[OpenAFS] renaming principals

Kim Kimball dhk@ccre.com
Mon, 07 May 2007 09:20:25 -0700

I'm missing something WRT OpenAFS ACL changes.

Why not delete the PTS user entry "unmarriedname" and create the new PTS 
entry "marriedname" with the same PTS ID?

ACLs store numeric PTSID; next time ACL entry is resolved the new name 
will appear, retrieved from PTS DB.

Unless we're talking about non-AFS ACLs.


Jeffrey Altman wrote:
> Christopher D. Clausen wrote:
>> Oh, I understand.  But being forced to go to a specific location on 
>> campus during specific times (which just happen to be the exact same 
>> hours that I am busy) for a password reset is REALLY annoying.  Even if 
>> it only happens once in many years.
>> And it's really bad when it happens on a Friday afternoon and you are 
>> locked out all weekend.
> When your legal name changes, you will either have a marriage
> certificate or court papers that will have to be delivered to the
> organization.  This will be necessary for payroll, health insurance,
> etc.  At some point the person has to go to an office, deliver the
> evidence of a change, get a new ID card, etc.  At this time they can
> perform the password change.  Changing your legal name is a pain in the
> ass.  A password reset is going to be the least of your concerns.
> Changing your account name because you want something other than
> "sexist-pig@MY-SCHOOL" as a user name is also something that should
> be discouraged.  The name change in the authentication system is not
> the hard part.  It's the ACL changes.  What you really want is an
> aliasing mechanism that permits the user to login with either the
> old name or the new name and get the same identity.  That would
> provide the transition period that you desire.  We just don't have
> anything like that standardized, let alone implemented today.
> Jeffrey Altman
> Secure Endpoints Inc.