords in a custom LDAP field, however it is way > too complex for the average user to setup. (It mostly just makes sense > if you already use LDAP.) > > A conclusion of the above is that I really appreciate you creating > auth_schema, and hope it is included in the beta because it is the > only alternative that is both secure and user friendly and should be > the default and recommended auth plugin. > > henrik > > > On Sun, Oct 2, 2011 at 7:34 PM, Daniel Nichter <[email protected]> wrote: > > Hi Henrik, > > Correct: I did not update the docs. When I update the Administration docs > for 7.1, I will mention it. What docs are you updating where it's > relevant? > > -Daniel > > Le 2 oct. 2011 à 03:15, Henrik Ingo a écrit : > > Hi Daniel > > Related to your work in figuring out PAM authentication and knowing > > that you worked a little on documentation, am I correct that you > > didn't update any docs for this? I was thinking to select this as a > > focus area where we should update the docs for 7.1 release. I'm > > volunteering to do it, and the info in your blog post is already > > sufficient, just wanted to check you are not sitting on some > > documentation that I don't see yet in trunk? > > henrik > > On Fri, Sep 9, 2011 at 4:52 AM, Daniel Nichter <[email protected]> wrote: > > This has been resolved: > http://hackdrizzle.com/authenticating-with-authentication-plugins/ > > Le 9 août 2011 à 18:12, Daniel Nichter a écrit : > > I'd like to draw attention to > https://bugs.launchpad.net/drizzle/+bug/823637: "auth_pam and auth_http do > not work". I think the reason is that the authentication system does not > pass authentication plugins a plaintext password, only a MySQL-scrambled > hash of the original plaintext password. I've verified that this is problem > with auth_http by manually inserting a plaintext password. > > If this is the root problem, then I don't see how the authentication system > will work because a MySQL password hash is only useful for MySQL, i.e. pam > and curl can't use it. Can the plaintext password still be accessed? > > -Daniel > > _______________________________________________ > > Mailing list: https://launchpad.net/~drizzle-discuss > > Post to : [email protected] > > Unsubscribe : https://launchpad.net/~drizzle-discuss > > More help : https://help.launchpad.net/ListHelp > > > _______________________________________________ > > Mailing list: https://launchpad.net/~drizzle-discuss > > Post to : [email protected] > > Unsubscribe : https://launchpad.net/~drizzle-discuss > > More help : https://help.launchpad.net/ListHelp > > > > > -- > > [email protected] > > +358-40-8211286 skype: henrik.ingo irc: hingo > > www.openlife.cc > > My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559 > > > > > > -- > [email protected] > +358-40-8211286 skype: henrik.ingo irc: hingo > www.openlife.cc > > My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559 > > -- [email protected] +358-40-8211286 skype: henrik.ingo irc: hingo www.openlife.cc My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559 _______________________________________________ Mailing list: https://launchpad.net/~drizzle-discuss Post to : [email protected] Unsubscribe : https://launchpad.net/~drizzle-discuss More help : https://help.launchpad.net/ListHelp
