:-) Confusion of terminology: To me Authentication = the thing that uses username+password and auth_pam and auth_ldap are part of that.
Authorization = GRANT and REVOKE = authenticated user is allowed / not allowed to do X. But I'm happy to cover auth_pam and auth_ldap, if you cover the basic auth_schema use case. Yeah, I don't think lot of people will use ldap (or even auth_pam, given the need to use plaintext passwords), but I selected it as "marketing feature" due to Oracle/MySQL recently announcing similar proprietary feature. I think it can get some publicity, and it's a "enterprise feature", even if most users wouldn't use it. henrik On Mon, Oct 3, 2011 at 7:05 PM, Daniel Nichter <[email protected]> wrote: > The reverse: you write Authorization so you can cover whichever auth_* > plugins you want (auth_pam, etc.), and I'll write Authentication since I have > a little insight into that. Does that work? > > Also, I agree about auth_ldap: it's pretty complex and I don't think LDAP is > very common in the Unix world. Afaik, LDAP is what Windows uses (or did--I > don't keep up with Windows). > > Le 3 oct. 2011 à 10:01, Henrik Ingo a écrit : > >> I agree with scoping of Administration. So will you also cover auth_ldap? >> >> FYI: I've spent today trying to get >> libdrizzle-2.0/libdrizzle/mysql_password_hash (renamed to >> drizzle_password_hash) and plugin/auth_ldap/schema/gentestusers.sh >> (renamed to drizzle_create_ldap_user) included in make install, so >> that also end users could benefit from them. I think while LDAP is a >> bit complex (and people complain about SQL!!) one good thing with >> auth_ldap is the fact you can actually use hashed passwords, and I'd >> like to make it easy for users to actually do that. >> >> I'll have to look at authorization/policy plugins, I have absolutely >> zero insight into that so far. >> >> henrik >> >> On Mon, Oct 3, 2011 at 5:56 PM, Daniel Nichter <[email protected]> wrote: >>> Henrik, >>> I was thinking that Administration entails Authentication and Authorization. >>> The section on Authentication could cover (eventually) all of Drizzle's >>> auth plugins and other authentication-related information like how to make >>> the drizzle client work with those auth plugins by using --protocol >>> mysql-plugin-auth. And Authorization could talk about the various policy >>> plugins. >>> So maybe you could write Authorization for the auth plugins you want to >>> feature, and I can write Authentication? >>> As for auth_schema, I'm glad you like it. :-) I will have it ready to go >>> by the end of this week and then I'll propose it for merging, It's not >>> perfect yet, but I think it's useful enough. >>> -Daniel >>> Le 2 oct. 2011 à 14:39, Henrik Ingo a écrit : >>> >>> I picked ldap_auth and pam_auth for our focus areas: >>> https://blueprints.launchpad.net/drizzle/+spec/docs71-focus-areas I >>> now realize auth_schema should be included too, unless of course we >>> think it is implied by Administration. >>> >>> Basically I want to make sure that docs/index.rst in those 3 plugins >>> is usable for the average user. It seems it is mostly a question of >>> supplying a good example section in addition to the file you've >>> generated. When you say you want to document administration, do you >>> want to claim all of auth_pam/docs/index.rst for yourself? Feel free >>> to do so. I assume auth_schema is part of administration. >>> >>> I started today trying to understand ldap_auth. (And it seems to be a >>> rule that no matter how innocent things I do I end up changing >>> Makefile.am. In this case plugin/ldap_auth/ has material that is only >>> there if you work from bzr repository, so to document how to create >>> LDAP users, I first have to move a utility from noinst_PROGRAMS to >>> bin_PROGRAMS... >>> >>> From what I've learned today, auth_pam is a good authentication >>> method, except for the drawback that you end up using plaintext >>> passwords. auth_ldap actually has an advantage it is designed to store >>> the MySQL hashed passwords in a custom LDAP field, however it is way >>> too complex for the average user to setup. (It mostly just makes sense >>> if you already use LDAP.) >>> >>> A conclusion of the above is that I really appreciate you creating >>> auth_schema, and hope it is included in the beta because it is the >>> only alternative that is both secure and user friendly and should be >>> the default and recommended auth plugin. >>> >>> henrik >>> >>> >>> On Sun, Oct 2, 2011 at 7:34 PM, Daniel Nichter <[email protected]> wrote: >>> >>> Hi Henrik, >>> >>> Correct: I did not update the docs. When I update the Administration docs >>> for 7.1, I will mention it. What docs are you updating where it's >>> relevant? >>> >>> -Daniel >>> >>> Le 2 oct. 2011 à 03:15, Henrik Ingo a écrit : >>> >>> Hi Daniel >>> >>> Related to your work in figuring out PAM authentication and knowing >>> >>> that you worked a little on documentation, am I correct that you >>> >>> didn't update any docs for this? I was thinking to select this as a >>> >>> focus area where we should update the docs for 7.1 release. I'm >>> >>> volunteering to do it, and the info in your blog post is already >>> >>> sufficient, just wanted to check you are not sitting on some >>> >>> documentation that I don't see yet in trunk? >>> >>> henrik >>> >>> On Fri, Sep 9, 2011 at 4:52 AM, Daniel Nichter <[email protected]> wrote: >>> >>> This has been resolved: >>> http://hackdrizzle.com/authenticating-with-authentication-plugins/ >>> >>> Le 9 août 2011 à 18:12, Daniel Nichter a écrit : >>> >>> I'd like to draw attention to >>> https://bugs.launchpad.net/drizzle/+bug/823637: "auth_pam and auth_http do >>> not work". I think the reason is that the authentication system does not >>> pass authentication plugins a plaintext password, only a MySQL-scrambled >>> hash of the original plaintext password. I've verified that this is problem >>> with auth_http by manually inserting a plaintext password. >>> >>> If this is the root problem, then I don't see how the authentication system >>> will work because a MySQL password hash is only useful for MySQL, i.e. pam >>> and curl can't use it. Can the plaintext password still be accessed? >>> >>> -Daniel >>> >>> _______________________________________________ >>> >>> Mailing list: https://launchpad.net/~drizzle-discuss >>> >>> Post to : [email protected] >>> >>> Unsubscribe : https://launchpad.net/~drizzle-discuss >>> >>> More help : https://help.launchpad.net/ListHelp >>> >>> >>> _______________________________________________ >>> >>> Mailing list: https://launchpad.net/~drizzle-discuss >>> >>> Post to : [email protected] >>> >>> Unsubscribe : https://launchpad.net/~drizzle-discuss >>> >>> More help : https://help.launchpad.net/ListHelp >>> >>> >>> >>> >>> -- >>> >>> [email protected] >>> >>> +358-40-8211286 skype: henrik.ingo irc: hingo >>> >>> www.openlife.cc >>> >>> My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559 >>> >>> >>> >>> >>> >>> -- >>> [email protected] >>> +358-40-8211286 skype: henrik.ingo irc: hingo >>> www.openlife.cc >>> >>> My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559 >>> >>> >> >> >> >> -- >> [email protected] >> +358-40-8211286 skype: henrik.ingo irc: hingo >> www.openlife.cc >> >> My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559 > > -- [email protected] +358-40-8211286 skype: henrik.ingo irc: hingo www.openlife.cc My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559 _______________________________________________ Mailing list: https://launchpad.net/~drizzle-discuss Post to : [email protected] Unsubscribe : https://launchpad.net/~drizzle-discuss More help : https://help.launchpad.net/ListHelp
