Re: LDAP authenticaton against PAM how-to

[Howard Chu <hyc@symas.com>]

TechnoSophos wrote:
> On 2/10/07, Howard Chu <hyc@symas.com> wrote:
> > Emmanuel Dreyfus wrote:

> Howard, maybe you should look at this with a fresh set of eyes.
>
> First, this link does not directly answer either of the questions that
> Emmanuel asked. Only if one is already familiar with SASL and Kerberos
> is this going to prove useful. And even so, it doesn't give enough
> guidance to answer the larger questions, like when using this method
> is good/justified, etc.

That FAQ article states rather explicitly:
> ALSO NOTE THAT ALL OF THIS IS IN GENERAL DISCOURAGED AND SHOULD BE USED
> ONLY WHEN THE CLIENT DOES NOT SUPPORT A MORE SECURE AUTHENTICATION
> CAPABILITY,

> In my experience, this is the general issue
> with treating the FAQ like a manual: it's just a collection of
> questions and answers, and it is not particularly cohesive. In fact,
> as the admin guide gets older, it, too, is getting less cohesive.

None of this is news to anybody. This post
http://www.openldap.org/lists/openldap-software/200701/msg00401.html
is only the latest in a long history of calling for participation from the 
community, with essentially no results. If the community isn't willing to 
help itself, what else do you expect?

> Emmanuel's point is worth noting: it is very difficult to learn the
> OpenLDAP  jargon, and the official documentation (the admin guide plus
> the FAQ, plus the man pages) quite simply don't cut it. They are
> steeped through and through with LDAP technical jargon (often used
> inconsistently, like "slave","shadow," "replica," and "subordinate"
> all referring to the server receiving replication by SLURPD or
> SyncRepl).
>
> My opinion may be in the minority here, but I don't think that a
> prerequisite to running OpenLDAP ought to be the thorough and careful
> reading of the whole bundle of LDAP RFCs. But that's the only method
> I've found of getting a good picture as to what is really (supposed to
> be) going on.

Disregarding your comments about the OpenLDAP documentation, which is already 
acknowledged multiple times over, I find your point ridiculous. You cannot 
run an Apache web server without knowing what "http" means and what URLs are, 
what CGI means, what MIME types are, etc. Any specialized software is 
necessarily accompanied by jargon and the use of that jargon is unavoidable.

In terms of pre-requisites, yes, I do believe that you must be familiar with 
LDAP fundamentals before attempting to use OpenLDAP. Whether you get those 
fundamentals from reading the RFCs or from reading something like Tim Howes' 
book, you do need to have that knowledge, and it is not something we 
currently provide. I recognize the fact that there's a gap here; Tim's book 
is very dated so the current RFCs are probably the only choice.

Just bear in mind - the Project moves in the directions that its most active 
members take it. Historically the Project has been about providing an LDAP 
suite for people who already knew LDAP and knew what they needed it to do for 
them. It has not been about teaching the basics of how LDAP works to people 
who have never heard of LDAP before. If you (the community) want the Project 
to spend energy moving in that direction, then someone has to step up and 
become an active member of the team to make it happen.

> > Your failure to find answers doesn't prove that they don't exist. 
> > (Obviously
> > - it's impossible to prove nonexistence of a thing.) If you had asked 
> > first,
> > someone might have pointed you in the right direction and saved you a 
> > lot of
> > effort.
>
> I would wager, based on a few years of time on this list, that what
> one WOULD get should one ask such a question is "RTFM," perhaps
> sprinkled with comments about "newbie mistakes" and how people have
> the mistaken impression that skim reading documentation will answer
> all their questions.

You would have already lost that bet.
http://www.openldap.org/lists/openldap-software/200702/msg00127.html
The first response to the original thread is a request for clarification, to 
find out why the poster was trying to go down this route:

> What distributed authentication system do you use that is supported by
> pam but is not supported directly by LDAP or SASL?

Whenever I see a post that is asking for something that doesn't make sense, I 
ask for more context and more clarification.

Yes, some people on this list have a tendency to post answers without taking 
the time to understand the original question. There's not much we can do 
about that; the fact that they're even willing to try to help is already 
sometimes more than can be expected.

And yes, people *do* have a tendency to skim the documentation, thus missing 
the answer that was already staring them in the face.
http://www.openldap.org/lists/openldap-software/200702/msg00121.html
Your criticism of that point is completely baseless.

> Besides, Emmanuel did his best in attempting to actually remedy the
> situation by providing some information in an organized form. He
> didn't get it all right, but instead of getting helpful feedback, he
> is getting flamed! Most of his questions go unanswered, though he's
> getting "RTFM" comments and the like.

I think characterizing the responses as flames is unwarranted.

> Starting with the first response, little positive information was
> given (aside from "that's deprecated"). Shouldn't some sort of
> alternative be outlined? (Granted, Tonni did give a positive
> suggestion.)

Little positive information was provided in the first response because the 
initial post didn't provide enough context from which to formulate an answer.

> Look, the bottom line is that the documentation could get better. When
> people who are willing to *try* to improve it do so, it would be nice
> if we could actually facilitate that improvement instead of thwarting
> it.

As you've already noted, there's plenty of documentation all over the web 
written by people "trying to improve things" that is clearly wrong. If you're 
going to try to document something, the right way is not to sit in a vacuum 
tinkering and coming out to the world and saying "after zillions of hours 
banging my head against the wall, this is what I came up with."

The right way is starting a dialogue, asking questions where you're uncertain 
about a point, until you arrive at a correct answer. The channels for that 
dialogue are wide open.

> The solution, I would assert, doesn't require much more than a change
> of attitude (or at least a change of mode of expression). OpenLDAP has
> a steep learning curve, and people who document it as they learn it
> may indeed be the best contributors to documentation because they
> still know what sort of thing trips up the newcomer.

Keeping a log of the steps you took to get where you are is of course a good 
practice. But asking for help before you take a series of questionable steps, 
instead of after you've already taken them, is a better practice.

OpenLDAP does not have a steep learning curve. Just for example, a few people 
came up to me after my SCALE talk to say how brain-dead easy it was to get 
OpenLDAP up and running after struggling unsuccessfully with other servers.

Using OpenLDAP requires that you know LDAP, and if you don't have that 
knowledge, then yes, there's a steep learning curve. But that curve is there 
no matter whose LDAP software you use.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  Chief Architect, OpenLDAP     http://www.openldap.org/project/