[OpenAFS] Future of AFS? Interesting Ideas!?

Turbo Fredriksson turbo@bayour.com
25 Dec 2002 12:24:29 +0100


Quoting Paul Blackburn <mpb@est.ibm.com>:

> Martin Schulz wrote:
> 
> >Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
> >
> >
> >>And IMHO, OpenAFS is the sort of thing that should make use of an existing
> >>single sign-on infrastructure, rather than providing one itself.
> >>
> >
> > I can only second this. Yours,
> >
> Right, but what do you do for sites which do _not_ have
> an existing single sign-on infrastructure?

THEN you provide your own system. Doing this with 'hooks' in the software,
so that _it is possible_ to replace the provided infrastructure with something
else.

The idea of reinventing the wheel (incorporating Kerberos 4 in AFS for example)
is a bad idea. It might have been the only choice at the time, but NOW
it sucks! I don't want Kerberos 4, I want Kerberos 5. This can now be accomplished
by external means, and that's exactly how it should be done. I know that
the AFS people are removing Kerberos 4 from OpenAFS, but this should be
the case with the ubick (?). I want LDAP, so I'd like the possibility to
do this...

> Also, how do you cope with all the possible types of
> single sign-on infrastructures that different sites may implement?

Hooks. As long as the possibility is there, any site can do whatever they
please. Just provide a 'decent' default.

> It's a nightmare to try and provide something to please everyone.
> 
> IMHO, it makes good sense to provide the sign-on with AFS
> (eg kerberos). You can choose to implement something else
> if you wish to. AFAIK, AFS has always been capable of being
> used either with the kerberos kaserver supplied with it or
> with kerberos 5 from MIT.

Always? From what I can tell, the 'aklog' etc isn't THAT old...