[WBEL-users] A story of Authentication, and a few questions
bishop
bishop@platypus.bc.ca
Thu, 30 Sep 2004 15:11:00 -0700
Dear list,
It's not entirely within the scope of this list, but I'm hoping it'll be
acceptable given that E is for Enterprise and this is an
Enterprise-based question. It's my best hope.
Based on what I've read, Hesiod should be able to adequately replicate
UIDs far and wide in an awesome and simple manner. Unfortunately, along
with the Greek Theologian and Poet comes a snarling beast of a
three-headed dog of an authentication service that bites friend or foe
coming into the yard if its leash is ever cut. In our increasingly
imperfect i-world where the BackHoe is the new Shiva, digitally
worshipped and feared as the destroyer of the Internet, having such a
nasty dog biting the users during a network outage is just no fun.
So, we're down to a heavy process of a potentially overloaded and/or
misunderstood protocol, probably sarcastically nicknamed 'lightweight'.
So off I go, using the redhat auth config tool on my WBEL tester box
('golem'). It seemed to go very well, modding the pam and nsswitch bits
along expected themes, and seemed to do its job quite happily.
Question 1: the auth problem seen in RH9 with an absent LDAP server seems
to have been solved. Agree?
Caveat: I freely admit to misunderstanding LDAP. In fact, if you phone me,
that's my voicemail greeting.
The interesting part is, netstat told me a story that didn't include a
running LDAP server, a bit surprising. Of course, nothing in chkconfig,
because openldap-servers wasn't installed. Mystery solved, then.
Incidentally, apt-get bails here because of the
redundant file dependency of the conversion script
> Resolving dependencies
> ...Segmentation fault
> [root@golem root]# !!
> yum install openldap-servers
>
> Unable to find pid
> Gathering header information file(s) from server(s)
So I fumbled with Yum, as it (downloaded the freaking library of
congress, segfaulted, downloaded MORE/other new stuff when I reran it,
and then, finally) installed openldap-servers.
Newbie Question 2: is that normal, for it to download a whack of stuff
and then, when rerun with !!, download MORE stuff? What the heck else
could it need now that it didn't need a moment ago? And is the header
list actually longer than the list of charges at Nuremberg?
> Resolving dependencies
> Dependencies resolved
> I will do the following:
> [install: openldap-servers 2.0.27-17.i386]
Okay. So it looks like it's done.
Questions; answer what ya like:
3 anyone seen the random death of yum like that?
4 hands up who thinks I need to re-run redhat-auth-config again.
5 I'm thinking I'll need to set up replication to get any useful
reliability in this auth scheme the next time the whim of the
backhoe cuts me off. Agree?
6 How easy/versatile is the CNAME-ish search referral in LDAP?
Easy as it should be?
Anyway, whatever questions you can answer, dear reader, would be
appreciated. By the time you read this, question #4 may already be
dead. I prefer private responses, too, and intend to post a summary to
the list when the dust clears, if there are any responses.
Thanks for your patience.
--
- bish
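Question 1 above is really about whether nss_ldap and pam_ldap fail soft when the directory is unreachable: with the PADL client's defaults (bind_policy hard, 30-second bind timeout, no limit on retries) every lookup of a user not in /etc/passwd, and every PAM authentication, blocks until the server comes back, which is the login hang seen on RH9. The script below is an added example, not code from the original post or from the authconfig tool; it is a plain-text check of the two files authconfig edits, /etc/ldap.conf and /etc/nsswitch.conf, for the settings that make an absent server a fast failure rather than a hang. The option names (bind_policy, bind_timelimit, timelimit, nss_reconnect_tries) are the PADL nss_ldap ones and their availability depends on the nss_ldap version installed; the 10-second ceiling, the hostname ldap.example.com and the sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether a PADL-style
# /etc/ldap.conf and /etc/nsswitch.conf will fail soft when the LDAP server
# is unreachable. This only inspects the files; it does not exercise nss_ldap.

# ldap_conf_check FILE
# Returns 0 if the client gives up on a dead server quickly, 1 otherwise.
ldap_conf_check() {
    conf=$1
    rc=0
    # bind_policy defaults to "hard" when absent: retry the server forever.
    if ! grep -Eq '^[[:space:]]*bind_policy[[:space:]]+soft' "$conf"; then
        echo "$conf: bind_policy is hard or unset; lookups retry a dead server" >&2
        rc=1
    fi
    # Cap both the connect time and the per-search time (seconds). The 10s
    # ceiling is an assumption for this example, not an nss_ldap default.
    for opt in bind_timelimit timelimit; do
        val=$(awk -v o="$opt" '$1 == o { print $2 }' "$conf" | tail -n 1)
        case "$val" in
            ''|*[!0-9]*) echo "$conf: $opt missing or not numeric" >&2; rc=1 ;;
            *) if [ "$val" -gt 10 ]; then
                   echo "$conf: $opt is ${val}s, longer than 10s" >&2; rc=1
               fi ;;
        esac
    done
    return $rc
}

# nsswitch_check FILE
# Returns 0 if passwd, shadow and group consult files before ldap, so local
# accounts (root above all) still resolve with the directory down.
nsswitch_check() {
    conf=$1
    rc=0
    for db in passwd shadow group; do
        order=$(awk -v d="$db:" '$1 == d { $1 = ""; print }' "$conf")
        set -- $order
        if [ "${1:-}" != "files" ]; then
            echo "$conf: $db: '$order' should list files before ldap" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files for the example; hostname and values are made up.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# What a default client config looks like: no fail-soft settings at all.
cat > "$work/ldap.conf.default" <<'EOF'
host ldap.example.com
base dc=example,dc=com
ssl no
pam_password md5
EOF

# Same config with the settings that make an absent server a fast failure.
cat > "$work/ldap.conf.soft" <<'EOF'
host ldap.example.com
base dc=example,dc=com
ssl no
pam_password md5
bind_policy soft
bind_timelimit 5
timelimit 5
nss_reconnect_tries 1
EOF

cat > "$work/nsswitch.conf.bad" <<'EOF'
passwd:     ldap files
shadow:     ldap files
group:      ldap files
EOF

cat > "$work/nsswitch.conf.good" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
EOF

for f in "$work/ldap.conf.default" "$work/ldap.conf.soft"; do
    if ldap_conf_check "$f"; then echo "$f: fails soft"; else echo "$f: will hang"; fi
done
for f in "$work/nsswitch.conf.bad" "$work/nsswitch.conf.good"; do
    if nsswitch_check "$f"; then echo "$f: files first"; else echo "$f: ldap first"; fi
done
```

Point the two functions at the real /etc/ldap.conf and /etc/nsswitch.conf after running authconfig to see what it left behind. A passing check means a lookup of an unknown user costs at most the configured timeouts with the server gone, not that authentication keeps working: users whose accounts live only in the directory still cannot log in until it returns, which is what question 5 (replication, and a second server for the client to fall over to) is about.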