
Re: LDAP authentication against PAM how-to



TechnoSophos wrote:
On 2/10/07, Howard Chu <hyc@symas.com> wrote:
Emmanuel Dreyfus wrote:

Howard, maybe you should look at this with a fresh set of eyes.

First, this link does not directly answer either of the questions that
Emmanuel asked. Only if one is already familiar with SASL and Kerberos
is this going to prove useful. And even so, it doesn't give enough
guidance to answer the larger questions, like when using this method
is good/justified, etc.

That FAQ article states rather explicitly:

> ALSO NOTE THAT ALL OF THIS IS IN GENERAL DISCOURAGED AND SHOULD BE USED
> ONLY WHEN THE CLIENT DOES NOT SUPPORT A MORE SECURE AUTHENTICATION
> CAPABILITY,

In my experience, this is the general issue
with treating the FAQ like a manual: it's just a collection of
questions and answers, and it is not particularly cohesive. In fact,
as the admin guide gets older, it, too, is getting less cohesive.

None of this is news to anybody. This post
http://www.openldap.org/lists/openldap-software/200701/msg00401.html
is only the latest in a long history of calling for participation from the community, with essentially no results. If the community isn't willing to help itself, what else do you expect?


Emmanuel's point is worth noting: it is very difficult to learn the
OpenLDAP jargon, and the official documentation (the admin guide plus
the FAQ, plus the man pages) quite simply don't cut it. They are
steeped through and through with LDAP technical jargon (often used
inconsistently, like "slave," "shadow," "replica," and "subordinate"
all referring to the server receiving replication by SLURPD or
SyncRepl).

My opinion may be in the minority here, but I don't think that a
prerequisite to running OpenLDAP ought to be the thorough and careful
reading of the whole bundle of LDAP RFCs. But that's the only method
I've found of getting a good picture as to what is really (supposed to
be) going on.

Disregarding your comments about the OpenLDAP documentation, which is already acknowledged multiple times over, I find your point ridiculous. You cannot run an Apache web server without knowing what "http" means and what URLs are, what CGI means, what MIME types are, etc. Any specialized software is necessarily accompanied by jargon and the use of that jargon is unavoidable.


In terms of pre-requisites, yes, I do believe that you must be familiar with LDAP fundamentals before attempting to use OpenLDAP. Whether you get those fundamentals from reading the RFCs or from reading something like Tim Howes' book, you do need to have that knowledge, and it is not something we currently provide. I recognize the fact that there's a gap here; Tim's book is very dated so the current RFCs are probably the only choice.

Just bear in mind - the Project moves in the directions that its most active members take it. Historically the Project has been about providing an LDAP suite for people who already knew LDAP and knew what they needed it to do for them. It has not been about teaching the basics of how LDAP works to people who have never heard of LDAP before. If you (the community) want the Project to spend energy moving in that direction, then someone has to step up and become an active member of the team to make it happen.

Your failure to find answers doesn't prove that they don't exist. (Obviously
- it's impossible to prove nonexistence of a thing.) If you had asked first,
someone might have pointed you in the right direction and saved you a lot of
effort.

I would wager, based on a few years of time on this list, that what one WOULD get should one ask such a question is "RTFM," perhaps sprinkled with comments about "newbie mistakes" and how people have the mistaken impression that skim reading documentation will answer all their questions.

You would have already lost that bet.
http://www.openldap.org/lists/openldap-software/200702/msg00127.html
The first response to the original thread is a request for clarification, to find out why the poster was trying to go down this route:


> What distributed authentication system do you use that is supported by
> pam but is not supported directly by LDAP or SASL?

Whenever I see a post that is asking for something that doesn't make sense, I ask for more context and more clarification.

Yes, some people on this list have a tendency to post answers without taking the time to understand the original question. There's not much we can do about that; the fact that they're even willing to try to help is already sometimes more than can be expected.

And yes, people *do* have a tendency to skim the documentation, thus missing the answer that was already staring them in the face.
http://www.openldap.org/lists/openldap-software/200702/msg00121.html
Your criticism of that point is completely baseless.


Besides, Emmanuel did his best in attempting to actually remedy the
situation by providing some information in an organized form. He
didn't get it all right, but instead of getting helpful feedback, he
is getting flamed! Most of his questions go unanswered, though he's
getting "RTFM" comments and the like.

I think characterizing the responses as flames is unwarranted.

Starting with the first response, little positive information was
given (aside from "that's deprecated"). Shouldn't some sort of
alternative be outlined? (Granted, Tonni did give a positive
suggestion.)

Little positive information was provided in the first response because the initial post didn't provide enough context from which to formulate an answer.


Look, the bottom line is that the documentation could get better. When
people who are willing to *try* to improve it do so, it would be nice
if we could actually facilitate that improvement instead of thwarting
it.

As you've already noted, there's plenty of documentation all over the web written by people "trying to improve things" that is clearly wrong. If you're going to try to document something, the right way is not to sit in a vacuum tinkering and coming out to the world and saying "after zillions of hours banging my head against the wall, this is what I came up with."


The right way is starting a dialogue, asking questions where you're uncertain about a point, until you arrive at a correct answer. The channels for that dialogue are wide open.

The solution, I would assert, doesn't require much more than a change
of attitude (or at least a change of mode of expression). OpenLDAP has
a steep learning curve, and people who document it as they learn it
may indeed be the best contributors to documentation because they
still know what sort of thing trips up the newcomer.

Keeping a log of the steps you took to get where you are is of course a good practice. But asking for help before you take a series of questionable steps, instead of after you've already taken them, is a better practice.


OpenLDAP does not have a steep learning curve. Just for example, a few people came up to me after my SCALE talk to say how brain-dead easy it was to get OpenLDAP up and running after struggling unsuccessfully with other servers.

Using OpenLDAP requires that you know LDAP, and if you don't have that knowledge, then yes, there's a steep learning curve. But that curve is there no matter whose LDAP software you use.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/