Bug 230881 - Document that LDAP + Kerberos doesn't work
Document that LDAP + Kerberos doesn't work
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: libuser (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Miloslav Trmač
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-03-04 00:55 EST by Jerry James
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-03-15 21:24:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to allow building a libuser with a libuser_krb5.so that (mostly) works (156.95 KB, patch)
2007-03-04 00:55 EST, Jerry James
no flags Details | Diff

  None (edit)
Description Jerry James 2007-03-04 00:55:20 EST
Description of problem:
I spent a lot of time learning about LDAP and Kerberos so I could use the former
to manage user information in a cluster of machines, and the latter for
authentication.  I got everything set up, threw the switch ... and only then
discovered that this setup is not feasible because libuser_krb5.so is not
available (see bug 144057) and won't be made available (see bug 83365).  If you
are going to disable functionality like this, document it!  There is no mention
ANYWHERE in the release notes that people like me shouldn't sink a bunch of time
into this setup because system-config-users isn't going to work when you're
done.  The two bugs I referenced above are both closed, so doing a search on
open bugs to see if any problems lurk in that setup also turns up nothing. 
There are no warning signs anywhere, when there ought to be big blazing signs
demanding attention.

For the benefit of others with the same problem, apply the patch attached to
this bug report and rebuild libuser, and you'll be much happier.

For what it's worth, I understand the need to avoid exposing
internal/unsupported APIs.  However, I do not understand why that need is
considered of higher priority than not crippling the systems of users with LDAP
+ Kerberos setups.  That seems backwards to me.

Version-Release number of selected component (if applicable):
libuser-0.54.7-2

How reproducible:
Always

Steps to Reproduce:
1. Set up user authentication with Kerberos
2. Set up LDAP to manage user information
3. Try to use system-config-users
  
Actual results:
system-config-users fails with a message about a missing libuser_krb5.so

Expected results:
system-config-users ought to let me do what I want since the Fedora Core
documentation definitely leads one to believe that this is a reasonable setup. 
Fedora ought to be making it very clear to its users that it is not the right
distribution to use if one wants an LDAP + Kerberos setup.

Additional info:
Comment 1 Jerry James 2007-03-04 00:55:21 EST
Created attachment 149200 [details]
Patch to allow building a libuser with a libuser_krb5.so that (mostly) works
Comment 2 Miloslav Trmač 2007-03-15 21:24:33 EDT
Thanks for your report.

> If you
> are going to disable functionality like this, document it!
As far as I know the krb5 module was not disabled, it was simply never available
in RHL/Fedora.

> There is no mention
> ANYWHERE in the release notes that people like me shouldn't sink a bunch of time
> into this setup because system-config-users isn't going to work when you're
> done.
Because this isn't a change, it doesn't belong in the release notes.

> There are no warning signs anywhere, when there ought to be big blazing signs
> demanding attention.
Please file a but against the relevant documentation.  The only mention of krb5
in libuser I could find is the default config file, and I have removed the
section in CVS.

> For the benefit of others with the same problem, apply the patch attached to
> this bug report and rebuild libuser, and you'll be much happier.
I'm afraid this is not an acceptable solution of the problem.  It has all the
disadvantages of using /usr/include/kadm5, which the Kerberos maintainer
considers unsupportable, and has the additional disadvantage that libuser will
continue to compile even if the libkrb5clnt ABI changes incompatibly, without
even a warning.

> For what it's worth, I understand the need to avoid exposing
> internal/unsupported APIs.  However, I do not understand why that need is
> considered of higher priority than not crippling the systems of users with LDAP
> + Kerberos setups.  That seems backwards to me.
Using the internal API is a guaranteed disaster when the API changes.  Any
urgent krb5 security update might break the libuser module - maybe even
completely remove some functionality the libuser module depends on.

The krb5 module is not missing to achieve some idealistic cleanliness.  It is
missing because advertising Kerberos support in libuser now, when it is almost
certain it will break at some unexpected moment, is misleading the users.

Note You need to log in before you can comment on or make changes to this bug.