Description of problem:
There are SASL authentication methods listed in chapter 7 of the Messaging Installation Guide, but there is no notice or warning that you have to install an additional cyrus-sasl package to use a particular authentication method. For example, use of PLAIN requires the cyrus-sasl-plain package to be installed. It should then be noted that the particular method has to be enabled in the config file /etc/sasl2/qpidd.conf; for the above example: mech_list: PLAIN
Version-Release number of selected component (if applicable): 2.1
Actual results: authentication method listed
Expected results: authentication method listed with the required cyrus-sasl-* package and a note on how to configure particular methods, with an example.
Hey Zdenek;
Are you suggesting that a couple extra steps be added to the "Enabling Using SASL Plain Authentication" procedure in chapter 7? And maybe a title change to "Installing and Enabling Using SASL Plain Authentication"? Something like:
1. Install the cyrus-sasl-plain package by running the yum install cyrus-sasl-plain command.
2. Configure Messaging to use the plain authentication method by editing the /etc/sasl2/qpidd.conf to read mech_list: PLAIN.
3. Add new users to the database by using the saslpasswd2 command.... (this is currently step one in the procedure)
Or alternatively, should a separate procedure be added before the existing one, called something like: "Installing and configuring packages for PLAIN Authentication", leaving the current procedure as it is?
On a side note, it seems strange that a package required for the default authentication method is not installed by default?
Hi Tim,
this change looks good, but it would be nice to also have a table with all authentication methods and the required packages and settings, like:
Method     | packages         | /etc/sasl2/qpidd.conf
------------------------------------------------------
ANONYMOUS  | -                | -
PLAIN      | cyrus-sasl-plain | mech_list: PLAIN
DIGEST-MD5 | cyrus-sasl-md5   | mech_list: DIGEST-MD5
...
I think when the package is not installed by default, you are forced to handle the authentication yourself. That means you won't leave it at the default PLAIN authentication, which is vulnerable to password eavesdropping and so insecure.
Hey again Zdenek;
Is that the complete table you would like me to add? You have a "..." at the end, but I don't know enough about it to figure out what the other options might be, and the associated changes to the qpidd.conf file. Could you please make a complete table in this bugzilla that I can add to the guide? I'll go ahead and add the table as you have it now, and if there are more, I can add them too. Thank you! Happy new year!
Hi Tim,
I hope I'm aware of all methods (sources [1], [2]):
Method          | packages          | /etc/sasl2/qpidd.conf
------------------------------------------------------------
ANONYMOUS       | -                 | -
PLAIN           | cyrus-sasl-plain  | mech_list: PLAIN
DIGEST-MD5      | cyrus-sasl-md5    | mech_list: DIGEST-MD5
CRAM-MD5        | cyrus-sasl-md5    | mech_list: CRAM-MD5
KERBEROS/GSSAPI | cyrus-sasl-gssapi | mech_list: GSSAPI
Then add a note or paragraph saying that it's possible to use more methods at once, like: mech_list: PLAIN DIGEST-MD5. You can also add a note about GSSAPI, that it needs to be configured very differently. Finally, add a reference to the Messaging User Guide, chapter 10.1 User Authentication, where additional information is described.
[1] http://qpid.apache.org/books/0.12/AMQP-Messaging-Broker-CPP-Book/html/ch01s05.html
[2] http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2/html-single/Messaging_User_Guide/index.html#sect-Messaging_User_Guide-Security-User_Authentication
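Added example, not part of the original comments or of the product documentation: a shell check that reads the mech_list from a Cyrus SASL config file and reports which packages from the table above it requires and, where rpm is available, which are missing. The function names and the sample config are constructed for illustration, and the file is assumed to hold a single mech_list line.

```sh
#!/bin/sh
# Added example: check a qpidd SASL config against the method/package table above.

# Package that provides a mechanism ("-" = none needed); fails if not in the table.
pkg_for_mech() {
    case "$1" in
        ANONYMOUS)           echo "-" ;;
        PLAIN)               echo "cyrus-sasl-plain" ;;
        DIGEST-MD5|CRAM-MD5) echo "cyrus-sasl-md5" ;;
        GSSAPI)              echo "cyrus-sasl-gssapi" ;;
        *)                   return 1 ;;
    esac
}

# Mechanisms named on the uncommented mech_list line of file $1, one per line.
# Assumption: the file holds a single mech_list line. Names are upper-cased
# so they can be compared with the table.
mech_list_of() {
    sed -n 's/^[[:space:]]*mech_list[[:space:]]*:[[:space:]]*//p' "$1" |
        tr '[:lower:]' '[:upper:]' | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Unique packages required by the mech_list in file $1.
required_packages() {
    for m in $(mech_list_of "$1"); do
        pkg_for_mech "$m" || echo "mechanism not in table: $m" >&2
    done | grep -v '^-$' | sort -u
}

# Report missing packages (queried with rpm) and flag PLAIN.
audit() {
    status=0
    for p in $(required_packages "$1"); do
        rpm -q "$p" >/dev/null 2>&1 || { echo "missing package: $p"; status=1; }
    done
    if mech_list_of "$1" | grep -qx PLAIN; then
        echo "note: PLAIN is enabled; the password is sent unencrypted"
    fi
    return "$status"
}

# Constructed sample config for trying the functions without touching /etc.
sample_conf() {
    printf '%s\n' '# constructed sample' 'pwcheck_method: auxprop' \
        'mech_list: PLAIN DIGEST-MD5 CRAM-MD5'
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Pass the config path as the first argument, for example /etc/sasl2/qpidd.conf; audit returns non-zero when a required package is missing.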
Hi Tim,
in the CRAM-MD5 row, the sasl2 configuration column has to be "mech_list: CRAM-MD5". Everything else is okay.
-> ASSIGNED
Hey Zdenek;
I committed revision 77366. However, the migration from dist-cvs to dist-git has basically broken our ability to stage books. When we know what's up, and what to do about it, I'll let you know.
It's correct. -> VERIFIED
*** Bug 743620 has been marked as a duplicate of this bug. ***