Bug 758151 - chapter 7: No information of cyrus-sasl packages requirement for particular authentication methods
Summary: chapter 7: No information of cyrus-sasl packages requirement for particular a...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: Messaging_Installation_and_Configuration_Guide
Version: Development
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: 2.1.2
: ---
Assignee: Tim Hildred
QA Contact: Zdenek Kraus
URL:
Whiteboard:
: 743620 (view as bug list)
Depends On:
Blocks: 905096
TreeView+ depends on / blocked
 
Reported: 2011-11-29 12:44 UTC by Zdenek Kraus
Modified: 2013-01-28 15:10 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 905096 (view as bug list)
Environment:
Last Closed: 2012-06-26 00:14:59 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 743620 0 unspecified CLOSED Missing information about cyrus-sasl-plain package 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 754228 1 None None None 2021-01-20 06:05:38 UTC

Internal Links: 743620 754228

Description Zdenek Kraus 2011-11-29 12:44:29 UTC
Description of problem:
There are sasl authentication methods listed in chapter 7 messaging installation guide, but there is no notice or warning that you have to install additional cyrus-sasl package for use of the particular authentication method.

for example.: use of PLAIN requires cyrus-sasl-plain package to be installed.

then it should be noticed that particular method have to be enabled in config /etc/sasl2/qpidd.conf, for above example like:
mech_list: PLAIN

Version-Release number of selected component (if applicable):
2.1
  
Actual results:
authentication method listed

Expected results:
authentication method listed with required cyrus-sasl-* package
and notice how to configure particular methods, with example.

Comment 1 Tim Hildred 2011-12-16 01:55:16 UTC
Hey Zdenek;

Are you suggesting that a couple extra steps be added to the "Enabling Using SASL Plain Authentication" procedure in chapter 7? And maybe a title change to "Installing and Enabling Using SASL Plain Authentication"?

Something like:
1. Install the cyrus-sasl-plain package by running the yum install cyrus-sasl-plain command.

2. Configure Messaging to use the plain authentication method by editing the  /etc/sasl2/qpidd.conf to read mech_list: PLAIN.

3. Add new users to the database by using the saslpasswd2 command.... (this is currently step one in the procedure)

Or alternatively, should a separate procedure be added before the existing one, called something like: "Installing and configuring packages for PLAIN Authentication", leaving the current procedure as it is? 

On a side note, it seems strange that a package required for the default authentication method is not installed by default?

Comment 3 Zdenek Kraus 2012-01-02 09:15:25 UTC
Hi Tim,

this change looks good, but it'll be nice to have also a table with all authentication methods and required packages settings like:

Method      | packages         | /etc/sasl2/qpidd.conf
------------------------------------------------------
ANONYMOUS   | -                | -
PLAIN       | cyrus-sasl-plain | mech_list: PLAIN
DIGEST-MD5  | cyrus-sasl-md5   | mech_list: DIGEST-MD5
...


I think when package is not installed by default and you are forced to handle the authentication by yourself. That means you won't leave it to default PLAIN authentication, that is vulnerable to password evaesdropping, so insecure.

Comment 4 Tim Hildred 2012-01-11 04:49:42 UTC
Hey again Zdnek;

Is that the complete table you would like me to add? You have a "..." at the end, but I don't know enough about it to figure out what the other options might be, and the associated changes to the qpidd.conf file. Could you please make a complete table in this bugzilla that I can add to the guide? I'll go ahead and add the table as you have it now, and if there are more, I can add them too. 

Thank you!

Happy new year!

Comment 6 Zdenek Kraus 2012-01-13 18:09:30 UTC
Hi Tim,

I hope I'm aware of all methods (source [1],[2]):

Method      | packages          | /etc/sasl2/qpidd.conf
-------------------------------------------------------
ANONYMOUS   | -                 | -
PLAIN       | cyrus-sasl-plain  | mech_list: PLAIN
DIGEST-MD5  | cyrus-sasl-md5    | mech_list: DIGEST-MD5
CRAM-MD5    | cyrus-sasl-md5    | mech_list: CRAM-MD5
KERBEROS/   |
GSSAPI      | cyrus-sasl-gssapi | mech_list: GSSAPI

and then specify note or paragraph about, that it's possible to use more methods at once like: mech_list: PLAIN DIGEST-MD5.
and you can add note about GSSAPI, that it need to be configured very differently

finally add reference to Messaging User Guide chapter 10.1. User Authentication, where are additional informations described.

[1] http://qpid.apache.org/books/0.12/AMQP-Messaging-Broker-CPP-Book/html/ch01s05.html
[2] http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_User_Guide/index.html#sect-Messaging_User_Guide-Security-User_Authentication

Comment 8 Zdenek Kraus 2012-01-23 10:27:43 UTC
Hi Tim,

in CRAM-MD5 row in sasl2 configuration column has to be "mech_list: CRAM-MD5".
Everything else is okay.

-> ASSIGNED

Comment 9 Tim Hildred 2012-01-24 01:40:11 UTC
Hey Zdenek;
I Committed revision 77366. However, the migration from dist-cvs to dist-git has basically broken our ability to stage books. When we know what's up, and what to do about it, I'll let you know.

Comment 12 Zdenek Kraus 2012-03-01 09:03:07 UTC
It's correct. -> VERIFIED

Comment 13 Stanislav Graf 2012-07-26 13:14:07 UTC
*** Bug 743620 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.