Hi Edward

Yes, your name sounded familiar. I now realize it's in one of the files :-)

I think that would be helpful and very welcome. I was reading https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html to get started and I can create users to the inetorgperson schema and also successfully added the drizzle.ldif to it. But it's not like I really know what I'm doing :-)

I managed yesterday to hack the pandora-build script that Drizzle uses on top of Autotools so that mysql_password_hash from libdrizzle-2.0 and gentestuser.sh, drizzle.schema and drizzle.ldif are included in make install. I will make such a branch available in a few hours so you can see what it looks like.

So I was thinking the manual entry should have
- very short instructions to get basic openldap installed and running, with some basic schema like inetorgperson.
- instructions where to find and how to install the drizzle.ldif
- instructions should use gentestuser.sh and mysql_password_hash (which I have renamed to drizzle_... )
- simple login
- whatever else you think is useful

I'll send a link to my modified branch shortly...

henrik

On Tue, Oct 4, 2011 at 2:12 AM, Edward "koko" Konetzko <konet...@quixoticagony.com> wrote:
> Hi guys
>
> I am chiming in a little late, sorry, currently on vacation. Would it be helpful if you guys had a howto doc for getting ldap all set up? I probably wouldn't be able to help out on anything till next week sometime.
>
> FYI I did the ldap schema part for the auth_ldap plugin. LDAP is extremely misunderstood and can be a little confusing at first, but after you get over the mountain of a learning curve it's pretty easy :D.
>
> Just thought I would toss my hat in and offer a little help on the auth_ldap part if it's needed.
>
> Edward
>
> On 10/03/2011 01:04 PM, Henrik Ingo wrote:
>>
>> NP, I almost got them switched in my previous reply too :-) (But I was typing with baby in lap)
>>
>> henrik
>>
>> On Mon, Oct 3, 2011 at 8:33 PM, Daniel Nichter <dan...@percona.com> wrote:
>>>
>>> Oh no, now I'm confusing myself and everyone else. :-) Your terminology was correct the first time. Let me try once more, and this time I'm going to pay close attention to what I type:
>>>
>>> You write the pages for Authentication to cover auth_pam, and whatever other auth plugins you want, and I'll write the auth_schema page.
>>>
>>> I write the section on Authorization: simple_user_policy and regex_policy.
>>>
>>> -Daniel
>>>
>>> On 3 Oct 2011, at 10:43, Henrik Ingo wrote:
>>>
>>>> :-)
>>>>
>>>> Confusion of terminology: To me Authentication = the thing that uses username+password, and auth_pam and auth_ldap are part of that.
>>>>
>>>> Authorization = GRANT and REVOKE = authenticated user is allowed / not allowed to do X.
>>>>
>>>> But I'm happy to cover auth_pam and auth_ldap, if you cover the basic auth_schema use case.
>>>>
>>>> Yeah, I don't think a lot of people will use ldap (or even auth_pam, given the need to use plaintext passwords), but I selected it as a "marketing feature" due to Oracle/MySQL recently announcing a similar proprietary feature. I think it can get some publicity, and it's an "enterprise feature", even if most users wouldn't use it.
>>>>
>>>> henrik
>>>>
>>>> On Mon, Oct 3, 2011 at 7:05 PM, Daniel Nichter <dan...@percona.com> wrote:
>>>>>
>>>>> The reverse: you write Authorization so you can cover whichever auth_* plugins you want (auth_pam, etc.), and I'll write Authentication since I have a little insight into that. Does that work?
>>>>>
>>>>> Also, I agree about auth_ldap: it's pretty complex and I don't think LDAP is very common in the Unix world. Afaik, LDAP is what Windows uses (or did--I don't keep up with Windows).
>>>>>
>>>>> On 3 Oct 2011, at 10:01, Henrik Ingo wrote:
>>>>>
>>>>>> I agree with the scoping of Administration. So will you also cover auth_ldap?
>>>>>>
>>>>>> FYI: I've spent today trying to get libdrizzle-2.0/libdrizzle/mysql_password_hash (renamed to drizzle_password_hash) and plugin/auth_ldap/schema/gentestusers.sh (renamed to drizzle_create_ldap_user) included in make install, so that also end users could benefit from them. I think while LDAP is a bit complex (and people complain about SQL!!) one good thing with auth_ldap is the fact you can actually use hashed passwords, and I'd like to make it easy for users to actually do that.
>>>>>>
>>>>>> I'll have to look at authorization/policy plugins, I have absolutely zero insight into that so far.
>>>>>>
>>>>>> henrik
>>>>>>
>>>>>> On Mon, Oct 3, 2011 at 5:56 PM, Daniel Nichter <dan...@percona.com> wrote:
>>>>>>>
>>>>>>> Henrik,
>>>>>>> I was thinking that Administration entails Authentication and Authorization.
>>>>>>> The section on Authentication could cover (eventually) all of Drizzle's auth plugins and other authentication-related information like how to make the drizzle client work with those auth plugins by using --protocol mysql-plugin-auth. And Authorization could talk about the various policy plugins.
>>>>>>> So maybe you could write Authorization for the auth plugins you want to feature, and I can write Authentication?
>>>>>>> As for auth_schema, I'm glad you like it. :-) I will have it ready to go by the end of this week and then I'll propose it for merging. It's not perfect yet, but I think it's useful enough.
>>>>>>> -Daniel
>>>>>>>
>>>>>>> On 2 Oct 2011, at 14:39, Henrik Ingo wrote:
>>>>>>>
>>>>>>> I picked ldap_auth and pam_auth for our focus areas: https://blueprints.launchpad.net/drizzle/+spec/docs71-focus-areas I now realize auth_schema should be included too, unless of course we think it is implied by Administration.
>>>>>>>
>>>>>>> Basically I want to make sure that docs/index.rst in those 3 plugins is usable for the average user. It seems it is mostly a question of supplying a good example section in addition to the file you've generated. When you say you want to document administration, do you want to claim all of auth_pam/docs/index.rst for yourself? Feel free to do so. I assume auth_schema is part of administration.
>>>>>>>
>>>>>>> I started today trying to understand ldap_auth. (And it seems to be a rule that no matter how innocent the things I do, I end up changing Makefile.am. In this case plugin/ldap_auth/ has material that is only there if you work from the bzr repository, so to document how to create LDAP users, I first have to move a utility from noinst_PROGRAMS to bin_PROGRAMS...)
>>>>>>>
>>>>>>> From what I've learned today, auth_pam is a good authentication method, except for the drawback that you end up using plaintext passwords. auth_ldap actually has an advantage: it is designed to store the MySQL hashed passwords in a custom LDAP field, however it is way too complex for the average user to set up. (It mostly just makes sense if you already use LDAP.)
>>>>>>>
>>>>>>> A conclusion of the above is that I really appreciate you creating auth_schema, and hope it is included in the beta because it is the only alternative that is both secure and user friendly and should be the default and recommended auth plugin.
>>>>>>>
>>>>>>> henrik
>>>>>>>
>>>>>>> On Sun, Oct 2, 2011 at 7:34 PM, Daniel Nichter <dan...@percona.com> wrote:
>>>>>>>
>>>>>>> Hi Henrik,
>>>>>>>
>>>>>>> Correct: I did not update the docs. When I update the Administration docs for 7.1, I will mention it. What docs are you updating where it's relevant?
>>>>>>>
>>>>>>> -Daniel
>>>>>>>
>>>>>>> On 2 Oct 2011, at 03:15, Henrik Ingo wrote:
>>>>>>>
>>>>>>> Hi Daniel
>>>>>>>
>>>>>>> Related to your work in figuring out PAM authentication, and knowing that you worked a little on documentation, am I correct that you didn't update any docs for this? I was thinking to select this as a focus area where we should update the docs for the 7.1 release. I'm volunteering to do it, and the info in your blog post is already sufficient, just wanted to check you are not sitting on some documentation that I don't see yet in trunk?
>>>>>>>
>>>>>>> henrik
>>>>>>>
>>>>>>> On Fri, Sep 9, 2011 at 4:52 AM, Daniel Nichter <dan...@percona.com> wrote:
>>>>>>>
>>>>>>> This has been resolved: http://hackdrizzle.com/authenticating-with-authentication-plugins/
>>>>>>>
>>>>>>> On 9 Aug 2011, at 18:12, Daniel Nichter wrote:
>>>>>>>
>>>>>>> I'd like to draw attention to https://bugs.launchpad.net/drizzle/+bug/823637: "auth_pam and auth_http do not work". I think the reason is that the authentication system does not pass authentication plugins a plaintext password, only a MySQL-scrambled hash of the original plaintext password. I've verified that this is the problem with auth_http by manually inserting a plaintext password.
>>>>>>>
>>>>>>> If this is the root problem, then I don't see how the authentication system will work, because a MySQL password hash is only useful for MySQL, i.e. pam and curl can't use it. Can the plaintext password still be accessed?
>>>>>>>
>>>>>>> -Daniel

--
henrik.i...@avoinelama.fi
+358-40-8211286 skype: henrik.ingo irc: hingo
www.openlife.cc

My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559

_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to : drizzle-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help : https://help.launchpad.net/ListHelp
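The thread turns on one fact: an auth plugin is handed the MySQL-scrambled token, not the plaintext, so auth_pam and auth_http cannot forward a password to PAM or curl, while a plugin that holds the stored hash (as auth_ldap does in its custom LDAP attribute) can still verify the login. The following is an added illustration, not code from Drizzle or libdrizzle: the standard MySQL 4.1 challenge/response in Python, assuming that libdrizzle's mysql_password_hash produces the same "*" + hex(SHA1(SHA1(password))) format as MySQL's PASSWORD().

```python
import hashlib
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def password_hash(password: str) -> str:
    """The value the server (or, for auth_ldap, the LDAP attribute) stores:
    '*' + uppercase hex of SHA1(SHA1(password)). Assumed to match what
    mysql_password_hash from libdrizzle prints."""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def client_token(password: str, challenge: bytes) -> bytes:
    """What the client puts on the wire after receiving the 20-byte challenge:
    SHA1(pw) XOR SHA1(challenge + SHA1(SHA1(pw))). This token, not the
    plaintext, is all an authentication plugin receives."""
    stage1 = sha1(password.encode())
    return xor_bytes(stage1, sha1(challenge + sha1(stage1)))


def server_verify(stored: str, challenge: bytes, token: bytes) -> bool:
    """Verification needs only the stored double hash: undo the XOR to get
    SHA1(pw), hash once more, compare. The plaintext is never recovered,
    which is exactly why PAM or an HTTP endpoint cannot be fed from here."""
    stage2 = bytes.fromhex(stored[1:])
    stage1 = xor_bytes(token, sha1(challenge + stage2))
    return sha1(stage1) == stage2


def demo(password: str = "password") -> dict:
    """One full exchange with a fresh random challenge (constructed input)."""
    challenge = os.urandom(20)
    stored = password_hash(password)
    token = client_token(password, challenge)
    return {
        "stored": stored,
        "token_len": len(token),
        "ok": server_verify(stored, challenge, token),
        "wrong_pw_ok": server_verify(stored, challenge, client_token("x", challenge)),
    }


if __name__ == "__main__":
    print(demo())
```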