Authentication nightmare under Fedora 7

Timothy Murphy tim at birdsnest.maths.tcd.ie
Mon Nov 12 21:55:04 UTC 2007


Craig White wrote:

>> This led me to ponder authentication in Fedora.
>> Is it really the complete shambles it seems to me to be?
>> Are there several rival authentication methods:
>> SASL, SSL, TLS, etc?
>> How does one tell which to use?
>> Is all this documented anywhere?
>> I seem to have *.pem files all over the place.
>> And how does all this fit in with /etc/pam.d/ ?
>> And what does /etc/nsswitch.conf have to do with it?
>> 
>> Is authentication under Fedora utterly confusing,
>> or have I got hold of the wrong end of the stick?
> ----
> 1 - Your attitude is way off

Well, thanks for responding anyway.
I must say your reply tends to confirm that authentication in Fedora
(possibly in Linux generally) is confusing,
not because your answer is not clear, I hasten to add,
but because there seem several methods available,
and it is not at all clear in some cases - 
certainly in the case of openldap - which one you are meant to use.

I think my attitude was fairly understandable,
given that I spent two hours staring at my desktop
(which I don't normally go near)
after giving what seemed the harmless command "authconfig.gtk".
I couldn't believe that this command could have the disastrous effect 
it did, with the system slowly dying bit-by-bit
until it finally stopped altogether.
 
> 2 - When LDAP protocol was originally conceived, it had
>     absolutely nothing to do with user authentication...check
>     the historical usage for ldap.

With respect, I've read a few documents on the history of ldap,
and not found them at all helpful for my purpose,
which is the not very grandiose task
of setting up a system-wide address book on my home LAN.
I'm actually using my web-server, so it is fairly important,
I think, to use some kind of authentication.

> 3 - There is absolutely no single method to use LDAP for
>     authentication - it's always left to the end users to
>     design and implement. That's why every different author
>     has a different take on how to do things.

This is probably the cause of my suffering.
I looked at 3 or 4 documents on openldap,
and as you say they seemed to be using different authentication methods.
Actually, some of them seemed to suggest that the user (ie me)
would know what to do, which is certainly not true in my case.

> 4 - Implementing access points into various daemons/services
>     is clearly an exercise left up to the administrator...there
>     simply is no one way to do these things.

But they (or you) could still tell me one way,
and just mention that there are alternatives.

> 5 - OpenLDAP manuals assume a very high level of
>     administrator knowledge.

I'm not sure what you mean by administrator knowledge.
I think of myself as reasonably adept at administration
(I've certainly been doing it for a long time)
and haven't really met anything like the same degree of confusion
with authentication that I find with openldap.

> 6 - You haven't even figured out what is authentication and
>     what is encryption...you probably need to do that.
>     - SSL = Encryption
>     - TLS = Encryption
>     - SASL = Encryption though to be fair, SASLAuthd is an
>       authentication system for sasl

I must confess I'm not clear on the distinction.
I would have thought encryption and authentication
were inextricably linked.
Presumably if one machine or program uses encryption
it has to pass the data necessary for decryption
to any other machine or program needing the encrypted information,
and the passage of this data is the principal task of authentication,
I would have thought.

> 7 - starting system message bus hang is well understood and
>     has nothing to do with anything else...to fix, add the
>     following lines to /etc/ldap.conf

Thanks very much - I did indeed deduce after some time
that the problem lay with the message bus,
and in fact my temporary solution was to stop the messagebus service.
However, this certainly was not well understood by me.

>     timelimit 30
>     bind_timelimit 30
>     bind_policy soft
>     nss_initgroups_ignoreusers root,ldap

I shall indeed add these lines. 
 
>     too bad that authconfig doesn't do this for you.

> 8 - I could not have made it more clear and my suggestion was
>     even seconded...if you want to learn about ldap - buy the
>     Gerald Carter book LDAP System Administration.

Well, I'll certainly think about it;
but my need for ldap is very limited, as I said,
and it would not be high on my list of subjects I want to study in depth.

> 9 - It is not LDAP authentication under fedora...it is LDAP
>     authentication that is confusing. User authentication is
>     but one potential use for LDAP.

I believe you.

Just as a postscript I might add that I have been driven to openldap
as a solution to the address book problem
after looking at vcard/jabber and mysql,
which I would actually prefer to use if there was a reasonably simple
and standard way of doing this.

I like that idea that vcard can be used to pass address book entries
to and from mobile phones.

If anyone has any advice or suggestion on this topic
I would be very interested and grateful.
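A small added check, not part of the original thread and not anything Craig or Timothy posted: it parses an nss_ldap-style /etc/ldap.conf (the plain "keyword value" form, with "#" starting a comment, which is an assumption about the file's layout) and reports which of the four settings quoted in point 7 are missing or set differently. The two sample configs are constructed for the example. The point of those four lines, as far as the thread states it, is to stop the system message bus hanging at startup when the LDAP server is unreachable: bind_policy soft makes nss_ldap give up rather than retry, the two time limits bound how long it waits, and nss_initgroups_ignoreusers keeps root and ldap from being looked up over LDAP at all.

```python
"""Check an nss_ldap-style /etc/ldap.conf for the anti-hang settings.

Added example, not from the mailing-list thread. The parser assumes the
simple 'keyword value' layout; the sample configs below are constructed.
"""

# The four settings quoted in the thread, with the values given there.
REQUIRED = {
    "timelimit": "30",
    "bind_timelimit": "30",
    "bind_policy": "soft",
    "nss_initgroups_ignoreusers": "root,ldap",
}


def parse_ldap_conf(text):
    """Parse 'keyword value' lines into a dict.

    '#' starts a comment, blank lines are skipped, and if a keyword appears
    more than once this parser keeps the last value (a simplification).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def check_hang_settings(text, required=REQUIRED):
    """Return {keyword: problem} for every required setting that is absent
    or has an unexpected value; an empty dict means the fix is in place."""
    settings = parse_ldap_conf(text)
    problems = {}
    for key, want in required.items():
        if key not in settings:
            problems[key] = "missing"
        elif settings[key] != want:
            problems[key] = f"is {settings[key]!r}, expected {want!r}"
    return problems


# Constructed sample: a config without the recommended lines. bind_policy
# is set to hard here only to show the "wrong value" report.
SAMPLE_BEFORE = """\
# /etc/ldap.conf (constructed sample, not a real system's file)
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl start_tls
bind_policy hard
"""

# Constructed sample: the same config with the four lines from the thread.
SAMPLE_AFTER = """\
# /etc/ldap.conf (constructed sample, not a real system's file)
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl start_tls
timelimit 30
bind_timelimit 30
bind_policy soft
nss_initgroups_ignoreusers root,ldap
"""

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        problems = check_hang_settings(text)
        print(name + ":", "ok" if not problems else problems)
```

To run it against a live machine, read /etc/ldap.conf into a string and pass it to check_hang_settings(); an empty result means all four lines are present with the quoted values.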
