[OpenAFS] renaming principals (Was: One of my users has married - what to do?)

Tracy Di Marco White gendalia@iastate.edu
Sun, 29 Apr 2007 22:57:31 -0500


On 4/29/07, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> And I think you're being rather optimistic about the user experiencing
> a service outage.  Unless you're able to change their Unix account,
> any ACLs, pts entry, etc etc, all at once, the user is going to have
> some kind of outage.  You could shorten it, but I don't see how you're
> going to make it zero without having everything using one mega database
> backend (I'm not talking about Moira ... this would have to handle
> every authorization request).

For us (iastate), they can certainly log into the Unix account within a
few minutes, if Moira's incrementals aren't sadly swamped. Windows
access would be a few minutes too, I think. We have Moira send the
incrementals off to trigger all the updates to all our directories pretty
quickly.  LDAP & MIT KDC take care of the OS X, Active Directory
takes care of the Windows, and Hesiod & MIT KDC for Unix, and all
of those are triggered from Moira very quickly. The user would even
be able to get their mail to their new username immediately, I believe;
just any mail they hadn't fetched to their old username may get
batched to them at the end of the day, when the old username
becomes a list. Looking at one rename, it seems to have taken
10 seconds for all the changes that Moira pushes out to happen.

That's not zero time, but it's not bad. Moira wasn't very busy then,
either.

-Tracy