Bug 758151

Summary: chapter 7: No information of cyrus-sasl packages requirement for particular authentication methods
Product: Red Hat Enterprise MRG Reporter: Zdenek Kraus <zkraus>
Component: Messaging_Installation_and_Configuration_GuideAssignee: Tim Hildred <thildred>
Status: CLOSED CURRENTRELEASE QA Contact: Zdenek Kraus <zkraus>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: DevelopmentCC: chetan, lbrindle, sgraf
Target Milestone: 2.1.2   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 905096 (view as bug list) Environment:
Last Closed: 2012-06-26 00:14:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 905096    

Description Zdenek Kraus 2011-11-29 12:44:29 UTC 
Description of problem:
There are sasl authentication methods listed in chapter 7 messaging installation guide, but there is no notice or warning that you have to install additional cyrus-sasl package for use of the particular authentication method.

for example.: use of PLAIN requires cyrus-sasl-plain package to be installed.

then it should be noticed that particular method have to be enabled in config /etc/sasl2/qpidd.conf, for above example like:
mech_list: PLAIN

Version-Release number of selected component (if applicable):
2.1
  
Actual results:
authentication method listed

Expected results:
authentication method listed with required cyrus-sasl-* package
and notice how to configure particular methods, with example.
Comment 1 Tim Hildred 2011-12-16 01:55:16 UTC 
Hey Zdenek;

Are you suggesting that a couple extra steps be added to the "Enabling Using SASL Plain Authentication" procedure in chapter 7? And maybe a title change to "Installing and Enabling Using SASL Plain Authentication"?

Something like:
1. Install the cyrus-sasl-plain package by running the yum install cyrus-sasl-plain command.

2. Configure Messaging to use the plain authentication method by editing the  /etc/sasl2/qpidd.conf to read mech_list: PLAIN.

3. Add new users to the database by using the saslpasswd2 command.... (this is currently step one in the procedure)

Or alternatively, should a separate procedure be added before the existing one, called something like: "Installing and configuring packages for PLAIN Authentication", leaving the current procedure as it is? 

On a side note, it seems strange that a package required for the default authentication method is not installed by default?
Comment 3 Zdenek Kraus 2012-01-02 09:15:25 UTC 
Hi Tim,

this change looks good, but it'll be nice to have also a table with all authentication methods and required packages settings like:

Method      | packages         | /etc/sasl2/qpidd.conf
------------------------------------------------------
ANONYMOUS   | -                | -
PLAIN       | cyrus-sasl-plain | mech_list: PLAIN
DIGEST-MD5  | cyrus-sasl-md5   | mech_list: DIGEST-MD5
...


I think when package is not installed by default and you are forced to handle the authentication by yourself. That means you won't leave it to default PLAIN authentication, that is vulnerable to password evaesdropping, so insecure.
Comment 4 Tim Hildred 2012-01-11 04:49:42 UTC 
Hey again Zdnek;

Is that the complete table you would like me to add? You have a "..." at the end, but I don't know enough about it to figure out what the other options might be, and the associated changes to the qpidd.conf file. Could you please make a complete table in this bugzilla that I can add to the guide? I'll go ahead and add the table as you have it now, and if there are more, I can add them too. 

Thank you!

Happy new year!
Comment 6 Zdenek Kraus 2012-01-13 18:09:30 UTC 
Hi Tim,

I hope I'm aware of all methods (source [1],[2]):

Method      | packages          | /etc/sasl2/qpidd.conf
-------------------------------------------------------
ANONYMOUS   | -                 | -
PLAIN       | cyrus-sasl-plain  | mech_list: PLAIN
DIGEST-MD5  | cyrus-sasl-md5    | mech_list: DIGEST-MD5
CRAM-MD5    | cyrus-sasl-md5    | mech_list: CRAM-MD5
KERBEROS/   |
GSSAPI      | cyrus-sasl-gssapi | mech_list: GSSAPI

and then specify note or paragraph about, that it's possible to use more methods at once like: mech_list: PLAIN DIGEST-MD5.
and you can add note about GSSAPI, that it need to be configured very differently

finally add reference to Messaging User Guide chapter 10.1. User Authentication, where are additional informations described.

[1] http://qpid.apache.org/books/0.12/AMQP-Messaging-Broker-CPP-Book/html/ch01s05.html
[2] http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_User_Guide/index.html#sect-Messaging_User_Guide-Security-User_Authentication
Comment 8 Zdenek Kraus 2012-01-23 10:27:43 UTC 
Hi Tim,

in CRAM-MD5 row in sasl2 configuration column has to be "mech_list: CRAM-MD5".
Everything else is okay.

-> ASSIGNED
Comment 9 Tim Hildred 2012-01-24 01:40:11 UTC 
Hey Zdenek;
I Committed revision 77366. However, the migration from dist-cvs to dist-git has basically broken our ability to stage books. When we know what's up, and what to do about it, I'll let you know.
Comment 12 Zdenek Kraus 2012-03-01 09:03:07 UTC 
It's correct. -> VERIFIED
Comment 13 Stanislav Graf 2012-07-26 13:14:07 UTC 
*** Bug 743620 has been marked as a duplicate of this bug. ***