On Sun, 2007-11-11 at 13:35 +0000, Timothy Murphy wrote:

> I got into a terrible mess yesterday,
> when I ran authconfig.gtk on my desktop,
> checking the ldap checkbox.
>
> This was one step in the saga of configuring openldap -
> possibly the worst-documented program in the history of computing.
> I actually have openldap working, but was trying to butter the cake
> by installing phpLDAPadmin.
> This again seemed to be working, but whatever I tried
> I got an authentication error.
> Hence the disastrous idea of running authconfig,
> which made the desktop seize up, and fail to re-boot,
> hanging at "Starting system message bus".
> I won't go into the subsequent torture,
> but it ended when I used Knoppix
> to delete all mention of ldap in /etc/nsswitch.conf.
>
> This led me to ponder authentication in Fedora.
> Is it really the complete shambles it seems to me to be?
> Are there several rival authentication methods:
> SASL, SSL, TLS, etc?
> How does one tell which to use?
> Is all this documented anywhere?
> I seem to have *.pem files all over the place.
> And how does all this fit in with /etc/pam.d/?
> And what does /etc/nsswitch.conf have to do with it?
>
> Is authentication under Fedora utterly confusing,
> or have I got hold of the wrong end of the stick?

----

1 - Your attitude is way off.

2 - When the LDAP protocol was originally conceived, it had absolutely nothing to do with user authentication... check the historical usage for LDAP.

3 - There is absolutely no single method to use LDAP for authentication - it's always left to the end users to design and implement. That's why every different author has a different take on how to do things.

4 - Implementing access points into various daemons/services is clearly an exercise left up to the administrator... there simply is no one way to do these things.

5 - OpenLDAP manuals assume a very high level of administrator knowledge.

6 - You haven't even figured out what is authentication and what is encryption... you probably need to do that.
    - SSL = Encryption
    - TLS = Encryption
    - SASL = Encryption, though to be fair, SASLAuthd is an authentication system for SASL

7 - The "Starting system message bus" hang is well understood and has nothing to do with anything else... to fix, add the following lines to /etc/ldap.conf:

    timelimit 30
    bind_timelimit 30
    bind_policy soft
    nss_initgroups_ignoreusers root,ldap

    Too bad that authconfig doesn't do this for you.

8 - I could not have made it more clear, and my suggestion was even seconded... if you want to learn about LDAP, buy the Gerald Carter book "LDAP System Administration".

9 - It is not LDAP authentication under Fedora... it is LDAP authentication that is confusing. User authentication is but one potential use for LDAP.

Craig
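The boot hang described in the thread comes from nss_ldap being consulted for every lookup (passwd, group, shadow via /etc/nsswitch.conf) while the directory is unreachable and no timeouts are configured. The script below is an added example, not code from the thread or from any Fedora or OpenLDAP package: it parses a pam_ldap/nss_ldap style ldap.conf, reports which of the four settings named in point 7 are missing or set differently, and lists which nsswitch databases are routed through ldap, so an administrator can verify the fix before rebooting. The sample configuration texts are constructed, and the parsing rules (one `key value` per line, leading `#` comments, last occurrence wins, keys case-insensitive) are assumptions about the file format rather than a reading of the nss_ldap source.

```python
"""Check an nss_ldap/pam_ldap style ldap.conf for the timeout settings
recommended in the thread, and show which nsswitch.conf databases use ldap.

Added example; the parsing rules below are assumptions about the file
formats, and the sample texts are constructed, not taken from a real host.
"""

from typing import Dict, List

# The four lines recommended in point 7 of the reply, with their values.
RECOMMENDED = {
    "timelimit": "30",
    "bind_timelimit": "30",
    "bind_policy": "soft",
    "nss_initgroups_ignoreusers": "root,ldap",
}

# Constructed sample /etc/ldap.conf: has one correct setting, one with a
# different value (bind_policy hard), and two that are missing entirely.
SAMPLE_LDAP_CONF = """\
# /etc/ldap.conf (constructed sample)
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl start_tls
timelimit 30
bind_policy hard
"""

# Constructed sample /etc/nsswitch.conf with ldap enabled for users/groups.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   files
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' lines into a dict.

    Assumptions: a line whose first non-blank character is '#' is a comment,
    keys are case-insensitive, and a later occurrence of a key overrides an
    earlier one.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def missing_settings(settings: Dict[str, str]) -> List[str]:
    """Return the recommended lines that are absent or carry a different value.

    The returned strings are exactly the lines to append to ldap.conf.
    """
    needed: List[str] = []
    for key, want in RECOMMENDED.items():
        have = settings.get(key)
        # Ignore spaces inside list values such as "root, ldap".
        if have is None or have.replace(" ", "") != want:
            needed.append(f"{key} {want}")
    return needed


def nsswitch_ldap_databases(text: str) -> List[str]:
    """Return the nsswitch.conf databases whose source list contains 'ldap'.

    Every database listed here will block on an unreachable directory when
    ldap.conf has no timeouts, which is what produces the boot-time hang.
    """
    databases: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        if "ldap" in [s.lower() for s in sources.split()]:
            databases.append(name.strip())
    return databases


def report(ldap_conf_text: str, nsswitch_text: str) -> Dict[str, List[str]]:
    """Combine both checks into one result for an administrator to act on."""
    return {
        "ldap_databases": nsswitch_ldap_databases(nsswitch_text),
        "lines_to_add": missing_settings(parse_ldap_conf(ldap_conf_text)),
    }


if __name__ == "__main__":
    result = report(SAMPLE_LDAP_CONF, SAMPLE_NSSWITCH)
    print("nsswitch databases using ldap:", ", ".join(result["ldap_databases"]))
    print("lines to add to /etc/ldap.conf:")
    for line in result["lines_to_add"]:
        print("   ", line)
```

Run against the real files with `report(open("/etc/ldap.conf").read(), open("/etc/nsswitch.conf").read())`; an empty `lines_to_add` list means the four recommended settings are already in place, and a non-empty `ldap_databases` list tells you which lookups would otherwise stall at boot.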