Hi guys

I am chiming in a little late, sorry, currently on vacation. Would it be helpful if you guys had a howto doc for getting LDAP all set up? I probably wouldn't be able to help out on anything till next week sometime.

FYI I did the LDAP schema part for the auth_ldap plugin. LDAP is extremely misunderstood and can be a little confusing at first, but after you get over the mountain of a learning curve it's pretty easy :D.

Just thought I would toss my hat in and offer a little help on the auth_ldap part if it's needed.

Edward



On 10/03/2011 01:04 PM, Henrik Ingo wrote:
NP, I almost got them switched in my previous reply too :-) (But I was
typing with baby in lap)

henrik

On Mon, Oct 3, 2011 at 8:33 PM, Daniel Nichter <[email protected]> wrote:
Oh no, now I'm confusing myself and everyone else.  :-)  Your terminology was 
correct the first time.  Let me try once more, and this time I'm going to pay 
close attention to what I type:

You write the pages for Authentication to cover auth_pam, and whatever other 
auth plugins you want, and I'll write auth_schema page.

I write the section on Authorization: simple_user_policy and regex_policy.

-Daniel

On 3 Oct 2011, at 10:43, Henrik Ingo wrote:

:-)

Confusion of terminology: To me Authentication = the thing that uses
username+password and auth_pam and auth_ldap are part of that.

Authorization = GRANT and REVOKE = authenticated user is allowed / not
allowed to do X.

But I'm happy to cover auth_pam and auth_ldap, if you cover the basic
auth_schema use case.

Yeah, I don't think a lot of people will use ldap (or even auth_pam,
given the need to use plaintext passwords), but I selected it as a
"marketing feature" due to Oracle/MySQL recently announcing a similar
proprietary feature. I think it can get some publicity, and it's an
"enterprise feature", even if most users wouldn't use it.

henrik

On Mon, Oct 3, 2011 at 7:05 PM, Daniel Nichter <[email protected]> wrote:
The reverse: you write Authorization so you can cover whichever auth_* plugins 
you want (auth_pam, etc.), and I'll write Authentication since I have a little 
insight into that.  Does that work?

Also, I agree about auth_ldap: it's pretty complex and I don't think LDAP is 
very common in the Unix world.  Afaik, LDAP is what Windows uses (or did--I 
don't keep up with Windows).

On 3 Oct 2011, at 10:01, Henrik Ingo wrote:

I agree with scoping of Administration. So will you also cover auth_ldap?

FYI: I've spent today trying to get
libdrizzle-2.0/libdrizzle/mysql_password_hash (renamed to
drizzle_password_hash) and plugin/auth_ldap/schema/gentestusers.sh
(renamed to drizzle_create_ldap_user) included in make install, so
that also end users could benefit from them. I think while LDAP is a
bit complex (and people complain about SQL!!) one good thing with
auth_ldap is the fact you can actually use hashed passwords, and I'd
like to make it easy for users to actually do that.

I'll have to look at authorization/policy plugins, I have absolutely
zero insight into that so far.

henrik

On Mon, Oct 3, 2011 at 5:56 PM, Daniel Nichter <[email protected]> wrote:
Henrik,

I was thinking that Administration entails Authentication and Authorization.
The section on Authentication could cover (eventually) all of Drizzle's
auth plugins and other authentication-related information like how to make
the drizzle client work with those auth plugins by using --protocol
mysql-plugin-auth. And Authorization could talk about the various policy
plugins.

So maybe you could write Authorization for the auth plugins you want to
feature, and I can write Authentication?

As for auth_schema, I'm glad you like it.  :-)  I will have it ready to go
by the end of this week and then I'll propose it for merging. It's not
perfect yet, but I think it's useful enough.

-Daniel

On 2 Oct 2011, at 14:39, Henrik Ingo wrote:

I picked ldap_auth and pam_auth for our focus areas:
https://blueprints.launchpad.net/drizzle/+spec/docs71-focus-areas I
now realize auth_schema should be included too, unless of course we
think it is implied by Administration.

Basically I want to make sure that docs/index.rst in those 3 plugins
is usable for the average user. It seems it is mostly a question of
supplying a good example section in addition to the file you've
generated. When you say you want to document administration, do you
want to claim all of auth_pam/docs/index.rst for yourself? Feel free
to do so. I assume auth_schema is part of administration.

I started today trying to understand ldap_auth. (And it seems to be a
rule that no matter how innocent things I do I end up changing
Makefile.am. In this case plugin/ldap_auth/ has material that is only
there if you work from bzr repository, so to document how to create
LDAP users, I first have to move a utility from noinst_PROGRAMS to
bin_PROGRAMS...)

From what I've learned today, auth_pam is a good authentication
method, except for the drawback that you end up using plaintext
passwords. auth_ldap actually has an advantage: it is designed to store
the MySQL hashed passwords in a custom LDAP field, however it is way
too complex for the average user to set up. (It mostly just makes sense
if you already use LDAP.)

A conclusion of the above is that I really appreciate you creating
auth_schema, and hope it is included in the beta because it is the
only alternative that is both secure and user friendly and should be
the default and recommended auth plugin.

henrik


On Sun, Oct 2, 2011 at 7:34 PM, Daniel Nichter <[email protected]> wrote:

Hi Henrik,

Correct: I did not update the docs.  When I update the Administration docs
for 7.1, I will mention it.  What docs are you updating where it's
relevant?

-Daniel

On 2 Oct 2011, at 03:15, Henrik Ingo wrote:

Hi Daniel

Related to your work in figuring out PAM authentication and knowing
that you worked a little on documentation, am I correct that you
didn't update any docs for this? I was thinking to select this as a
focus area where we should update the docs for 7.1 release. I'm
volunteering to do it, and the info in your blog post is already
sufficient, just wanted to check you are not sitting on some
documentation that I don't see yet in trunk?

henrik

On Fri, Sep 9, 2011 at 4:52 AM, Daniel Nichter <[email protected]> wrote:

This has been resolved:
http://hackdrizzle.com/authenticating-with-authentication-plugins/

On 9 Aug 2011, at 18:12, Daniel Nichter wrote:

I'd like to draw attention to
https://bugs.launchpad.net/drizzle/+bug/823637: "auth_pam and auth_http do
not work".  I think the reason is that the authentication system does not
pass authentication plugins a plaintext password, only a MySQL-scrambled
hash of the original plaintext password.  I've verified that this is the problem
with auth_http by manually inserting a plaintext password.

If this is the root problem, then I don't see how the authentication system
will work because a MySQL password hash is only useful for MySQL, i.e. pam
and curl can't use it.  Can the plaintext password still be accessed?

-Daniel

_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp
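
Added example (not from the thread or from Drizzle's code): a sketch of why the scrambled password discussed above can be checked by a backend that stores the MySQL hash but not by one that needs the plaintext. It assumes the scramble is the MySQL 4.1+ native challenge-response; `external_verify` is a hypothetical stand-in for PAM or an HTTP backend, and all sample values are constructed.

```python
import hashlib
import hmac


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def stored_hash(password: str) -> bytes:
    """Value a hash-storing backend keeps: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))


def client_token(password: str, nonce: bytes) -> bytes:
    """What arrives on the wire: SHA1(pw) XOR SHA1(nonce + SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode())
    mask = sha1(nonce + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))


def verify_with_stored_hash(token: bytes, nonce: bytes, stored: bytes) -> bool:
    """A backend holding the double SHA1 can undo the mask and check the token."""
    mask = sha1(nonce + stored)
    stage1 = bytes(a ^ b for a, b in zip(token, mask))
    return hmac.compare_digest(sha1(stage1), stored)


def external_verify(presented: bytes, salt: bytes, digest: bytes) -> bool:
    """Hypothetical stand-in for PAM or an HTTP backend: it hashes whatever
    it is handed with its own scheme, so it only accepts the real plaintext."""
    return hmac.compare_digest(hashlib.sha256(salt + presented).digest(), digest)


def demo() -> dict:
    password = "s3cret-constructed"   # constructed sample value
    nonce = bytes(range(20))          # constructed 20-byte server nonce
    salt = b"constructed-salt"        # constructed
    external = hashlib.sha256(salt + password.encode()).digest()
    token = client_token(password, nonce)
    return {
        "hash_backend_accepts": verify_with_stored_hash(
            token, nonce, stored_hash(password)),
        "external_accepts_token": external_verify(token, salt, external),
        "external_accepts_plaintext": external_verify(
            password.encode(), salt, external),
    }


if __name__ == "__main__":
    print(demo())
```

The token also changes with every nonce, so it cannot be replayed to a plaintext-based backend as if it were a fixed credential.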






--
[email protected]
+358-40-8211286 skype: henrik.ingo irc: hingo
www.openlife.cc

My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559









