[TriLUG] It's times like these that I wish TriLUG had an RH Update server

Tanner Lovelace lovelace at wayfarer.org
Thu Aug 1 11:06:57 EDT 2002


On Wed, 2002-07-31 at 18:28, Thunder Bear wrote:
> Unfortunately we've been a bit behind on letting the membership know 
> what is going on.

Sorry about that.  Let's see if I can do any better here.
 
> Tanner can probably best explain what he's been trying to accomplish on 
> his end, which is the real backbone of all of the other services we'd 
> like to provide.  We're talking about a secure single sign-on solution 
> so one account will get you into everything TriLUG provides.  That, my 
> friends, is the bottleneck.  I don't know if Tanner needs help with that 
> but if you are a guru in SASL/LDAP/Kerberos you might want to join the 
> sys at trilug.org mailing list and offer a hand.
> 
> Once that is in place we can pretty rapidly get the mail services up and 
> running.  So mail itself is not being a pain.  It's the single sign on 
> mess.

Okay, to start with, I've put up a web page that briefly says what's
going on. http://www.trilug.org/~lovelace/resources/  Take a look at
that and let me know if you have any questions.

Secondly, if anyone here has successfully set up a) Kerberos version 5,
b) LDAP as a replacement for NIS, and/or c) Cyrus SASL using either
Kerberos or LDAP as the authentication method, I'd like to hear from
you.

Thirdly, let me explain a bit what we're trying to do, and why
it's taking so long.

When Jon originally asked me to set up the imap server, I was asked
to set up the Cyrus Imap server.  Cyrus allows you to divorce the
Imap user accounts from the shell user accounts on that machine.
I still think this is a good idea.  Unfortunately, it means you
can't use the "normal" unix account/authentication procedures
and instead you have to learn an entirely new system.  Cyrus
uses something called SASL (Simple Authentication and Security Layer),
which, unfortunately, is not at all simple. SASL allows you to
plug in different types of authentication.  I did originally
get the imap server set up using the very basic sasldb account/auth
mechanism, but the reason I didn't do anything beyond that was that
it was completely unmaintainable.  For one, there was absolutely
no way for a regular user to change their password.  The system
administrator would have had to change everyone's password!  Two,
the passwords were stored in cleartext on the server.  While I
think our security is good, I felt the risk, in case of compromise,
was just too great for that to be a viable solution.  So, I looked
for something else.

Like I said, SASL will let you use different
authentication mechanisms, so I decided to use LDAP, with the passwords
being stored in kerberos.  This would also allow us to convert the
shell passwords on fatalpha to use ldap too, and allow us to
add other services in the future using the same thing.  In addition,
people could change their own passwords (by logging into fatalpha,
which btw, can now be accessed as login.trilug.org) and it wouldn't
overwhelm the system administrator.  So, I found a very good howto
on how to install kerberos and ldap
(http://www.ofb.net/~jheiss/krbldap/) and started work.

Unfortunately,
I was hindered by the fact that, because the kerberos/ldap servers
we were using were alphas, I needed to compile most of the software
myself.  (Yes, the alphas, except for fatalpha, are running redhat 7.2,
but I need some later versions of the software.)  Since fatalpha
was running an earlier version of redhat, that meant I had to actually
compile on the other, extremely slow alphas.  This basically meant
that I had to start a compile, which would then go pretty much
4-6 hours during the night, and hope that it worked and didn't bomb.
But, I eventually got kerberos compiled and installed and working.
This was sometime in June. I then switched to ldap and got it compiled
and installed, but when I went to run it, it would bomb on something
to do with berkeley db.  At that point, I left on a couple of
different vacations, and when I got back, I had been given a machine
from the Center for the Public Domain for the rack.  We had decided
to use that machine as the ftp server, and because it was physically
sitting in my house, and I don't have that much room because we're
trying to clean up in anticipation of selling our house, I switched
to working on that machine instead.  (Unfortunately, there
seems to be something not quite matching up with our scsi cards and
drives, but that's a different story.)

So, that's where things stand right now.  Jeremy, Chris and I are
getting together this Friday evening with both the CPD server and
another server that Chris acquired for us ( that was donated by
someone else, I don't remember who, sorry).  We're going to
see if we, as a small group, but more than one, can quickly
set up 1) kerberos/ldap authentication, 2) the ftp server, 3) the
mail server.  It is possible that we might move the mail server
over to the machine Chris has.  Although I disagree with Chris's
assertions that stonesoup is "crap" (I think it's quite stable, myself),
the machine Chris has is a more powerful machine and will probably
work better over the long run as we expand (i.e. it's a dual processor
with lots of memory).  I've heard from some people that they
think that the SC is just getting together in secret to do things
without any help/input from the membership.  That couldn't be
further from the truth.  The reasons no one else was invited were
1) Chris has an infant daughter, and more people would make it
very hard for her to get to bed. 2) Sometimes more people don't
actually help.  A smaller group can generally work better than
a larger one (reference The Mythical Man-Month).  As far as
not keeping the membership informed, I must plead guilty. 
Unfortunately, I tend to have the inclination to not talk about
things until I can actually have something to show.  Since I haven't
had anything much to "show" to the membership, I haven't been
saying anything.  I apologize if that has confused/angered anyone.
I'll try to do better in the future.  However, if you want to
know anything, please feel free to e-mail and ask.

One other thing I think needs to be said is this.  Because of
what we're trying to do right now, I really don't want to commit
to doing anything else until we can show some progress on what
we're trying to do.  So, while I think it would be a good idea
to have a current server, I can't commit to helping with it at
this time.  If, however, someone wants to set up a machine as
a current server, I would be happy to take it to the trilug
rack and plug it in (and add the appropriate dns entries).  Any
more than that, however, I'm going to have to say no.  Not because
there's anything wrong with a particular proposal, but just
because I don't want to overcommit myself.

So, that's the state of things in a nutshell.  Thoughts?
Questions?

Tanner Lovelace
TriLUG System Administrator
-- 
Tanner Lovelace | lovelace at wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
          Si hoc legere scis, nimium eruditionis habes.
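As an added illustration, not taken from this post or from the howto it links, here are the two Cyrus imapd.conf arrangements the message contrasts: the sasldb backend Tanner started with, and the saslauthd-to-Kerberos setup he was moving toward. The TLS file paths are assumptions.

```conf
# /etc/imapd.conf, the original setup: passwords verified from the
# local sasldb.  Cyrus SASL keeps the userPassword secret in /etc/sasldb2
# in the clear so that shared-secret mechanisms (CRAM-MD5, DIGEST-MD5)
# can be computed, and only whoever has write access to that file can
# change an entry (saslpasswd2), so users cannot change their own.
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_mech_list: PLAIN CRAM-MD5

# /etc/imapd.conf, the direction described in the post: hand password
# checking to saslauthd, which asks the Kerberos KDC.  No password
# material lives on the IMAP host, and users change passwords with
# kpasswd on login.trilug.org.  Only PLAIN can be verified this way,
# so refuse it until STARTTLS has been negotiated.
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowplaintext: no
tls_cert_file: /etc/ssl/certs/imap.pem      # assumed path
tls_key_file: /etc/ssl/private/imap.key     # assumed path

# saslauthd is then started with the Kerberos 5 mechanism:
#   saslauthd -a kerberos5
```

With `allowplaintext: no`, Cyrus advertises LOGINDISABLED until the TLS layer is up, so a client cannot leak the Kerberos password over a cleartext session.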
