
Re: (ITS#5207) Password checking: external program

<quote who="Hadmut Danisch">
> Gavin Henry wrote:
>> I don't read that as rude, merely advice. Don't take it personally please.
> I do. His point was not to understand or answer my question. His point
> was to allege that I would not know what I am talking about and would
> not have understood the basic principles of LDAP just because my wording
> differed slightly from his expectations.

The problem with e-mail is that a person's tone can't be portrayed.

> It was a personal attack and I take it as such. I don't care about, but
> I notice that the guys behind openldap tend to rather attack people
> personally than answering security relevant questions and that they
None of our team do this. We all have limited time and do our best to
reply to users' questions or ITS reports. But you must understand, 99% of
questions asked have been asked before with the answers being available in
the mailing archives.

9 times out of 10 a user hasn't read any of our docs, so we politely ask,
"have you read any of the docs?", that's not "have you *read* any of the
docs?" implying an insult.

So if we come across as attacking people, then I believe that this is an
interpretation of the reader.

> expect everyone to know what's not in the docs but hidden somewhere in
> some strange FAQ machine.

Not really strange, pretty standard at the time and still used in many OSS

I've actually ported most of the relevant parts of our FAQ-O-Matic to the
2.4 Admin Guide, at present over 80 new pages of content over a 6-7 month
period of unpaid commitment. So when I ask, as the OpenLDAP Project
Documentation Leader, have you read any of the docs, I think I'm entitled to
put that question to a user. That's not being rude.

> Beyond the fact that this is not worth of further dispute, from my point
> of view this way of dealing with questions and handling authentication
> details disqualifies as software engineers for security relevant
I disagree. Nothing in this thread can back up your claim here.

> Just for your information: I read the specs when they were issued as
> X.500 and X.509 in the CCITT Blue Book. But I am not rereading specs
> every day, LDAP is just a small detail of my daily work.


>> OpenLDAP supports SASL, SASL does have its own documentation. Did you
>> try to read any of that?
> Again, this offending way to assume that anyone who does not have
> exactly your point of view could not have read the specs. "try to read"
> is offensive.

Maybe I should have asked, "Did you browse the SASL docs?", "Or did you
take a quick look over at the SASL documentation?". They all mean the same
thing, with no offence intended.

It's all in how the reader sees it.


> So before blaming me for not reading and understanding specs, tell me,
> where exactly this is specified.
> Do those particular specs you're blaming me for not having read at all

I don't know, I'm not a SASL expert. Maybe one of the Core team can answer

If you do find the answer or implement something to solve your feature
request, documentation patches are always welcome. We are an Open Source
Community after all.