[OpenAFS] One of my users has married - what to do?

John Hascall john@iastate.edu
Sun, 29 Apr 2007 13:26:44 CDT


> John Hascall <john@iastate.edu> writes:
> > Not in any recent from-MIT version.  There used to be a
> >    rename_principal ${oldname} ${newname}
> > command in kadmin[.local] but it vanished at some point.
> > We've been adding it back in ever since here as we end
> > up doing a couple hundred renames a year.
> ...

> Oddly enough, we also add in support for rename_principal to our copy
> of MIT kerberos (umich.edu).  The main interesting complication is
> handling salt right.  We probably do several hundred of these a year.
> In addition to handling kerberos and pts, it's also necessary (in our
> environment) to rename the user volume, its mount point, the entry in
> the password file, the imap mailbox, the ldap directory entry, and to
> locate and change any ldap directory attributes that point to that
> directory entry.  Also there's a local oracle database with billing
> information, and some data in peoplesoft, and an entry in MS active
> directory, and another directory entry in Novell eDir, and...
> Needless to say we also discourage login changes.

   We used to charge $25 (waived for reasons like marriage) to
   discourage it, because we have pretty much all those things
   to change as well, but since it's been totally automated
   we no longer charge anything.

> We don't yet have a way to change cached data in meatware.

   One thing our process does is add a maillist that forwards
   from the old name to the new name that auto-expires in a year,
   and we tell them they've got a year to update the data cached
   in "meatheads" :)

John