Ok Edward, this is for you. If you want to help, have a look at
https://code.launchpad.net/~hingo/drizzle/drizzle-docs71

I wrestled with the build system so that the files from plugin/auth_ldap/schema/ are now installed by a make install. I also renamed them, but since you've seen this before you should recognize them. So this is what it looks like after make install:

hingo@mermaid:~/hacking/drizzle/builds/ldap$ ls
bin  include  lib  sbin  share  var
hingo@mermaid:~/hacking/drizzle/builds/ldap$ ls bin
drizzle  drizzlebackup.innobase  drizzledump  drizzleimport  drizzle_password_hash  drizzleslap  drizzletrx
hingo@mermaid:~/hacking/drizzle/builds/ldap$ ls share/drizzle7/
drizzle_create_ldap_user  drizzle_openldap.ldif  drizzle_openldap.schema  README.auth_ldap
hingo@mermaid:~/hacking/drizzle/builds/ldap$ bin/drizzle_password_hash secret
14E65567ABDB5135D0CFD9A70B3032C179A49EE7
hingo@mermaid:~/hacking/drizzle/builds/ldap$ share/drizzle7/drizzle_create_ldap_user -h
Arguement options are:
-p: password to use for password
-b: path to mysql_password_hash
-u: username to generate users from
-n: number of users to generate
-l: base ldap dn to use for user generation
-d: debug

share/drizzle7/drizzle_create_ldap_user is a script used to generate users to test drizzles mysql auth integration with ldap.
if "-b" is set users will be generated with attribute drizzleUserMysqlPassword
Script dumps all information to stdout so end user can decide what they want to do with output.
hingo@mermaid:~/hacking/drizzle/builds/ldap$ share/drizzle7/drizzle_create_ldap_user -p secret -b bin/drizzle_password_hash -u johndoe -n 1 -l "ou=people,dc=example,dc=com"
dn: uid=johndoe0,ou=people,dc=example,dc=com
objectclass: top
objectclass: posixAccount
objectclass: account
objectclass: drizzleUser
drizzleUserMysqlPassword: 14E65567ABDB5135D0CFD9A70B3032C179A49EE7
uidNumber: 500
gidNumber: 500
uid: johndoe0
homeDirectory: /home/johndoe0
loginshell: /sbin/nologin
userPassword: secret
cn: johndoe0

We now have plugin documentation in plugin/auth_ldap/docs/index.rst.

If you want to write a howto on using LDAP based authentication, then you could just write that into the Examples section there and send a merge request to the above branch. Alternatively, if you just want to write a HowTo as a text file and email it, I'm happy to do that too. Either way, please use bin/drizzle_password_hash and share/drizzle7/drizzle_create_ldap_user and share/drizzle7/drizzle_openldap.ldif as I showed above for the examples. (Unless you have a good reason why you don't want to do that, then I'm curious to know what is a better way!)

Also, I found you on launchpad and subscribed you to:
https://blueprints.launchpad.net/drizzle/+spec/docs71-focus-areas

Please keep us updated when you start working. I'll look at documenting auth_pam next, but will continue to keep an eye on this too.

henrik

PS: Daniel: spotted your 7.1-docs branch. You've been busy, nice work!

On Tue, Oct 4, 2011 at 9:37 AM, Henrik Ingo <[email protected]> wrote:
> Hi Edward
>
> Yes, your name sounded familiar, I now realize it's in one of the files :-)
>
> I think that would be helpful and very welcome. I was reading
> https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html to
> get started and I can create users to the inetorgperson schema and
> also successfully added the drizzle.ldif to it. But it's not like I
> really know what I'm doing :-)
>
> I managed yesterday to hack the pandora-build script that Drizzle uses
> on top of Autotools so that mysql_password_hash from libdrizzle-2.0
> and gentestuser.sh, drizzle.schema and drizzle.ldif are included in
> make install. I will make such a branch available in a few hours so
> you can see what it looks like.
>
> So I was thinking the manual entry should have
>
> - very short instructions to get basic openldap installed and
>   running, with some basic schema like inetorgperson.
> - instructions where to find and how to install the drizzle.ldif
> - instructions should use gentestuser.sh and mysql_password_hash
>   (which I have renamed to drizzle_... )
> - simple login
> - whatever else you think is useful
>
> I'll send a link to my modified branch shortly...
>
> henrik
>
>
> On Tue, Oct 4, 2011 at 2:12 AM, Edward "koko" Konetzko
> <[email protected]> wrote:
>> Hi guys
>>
>> I am chiming in a little late, sorry currently on vacation, would it be
>> helpful if you guys had a howto doc for getting ldap all set up? I probably
>> wouldn't be able to help out on anything till next week sometime.
>>
>> FYI I did the ldap schema part for the auth_ldap plugin. LDAP is
>> extremely misunderstood and can be a little confusing at first but after you
>> get over the mountain of a learning curve it's pretty easy :D.
>>
>> Just thought I would toss my hat in and offer a little help on the auth_ldap
>> part if it's needed.
>>
>> Edward
>>
>>
>> On 10/03/2011 01:04 PM, Henrik Ingo wrote:
>>>
>>> NP, I almost got them switched in my previous reply too :-) (But I was
>>> typing with baby in lap)
>>>
>>> henrik
>>>
>>> On Mon, Oct 3, 2011 at 8:33 PM, Daniel Nichter<[email protected]> wrote:
>>>>
>>>> Oh no, now I'm confusing myself and everyone else. :-) Your terminology
>>>> was correct the first time. Let me try once more, and this time I'm going
>>>> to pay close attention to what I type:
>>>>
>>>> You write the pages for Authentication to cover auth_pam, and whatever
>>>> other auth plugins you want, and I'll write the auth_schema page.
>>>>
>>>> I write the section on Authorization: simple_user_policy and
>>>> regex_policy.
>>>>
>>>> -Daniel
>>>>
>>>> Le 3 oct. 2011 à 10:43, Henrik Ingo a écrit :
>>>>
>>>>> :-)
>>>>>
>>>>> Confusion of terminology: To me Authentication = the thing that uses
>>>>> username+password, and auth_pam and auth_ldap are part of that.
>>>>>
>>>>> Authorization = GRANT and REVOKE = authenticated user is allowed / not
>>>>> allowed to do X.
>>>>>
>>>>> But I'm happy to cover auth_pam and auth_ldap, if you cover the basic
>>>>> auth_schema use case.
>>>>>
>>>>> Yeah, I don't think a lot of people will use ldap (or even auth_pam,
>>>>> given the need to use plaintext passwords), but I selected it as a
>>>>> "marketing feature" due to Oracle/MySQL recently announcing a similar
>>>>> proprietary feature. I think it can get some publicity, and it's an
>>>>> "enterprise feature", even if most users wouldn't use it.
>>>>>
>>>>> henrik
>>>>>
>>>>> On Mon, Oct 3, 2011 at 7:05 PM, Daniel Nichter<[email protected]>
>>>>> wrote:
>>>>>>
>>>>>> The reverse: you write Authorization so you can cover whichever auth_*
>>>>>> plugins you want (auth_pam, etc.), and I'll write Authentication since I
>>>>>> have a little insight into that. Does that work?
>>>>>>
>>>>>> Also, I agree about auth_ldap: it's pretty complex and I don't think
>>>>>> LDAP is very common in the Unix world. Afaik, LDAP is what Windows uses
>>>>>> (or did--I don't keep up with Windows).
>>>>>>
>>>>>> Le 3 oct. 2011 à 10:01, Henrik Ingo a écrit :
>>>>>>
>>>>>>> I agree with scoping of Administration. So will you also cover
>>>>>>> auth_ldap?
>>>>>>>
>>>>>>> FYI: I've spent today trying to get
>>>>>>> libdrizzle-2.0/libdrizzle/mysql_password_hash (renamed to
>>>>>>> drizzle_password_hash) and plugin/auth_ldap/schema/gentestusers.sh
>>>>>>> (renamed to drizzle_create_ldap_user) included in make install, so
>>>>>>> that also end users could benefit from them. I think while LDAP is a
>>>>>>> bit complex (and people complain about SQL!!) one good thing with
>>>>>>> auth_ldap is the fact you can actually use hashed passwords, and I'd
>>>>>>> like to make it easy for users to actually do that.
>>>>>>>
>>>>>>> I'll have to look at authorization/policy plugins, I have absolutely
>>>>>>> zero insight into that so far.
>>>>>>>
>>>>>>> henrik
>>>>>>>
>>>>>>> On Mon, Oct 3, 2011 at 5:56 PM, Daniel Nichter<[email protected]>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Henrik,
>>>>>>>> I was thinking that Administration entails Authentication and
>>>>>>>> Authorization.
>>>>>>>> The section on Authentication could cover (eventually) all of Drizzle's
>>>>>>>> auth plugins and other authentication-related information like how to
>>>>>>>> make the drizzle client work with those auth plugins by using --protocol
>>>>>>>> mysql-plugin-auth. And Authorization could talk about the various policy
>>>>>>>> plugins.
>>>>>>>> So maybe you could write Authorization for the auth plugins you want
>>>>>>>> to feature, and I can write Authentication?
>>>>>>>> As for auth_schema, I'm glad you like it. :-) I will have it ready
>>>>>>>> to go by the end of this week and then I'll propose it for merging. It's
>>>>>>>> not perfect yet, but I think it's useful enough.
>>>>>>>> -Daniel
>>>>>>>>
>>>>>>>> Le 2 oct. 2011 à 14:39, Henrik Ingo a écrit :
>>>>>>>>
>>>>>>>> I picked ldap_auth and pam_auth for our focus areas:
>>>>>>>> https://blueprints.launchpad.net/drizzle/+spec/docs71-focus-areas
>>>>>>>> I now realize auth_schema should be included too, unless of course we
>>>>>>>> think it is implied by Administration.
>>>>>>>>
>>>>>>>> Basically I want to make sure that docs/index.rst in those 3 plugins
>>>>>>>> is usable for the average user. It seems it is mostly a question of
>>>>>>>> supplying a good example section in addition to the file you've
>>>>>>>> generated. When you say you want to document administration, do you
>>>>>>>> want to claim all of auth_pam/docs/index.rst for yourself? Feel free
>>>>>>>> to do so. I assume auth_schema is part of administration.
>>>>>>>>
>>>>>>>> I started today trying to understand ldap_auth. (And it seems to be a
>>>>>>>> rule that no matter how innocent the things I do, I end up changing
>>>>>>>> Makefile.am. In this case plugin/ldap_auth/ has material that is only
>>>>>>>> there if you work from the bzr repository, so to document how to create
>>>>>>>> LDAP users, I first have to move a utility from noinst_PROGRAMS to
>>>>>>>> bin_PROGRAMS...
>>>>>>>>
>>>>>>>> From what I've learned today, auth_pam is a good authentication
>>>>>>>> method, except for the drawback that you end up using plaintext
>>>>>>>> passwords. auth_ldap actually has an advantage: it is designed to store
>>>>>>>> the MySQL hashed passwords in a custom LDAP field, however it is way
>>>>>>>> too complex for the average user to set up. (It mostly just makes sense
>>>>>>>> if you already use LDAP.)
>>>>>>>>
>>>>>>>> A conclusion of the above is that I really appreciate you creating
>>>>>>>> auth_schema, and hope it is included in the beta because it is the
>>>>>>>> only alternative that is both secure and user friendly and should be
>>>>>>>> the default and recommended auth plugin.
>>>>>>>>
>>>>>>>> henrik
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sun, Oct 2, 2011 at 7:34 PM, Daniel Nichter<[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi Henrik,
>>>>>>>>
>>>>>>>> Correct: I did not update the docs. When I update the Administration
>>>>>>>> docs for 7.1, I will mention it. What docs are you updating where it's
>>>>>>>> relevant?
>>>>>>>>
>>>>>>>> -Daniel
>>>>>>>>
>>>>>>>> Le 2 oct. 2011 à 03:15, Henrik Ingo a écrit :
>>>>>>>>
>>>>>>>> Hi Daniel
>>>>>>>>
>>>>>>>> Related to your work in figuring out PAM authentication and knowing
>>>>>>>> that you worked a little on documentation, am I correct that you
>>>>>>>> didn't update any docs for this? I was thinking to select this as a
>>>>>>>> focus area where we should update the docs for the 7.1 release. I'm
>>>>>>>> volunteering to do it, and the info in your blog post is already
>>>>>>>> sufficient, just wanted to check you are not sitting on some
>>>>>>>> documentation that I don't see yet in trunk?
>>>>>>>>
>>>>>>>> henrik
>>>>>>>>
>>>>>>>> On Fri, Sep 9, 2011 at 4:52 AM, Daniel Nichter<[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> This has been resolved:
>>>>>>>> http://hackdrizzle.com/authenticating-with-authentication-plugins/
>>>>>>>>
>>>>>>>> Le 9 août 2011 à 18:12, Daniel Nichter a écrit :
>>>>>>>>
>>>>>>>> I'd like to draw attention to
>>>>>>>> https://bugs.launchpad.net/drizzle/+bug/823637: "auth_pam and
>>>>>>>> auth_http do not work". I think the reason is that the authentication
>>>>>>>> system does not pass authentication plugins a plaintext password, only a
>>>>>>>> MySQL-scrambled hash of the original plaintext password. I've verified
>>>>>>>> that this is the problem with auth_http by manually inserting a plaintext
>>>>>>>> password.
>>>>>>>>
>>>>>>>> If this is the root problem, then I don't see how the authentication
>>>>>>>> system will work because a MySQL password hash is only useful for MySQL,
>>>>>>>> i.e. pam and curl can't use it. Can the plaintext password still be
>>>>>>>> accessed?
>>>>>>>>
>>>>>>>> -Daniel

--
[email protected]
+358-40-8211286 skype: henrik.ingo irc: hingo
www.openlife.cc

My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559

_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp
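The thread turns on the MySQL-style hash that drizzle_password_hash prints and that auth_ldap stores in drizzleUserMysqlPassword. The following Python is an added example, not code from this thread or from the Drizzle project: it computes that hash, builds an LDIF entry in the shape drizzle_create_ldap_user printed above, and shows the challenge-response check a server can run with only the stored double hash, which is why backends that need the plaintext (auth_pam, auth_http) cannot be fed from the same exchange. The 20-byte salt and the uidNumber/gidNumber values are constructed for the example.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def mysql_password_hash(password: str) -> str:
    # MySQL 4.1+ PASSWORD(): uppercase hex of SHA1(SHA1(password)).
    # drizzle_password_hash prints the same value without MySQL's leading '*'.
    return sha1(sha1(password.encode())).hex().upper()


def ldif_user(username: str, index: int, base_dn: str, password: str) -> str:
    # Same attribute layout as the drizzle_create_ldap_user output in the thread.
    # uidNumber/gidNumber 500 and the plaintext userPassword mirror that test
    # fixture; a production entry would carry only the hashed attribute.
    uid = f"{username}{index}"
    lines = [
        f"dn: uid={uid},{base_dn}",
        "objectclass: top", "objectclass: posixAccount",
        "objectclass: account", "objectclass: drizzleUser",
        f"drizzleUserMysqlPassword: {mysql_password_hash(password)}",
        "uidNumber: 500", "gidNumber: 500", f"uid: {uid}",
        f"homeDirectory: /home/{uid}", "loginshell: /sbin/nologin",
        f"userPassword: {password}", f"cn: {uid}",
    ]
    return "\n".join(lines) + "\n"


def client_response(password: str, salt: bytes) -> bytes:
    # mysql_native_password client side: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw))).
    stage1 = sha1(password.encode())
    mask = sha1(salt + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))


def server_verify(stored_hex: str, salt: bytes, response: bytes) -> bool:
    # Server side holds only SHA1(SHA1(pw)): unmask SHA1(pw) from the response
    # and re-hash it. The plaintext never exists here, so it cannot be handed
    # to PAM or an HTTP endpoint.
    stage2 = bytes.fromhex(stored_hex)
    mask = sha1(salt + stage2)
    stage1 = bytes(a ^ b for a, b in zip(response, mask))
    return hmac.compare_digest(sha1(stage1), stage2)


if __name__ == "__main__":
    print(ldif_user("johndoe", 0, "ou=people,dc=example,dc=com", "secret"))
    salt = os.urandom(20)  # constructed 20-byte challenge
    stored = mysql_password_hash("secret")
    print("login ok:", server_verify(stored, salt, client_response("secret", salt)))
```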

