Re: LDAP authentication against PAM how-to
On 2/10/07, Howard Chu <firstname.lastname@example.org> wrote:
> Emmanuel Dreyfus wrote:
> Howard, maybe you should look at this with a fresh set of eyes.
> First, this link does not directly answer either of the questions that
> Emmanuel asked. Only if one is already familiar with SASL and Kerberos
> is this going to prove useful. And even so, it doesn't give enough
> guidance to answer the larger questions, like when using this method
> is good/justified, etc.
That FAQ article states rather explicitly:
> ALSO NOTE THAT ALL OF THIS IS IN GENERAL DISCOURAGED AND SHOULD BE USED
> ONLY WHEN THE CLIENT DOES NOT SUPPORT A MORE SECURE AUTHENTICATION
> In my experience, this is the general issue
> with treating the FAQ like a manual: it's just a collection of
> questions and answers, and it is not particularly cohesive. In fact,
> as the admin guide gets older, it, too, is getting less cohesive.
None of this is news to anybody. This post
is only the latest in a long history of calling for participation from the
community, with essentially no results. If the community isn't willing to
help itself, what else do you expect?
> Emmanuel's point is worth noting: it is very difficult to learn the
> OpenLDAP jargon, and the official documentation (the admin guide plus
> the FAQ, plus the man pages) quite simply doesn't cut it. They are
> steeped through and through with LDAP technical jargon (often used
> inconsistently, like "slave," "shadow," "replica," and "subordinate"
> all referring to the server receiving replication by SLURPD or
> My opinion may be in the minority here, but I don't think that a
> prerequisite to running OpenLDAP ought to be the thorough and careful
> reading of the whole bundle of LDAP RFCs. But that's the only method
> I've found of getting a good picture as to what is really (supposed to
> be) going on.
Disregarding your comments about the OpenLDAP documentation, which is already
acknowledged multiple times over, I find your point ridiculous. You cannot
run an Apache web server without knowing what "http" means and what URLs are,
what CGI means, what MIME types are, etc. Any specialized software is
necessarily accompanied by jargon and the use of that jargon is unavoidable.
In terms of pre-requisites, yes, I do believe that you must be familiar with
LDAP fundamentals before attempting to use OpenLDAP. Whether you get those
fundamentals from reading the RFCs or from reading something like Tim Howes'
book, you do need to have that knowledge, and it is not something we
currently provide. I recognize the fact that there's a gap here; Tim's book
is very dated so the current RFCs are probably the only choice.
Just bear in mind - the Project moves in the directions that its most active
members take it. Historically the Project has been about providing an LDAP
suite for people who already knew LDAP and knew what they needed it to do for
them. It has not been about teaching the basics of how LDAP works to people
who have never heard of LDAP before. If you (the community) want the Project
to spend energy moving in that direction, then someone has to step up and
become an active member of the team to make it happen.
>> Your failure to find answers doesn't prove that they don't exist.
>> - it's impossible to prove nonexistence of a thing.) If you had asked
>> someone might have pointed you in the right direction and saved you a
> I would wager, based on a few years of time on this list, that what
> one WOULD get should one ask such a question is "RTFM," perhaps
> sprinkled with comments about "newbie mistakes" and how people have
> the mistaken impression that skim reading documentation will answer
> all their questions.
You would have already lost that bet.
The first response to the original thread is a request for clarification, to
find out why the poster was trying to go down this route:
> What distributed authentication system do you use that is supported by
> pam but is not supported directly by LDAP or SASL?
Whenever I see a post that is asking for something that doesn't make sense, I
ask for more context and more clarification.
Yes, some people on this list have a tendency to post answers without taking
the time to understand the original question. There's not much we can do
about that; the fact that they're even willing to try to help is already
sometimes more than can be expected.
And yes, people *do* have a tendency to skim the documentation, thus missing
the answer that was already staring them in the face.
Your criticism of that point is completely baseless.
> Besides, Emmanuel did his best in attempting to actually remedy the
> situation by providing some information in an organized form. He
> didn't get it all right, but instead of getting helpful feedback, he
> is getting flamed! Most of his questions go unanswered, though he's
> getting "RTFM" comments and the like.
I think characterizing the responses as flames is unwarranted.
> Starting with the first response, little positive information was
> given (aside from "that's deprecated"). Shouldn't some sort of
> alternative be outlined? (Granted, Tonni did give a positive
Little positive information was provided in the first response because the
initial post didn't provide enough context from which to formulate an answer.
> Look, the bottom line is that the documentation could get better. When
> people who are willing to *try* to improve it do so, it would be nice
> if we could actually facilitate that improvement instead of thwarting
As you've already noted, there's plenty of documentation all over the web
written by people "trying to improve things" that is clearly wrong. If you're
going to try to document something, the right way is not to sit in a vacuum
tinkering and coming out to the world and saying "after zillions of hours
banging my head against the wall, this is what I came up with."
The right way is starting a dialogue, asking questions where you're uncertain
about a point, until you arrive at a correct answer. The channels for that
dialogue are wide open.
> The solution, I would assert, doesn't require much more than a change
> of attitude (or at least a change of mode of expression). OpenLDAP has
> a steep learning curve, and people who document it as they learn it
> may indeed be the best contributors to documentation because they
> still know what sort of thing trips up the newcomer.
Keeping a log of the steps you took to get where you are is of course a good
practice. But asking for help before you take a series of questionable steps,
instead of after you've already taken them, is a better practice.
OpenLDAP does not have a steep learning curve. Just for example, a few people
came up to me after my SCALE talk to say how brain-dead easy it was to get
OpenLDAP up and running after struggling unsuccessfully with other servers.
Using OpenLDAP requires that you know LDAP, and if you don't have that
knowledge, then yes, there's a steep learning curve. But that curve is there
no matter whose LDAP software you use.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/