The reverse: you write Authorization so you can cover whichever auth_* plugins you want (auth_pam, etc.), and I'll write Authentication since I have a little insight into that. Does that work?
Also, I agree about auth_ldap: it's pretty complex and I don't think LDAP is very common in the Unix world. Afaik, LDAP is what Windows uses (or did--I don't keep up with Windows).

On 3 Oct 2011, at 10:01, Henrik Ingo wrote:

> I agree with scoping of Administration. So will you also cover auth_ldap?
>
> FYI: I've spent today trying to get
> libdrizzle-2.0/libdrizzle/mysql_password_hash (renamed to
> drizzle_password_hash) and plugin/auth_ldap/schema/gentestusers.sh
> (renamed to drizzle_create_ldap_user) included in make install, so
> that also end users could benefit from them. I think while LDAP is a
> bit complex (and people complain about SQL!!) one good thing with
> auth_ldap is the fact you can actually use hashed passwords, and I'd
> like to make it easy for users to actually do that.
>
> I'll have to look at authorization/policy plugins, I have absolutely
> zero insight into that so far.
>
> henrik
>
> On Mon, Oct 3, 2011 at 5:56 PM, Daniel Nichter <[email protected]> wrote:
>> Henrik,
>> I was thinking that Administration entails Authentication and Authorization.
>> The section on Authentication could cover (eventually) all of Drizzle's
>> auth plugins and other authentication-related information like how to make
>> the drizzle client work with those auth plugins by using --protocol
>> mysql-plugin-auth. And Authorization could talk about the various policy
>> plugins.
>> So maybe you could write Authorization for the auth plugins you want to
>> feature, and I can write Authentication?
>> As for auth_schema, I'm glad you like it. :-) I will have it ready to go
>> by the end of this week and then I'll propose it for merging. It's not
>> perfect yet, but I think it's useful enough.
>> -Daniel
>> On 2 Oct 2011, at 14:39, Henrik Ingo wrote:
>>
>> I picked ldap_auth and pam_auth for our focus areas:
>> https://blueprints.launchpad.net/drizzle/+spec/docs71-focus-areas I
>> now realize auth_schema should be included too, unless of course we
>> think it is implied by Administration.
>>
>> Basically I want to make sure that docs/index.rst in those 3 plugins
>> is usable for the average user. It seems it is mostly a question of
>> supplying a good example section in addition to the file you've
>> generated. When you say you want to document administration, do you
>> want to claim all of auth_pam/docs/index.rst for yourself? Feel free
>> to do so. I assume auth_schema is part of administration.
>>
>> I started today trying to understand ldap_auth. (And it seems to be a
>> rule that no matter how innocent things I do I end up changing
>> Makefile.am. In this case plugin/ldap_auth/ has material that is only
>> there if you work from bzr repository, so to document how to create
>> LDAP users, I first have to move a utility from noinst_PROGRAMS to
>> bin_PROGRAMS...
>>
>> From what I've learned today, auth_pam is a good authentication
>> method, except for the drawback that you end up using plaintext
>> passwords. auth_ldap actually has an advantage it is designed to store
>> the MySQL hashed passwords in a custom LDAP field, however it is way
>> too complex for the average user to set up. (It mostly just makes sense
>> if you already use LDAP.)
>>
>> A conclusion of the above is that I really appreciate you creating
>> auth_schema, and hope it is included in the beta because it is the
>> only alternative that is both secure and user friendly and should be
>> the default and recommended auth plugin.
>>
>> henrik
>>
>> On Sun, Oct 2, 2011 at 7:34 PM, Daniel Nichter <[email protected]> wrote:
>>
>> Hi Henrik,
>>
>> Correct: I did not update the docs. When I update the Administration docs
>> for 7.1, I will mention it. What docs are you updating where it's
>> relevant?
>>
>> -Daniel
>>
>> On 2 Oct 2011, at 03:15, Henrik Ingo wrote:
>>
>> >> Hi Daniel
>> >>
>> >> Related to your work in figuring out PAM authentication and knowing
>> >> that you worked a little on documentation, am I correct that you
>> >> didn't update any docs for this? I was thinking to select this as a
>> >> focus area where we should update the docs for 7.1 release. I'm
>> >> volunteering to do it, and the info in your blog post is already
>> >> sufficient, just wanted to check you are not sitting on some
>> >> documentation that I don't see yet in trunk?
>> >>
>> >> henrik
>> >>
>> >> On Fri, Sep 9, 2011 at 4:52 AM, Daniel Nichter <[email protected]> wrote:
>>
>> This has been resolved:
>> http://hackdrizzle.com/authenticating-with-authentication-plugins/
>>
>> On 9 Aug 2011, at 18:12, Daniel Nichter wrote:
>>
>> I'd like to draw attention to
>> https://bugs.launchpad.net/drizzle/+bug/823637: "auth_pam and auth_http do
>> not work". I think the reason is that the authentication system does not
>> pass authentication plugins a plaintext password, only a MySQL-scrambled
>> hash of the original plaintext password. I've verified that this is problem
>> with auth_http by manually inserting a plaintext password.
>>
>> If this is the root problem, then I don't see how the authentication system
>> will work because a MySQL password hash is only useful for MySQL, i.e. pam
>> and curl can't use it. Can the plaintext password still be accessed?
>>
>> -Daniel
>>
>> >> _______________________________________________
>> >> Mailing list: https://launchpad.net/~drizzle-discuss
>> >> Post to : [email protected]
>> >> Unsubscribe : https://launchpad.net/~drizzle-discuss
>> >> More help : https://help.launchpad.net/ListHelp
>> >>
>> >> --
>> >> [email protected]
>> >> +358-40-8211286 skype: henrik.ingo irc: hingo
>> >> www.openlife.cc
>> >>
>> >> My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559
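
The two points made in the thread (auth_pam and auth_http fail when handed only a MySQL-scrambled hash, while auth_ldap can work from stored MySQL password hashes) are illustrated below. This is an added example, not code from the thread or from Drizzle; it assumes the scramble is the MySQL 4.1 native-password scheme, and all function names and the sample password are hypothetical.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: str) -> bytes:
    """What a hash-storing backend keeps: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))


def client_token(password: str, scramble: bytes) -> bytes:
    """What the client sends: SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(scramble + sha1(stage1)))


def verify_with_stored_hash(token: bytes, scramble: bytes, stored: bytes) -> bool:
    """A backend holding the double hash can validate the token."""
    candidate_stage1 = xor(token, sha1(scramble + stored))
    return hmac.compare_digest(sha1(candidate_stage1), stored)


def verify_like_pam(token: bytes, system_password: str) -> bool:
    """A plaintext-expecting backend (PAM, HTTP auth) treats the bytes it is
    handed as the password itself, so the scrambled token never matches."""
    return hmac.compare_digest(token, system_password.encode())


def demo() -> dict:
    password = "s3cret-constructed"  # constructed sample value
    scramble = os.urandom(20)        # per-connection server challenge
    token = client_token(password, scramble)
    stored = stored_hash(password)
    return {
        "hash_backend_accepts": verify_with_stored_hash(token, scramble, stored),
        "hash_backend_rejects_wrong_pw": verify_with_stored_hash(
            client_token("wrong", scramble), scramble, stored),
        "plaintext_backend_accepts": verify_like_pam(token, password),
        "token_differs_per_connection":
            token != client_token(password, os.urandom(20)),
    }


if __name__ == "__main__":
    print(demo())
```
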

