NP, I almost got them switched in my previous reply too :-) (But I was typing with baby in lap)
henrik

On Mon, Oct 3, 2011 at 8:33 PM, Daniel Nichter <[email protected]> wrote:
> Oh no, now I'm confusing myself and everyone else. :-) Your terminology was
> correct the first time. Let me try once more, and this time I'm going to pay
> close attention to what I type:
>
> You write the pages for Authentication to cover auth_pam, and whatever other
> auth plugins you want, and I'll write the auth_schema page.
>
> I write the section on Authorization: simple_user_policy and regex_policy.
>
> -Daniel
>
> On 3 Oct 2011, at 10:43, Henrik Ingo wrote:
>
>> :-)
>>
>> Confusion of terminology: To me Authentication = the thing that uses
>> username+password and auth_pam and auth_ldap are part of that.
>>
>> Authorization = GRANT and REVOKE = authenticated user is allowed / not
>> allowed to do X.
>>
>> But I'm happy to cover auth_pam and auth_ldap, if you cover the basic
>> auth_schema use case.
>>
>> Yeah, I don't think a lot of people will use ldap (or even auth_pam,
>> given the need to use plaintext passwords), but I selected it as a
>> "marketing feature" due to Oracle/MySQL recently announcing a similar
>> proprietary feature. I think it can get some publicity, and it's an
>> "enterprise feature", even if most users wouldn't use it.
>>
>> henrik
>>
>> On Mon, Oct 3, 2011 at 7:05 PM, Daniel Nichter <[email protected]> wrote:
>>> The reverse: you write Authorization so you can cover whichever auth_*
>>> plugins you want (auth_pam, etc.), and I'll write Authentication since I
>>> have a little insight into that. Does that work?
>>>
>>> Also, I agree about auth_ldap: it's pretty complex and I don't think LDAP
>>> is very common in the Unix world. Afaik, LDAP is what Windows uses (or
>>> did--I don't keep up with Windows).
>>>
>>> On 3 Oct 2011, at 10:01, Henrik Ingo wrote:
>>>
>>>> I agree with scoping of Administration. So will you also cover auth_ldap?
>>>>
>>>> FYI: I've spent today trying to get
>>>> libdrizzle-2.0/libdrizzle/mysql_password_hash (renamed to
>>>> drizzle_password_hash) and plugin/auth_ldap/schema/gentestusers.sh
>>>> (renamed to drizzle_create_ldap_user) included in make install, so
>>>> that end users could also benefit from them. I think while LDAP is a
>>>> bit complex (and people complain about SQL!!) one good thing with
>>>> auth_ldap is the fact you can actually use hashed passwords, and I'd
>>>> like to make it easy for users to actually do that.
>>>>
>>>> I'll have to look at authorization/policy plugins, I have absolutely
>>>> zero insight into that so far.
>>>>
>>>> henrik
>>>>
>>>> On Mon, Oct 3, 2011 at 5:56 PM, Daniel Nichter <[email protected]> wrote:
>>>>> Henrik,
>>>>> I was thinking that Administration entails Authentication and
>>>>> Authorization.
>>>>> The section on Authentication could cover (eventually) all of Drizzle's
>>>>> auth plugins and other authentication-related information like how to make
>>>>> the drizzle client work with those auth plugins by using --protocol
>>>>> mysql-plugin-auth. And Authorization could talk about the various policy
>>>>> plugins.
>>>>> So maybe you could write Authorization for the auth plugins you want to
>>>>> feature, and I can write Authentication?
>>>>> As for auth_schema, I'm glad you like it. :-) I will have it ready to go
>>>>> by the end of this week and then I'll propose it for merging. It's not
>>>>> perfect yet, but I think it's useful enough.
>>>>> -Daniel
>>>>>
>>>>> On 2 Oct 2011, at 14:39, Henrik Ingo wrote:
>>>>>
>>>>> I picked ldap_auth and pam_auth for our focus areas:
>>>>> https://blueprints.launchpad.net/drizzle/+spec/docs71-focus-areas I
>>>>> now realize auth_schema should be included too, unless of course we
>>>>> think it is implied by Administration.
>>>>>
>>>>> Basically I want to make sure that docs/index.rst in those 3 plugins
>>>>> is usable for the average user. It seems it is mostly a question of
>>>>> supplying a good example section in addition to the file you've
>>>>> generated. When you say you want to document administration, do you
>>>>> want to claim all of auth_pam/docs/index.rst for yourself? Feel free
>>>>> to do so. I assume auth_schema is part of administration.
>>>>>
>>>>> I started today trying to understand ldap_auth. (And it seems to be a
>>>>> rule that no matter how innocent the things I do, I end up changing
>>>>> Makefile.am. In this case plugin/ldap_auth/ has material that is only
>>>>> there if you work from the bzr repository, so to document how to create
>>>>> LDAP users, I first have to move a utility from noinst_PROGRAMS to
>>>>> bin_PROGRAMS...)
>>>>>
>>>>> From what I've learned today, auth_pam is a good authentication
>>>>> method, except for the drawback that you end up using plaintext
>>>>> passwords. auth_ldap actually has an advantage: it is designed to store
>>>>> the MySQL hashed passwords in a custom LDAP field, however it is way
>>>>> too complex for the average user to set up. (It mostly just makes sense
>>>>> if you already use LDAP.)
>>>>>
>>>>> A conclusion of the above is that I really appreciate you creating
>>>>> auth_schema, and hope it is included in the beta because it is the
>>>>> only alternative that is both secure and user friendly and should be
>>>>> the default and recommended auth plugin.
>>>>>
>>>>> henrik
>>>>>
>>>>> On Sun, Oct 2, 2011 at 7:34 PM, Daniel Nichter <[email protected]> wrote:
>>>>>
>>>>> Hi Henrik,
>>>>>
>>>>> Correct: I did not update the docs. When I update the Administration docs
>>>>> for 7.1, I will mention it. What docs are you updating where it's
>>>>> relevant?
>>>>>
>>>>> -Daniel
>>>>>
>>>>> On 2 Oct 2011, at 03:15, Henrik Ingo wrote:
>>>>>
>>>>> Hi Daniel
>>>>>
>>>>> Related to your work in figuring out PAM authentication and knowing
>>>>> that you worked a little on documentation, am I correct that you
>>>>> didn't update any docs for this? I was thinking to select this as a
>>>>> focus area where we should update the docs for 7.1 release. I'm
>>>>> volunteering to do it, and the info in your blog post is already
>>>>> sufficient, just wanted to check you are not sitting on some
>>>>> documentation that I don't see yet in trunk?
>>>>>
>>>>> henrik
>>>>>
>>>>> On Fri, Sep 9, 2011 at 4:52 AM, Daniel Nichter <[email protected]> wrote:
>>>>>
>>>>> This has been resolved:
>>>>> http://hackdrizzle.com/authenticating-with-authentication-plugins/
>>>>>
>>>>> On 9 Aug 2011, at 18:12, Daniel Nichter wrote:
>>>>>
>>>>> I'd like to draw attention to
>>>>> https://bugs.launchpad.net/drizzle/+bug/823637: "auth_pam and auth_http do
>>>>> not work". I think the reason is that the authentication system does not
>>>>> pass authentication plugins a plaintext password, only a MySQL-scrambled
>>>>> hash of the original plaintext password. I've verified that this is a
>>>>> problem with auth_http by manually inserting a plaintext password.
>>>>>
>>>>> If this is the root problem, then I don't see how the authentication
>>>>> system will work because a MySQL password hash is only useful for MySQL,
>>>>> i.e. pam and curl can't use it. Can the plaintext password still be accessed?
>>>>>
>>>>> -Daniel
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list: https://launchpad.net/~drizzle-discuss
>>>>> Post to     : [email protected]
>>>>> Unsubscribe : https://launchpad.net/~drizzle-discuss
>>>>> More help   : https://help.launchpad.net/ListHelp
>>>>>
>>>>> --
>>>>> [email protected]
>>>>> +358-40-8211286 skype: henrik.ingo irc: hingo
>>>>> www.openlife.cc
>>>>>
>>>>> My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559
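
The thread's point about a "MySQL-scrambled hash" being useless to PAM or HTTP backends, while a backend that stores the MySQL hash (as described for auth_ldap) can still check it, is illustrated below. This is an added example, not code from Drizzle or from either poster; it assumes the scramble is the MySQL 4.1 native-password scheme, and every function name and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: str) -> bytes:
    """Server-side record: SHA1(SHA1(password)), never the plaintext."""
    return sha1(sha1(password.encode()))


def client_scramble(password: str, nonce: bytes) -> bytes:
    """Sent on the wire: SHA1(pw) XOR SHA1(nonce + SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(nonce + sha1(stage1)))


def hash_backend_verify(scramble: bytes, nonce: bytes, stored: bytes) -> bool:
    """A backend holding the double hash can undo the XOR and check the result."""
    stage1 = xor(scramble, sha1(nonce + stored))
    return hmac.compare_digest(sha1(stage1), stored)


def plaintext_backend_verify(received: bytes, real_password: str) -> bool:
    """Stand-in for PAM or an HTTP endpoint: it can only compare plaintext."""
    return hmac.compare_digest(received, real_password.encode())


def demo() -> dict:
    password = "correct-horse-example"  # constructed sample value
    nonce_a, nonce_b = os.urandom(20), os.urandom(20)  # per-connection nonces
    stored = stored_hash(password)
    token = client_scramble(password, nonce_a)
    return {
        "hash_backend_accepts": hash_backend_verify(token, nonce_a, stored),
        "replay_under_new_nonce": hash_backend_verify(token, nonce_b, stored),
        "plaintext_backend_accepts_scramble": plaintext_backend_verify(token, password),
        "plaintext_backend_accepts_plaintext": plaintext_backend_verify(password.encode(), password),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The scramble is bound to one nonce and cannot be turned back into the password, so a plugin that has to forward a plaintext credential has nothing usable unless the client sends the plaintext itself.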

