[WBEL-users] A story of Authentication, and a few questions

bishop bishop@platypus.bc.ca
Thu, 30 Sep 2004 15:11:00 -0700


Dear list,

It's not entirely within the scope of this list, but I'm hoping it'll be 
acceptable given that E is for Enterprise and this is an 
Enterprise-based question.  It's my best hope.

Based on what I've read, Hesiod should be able to adequately replicate 
UIDs far and wide in an awesome and simple manner.  Unfortunately, along 
with the Greek Theologian and Poet comes a snarling beast of a 
three-headed dog of an authentication service that bites friend or foe 
coming into the yard if its leash is ever cut.  In our increasingly 
imperfect i-world where the BackHoe is the new Shiva, digitally 
worshipped and feared as the destroyer of the Internet, having such a 
nasty dog biting the users during a network outage is just no fun.

So, we're down to a heavy process of a potentially overloaded and/or 
misunderstood protocol, probably sarcastically nicknamed 'lightweight'. 
So off I go, using the redhat auth config tool on my WBEL tester box 
('golem').  It seemed to go very well, modding the pam and nsswitch bits 
along expected themes, and seemed to do its job quite happily.

	Question 1:  the auth problem seen in RH9 with
	an absent LDAP server seems to have been solved.
	Agree?

	Caveat:  I freely admit to misunderstanding LDAP.
	In fact, if you phone me, that's my voicemail
	greeting.

The interesting part is, netstat told me a story that didn't include a 
running LDAP server, a bit surprising.  Of course, nothing in chkconfig, 
because openldap-servers wasn't installed.  Mystery solved, then.

	Incidentally, apt-get bails here because of the
	redundant file dependency of the conversion script

> Resolving dependencies
> ...Segmentation fault
> [root@golem root]# !!
> yum install openldap-servers
> 
> Unable to find pid
> Gathering header information file(s) from server(s)

So I fumbled with Yum, as it (downloaded the freaking library of 
congress, segfaulted, downloaded MORE/other new stuff when I reran it, 
and then, finally) installed openldap-servers.

	Newbie Question 2:  is that normal, for it to download a
	whack of stuff and then, when rerun with !!, download
	MORE stuff?  What the heck else could it need now that
	it didn't need a moment ago?  And is the header list actually
	longer than the list of charges at Nuremberg?

> Resolving dependencies
> Dependencies resolved
> I will do the following:
> [install: openldap-servers 2.0.27-17.i386]

Okay.  So it looks like it's done.

Questions;  answer what ya like:
  3 anyone seen the random death of yum like that?
  4 hands up who thinks I need to re-run redhat-auth-config again.
  5 I'm thinking I'll need to set up replication to get any useful
    reliability in this auth scheme the next time the whim of the
    backhoe cuts me off.  Agree?
  6 How easy/versatile is the CNAME-ish search referral in LDAP?
    Easy as it should be?

Anyway, whatever questions you can answer, dear reader, would be 
appreciated.  By the time you read this, question #4 may already be 
dead.  I prefer private responses, too, and intend to post a summary to 
the list when the dust clears, if there are any responses.

Thanks for your patience.

--
  - bish
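Added editorial example, not part of bish's post or of the files authconfig wrote on golem: one way the nsswitch, PAM and nss_ldap pieces can be arranged so that local accounts keep working and directory lookups fail fast, rather than hang, while the LDAP server is unreachable. The host, base DN and all file contents below are constructed placeholders.

```conf
# /etc/nsswitch.conf (constructed example)
# "files" first: root and local service accounts resolve from /etc/passwd
# without ever touching the directory, so a dead LDAP server cannot lock
# you out of the console.
passwd:   files ldap
shadow:   files ldap
group:    files ldap

# /etc/ldap.conf for nss_ldap / pam_ldap (constructed example)
host 192.0.2.10                 # placeholder LDAP server address
base dc=example,dc=com          # placeholder directory suffix
bind_policy soft                # give up after a failed connect instead of retrying forever
bind_timelimit 5                # seconds to wait for the TCP connect/bind
timelimit 10                    # seconds to wait for a search to return
# Caveat: "soft" trades availability for correctness; an LDAP-only user
# simply gets "no such user" during the outage rather than a hang.

# /etc/pam.d/system-auth, auth section (constructed example)
# pam_unix runs first and is "sufficient", so a local password succeeds
# without consulting pam_ldap; only non-local accounts fall through.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
```

Check the outage behaviour deliberately (block the LDAP port on the test box, then time `getent passwd <localuser>` and an `su` to a local account) before trusting it in production.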