[OpenAFS] renaming principals

Jeffrey Altman jaltman@secure-endpoints.com
Mon, 07 May 2007 12:25:26 -0400


What you describe is how to change the authorization name for AFS.

The challenge is changing the authentication name without forcing a
password change.  That is a Kerberos issue.

Then there is the logistics of ensuring that the authentication name
change and all of the authorization name changes for all services that
accept Kerberos authentication occur at approximately the same time.

Jeffrey Altman
Secure Endpoints Inc.

Kim Kimball wrote:
> I'm missing something WRT OpenAFS ACL changes.
> Why not delete the PTS user entry "unmarriedname" and create the new PTS
> entry "marriedname" with the same PTS ID?
> ACLs store numeric PTSID; next time ACL entry is resolved the new name
> will appear, retrieved from PTS DB.
> Unless we're talking about non-AFS ACLs.
> Kim
> Jeffrey Altman wrote:
>> Christopher D. Clausen wrote:
>>> Oh, I understand.  But being forced to go to a specific location on
>>> campus during specific times (which just happen to be the exact same
>>> hours that I am busy) for a password reset is REALLY annoying.  Even
>>> if it only happens once in many years.
>>> And it's really bad when it happens on a Friday afternoon and you are
>>> locked out all weekend.
>> When your legal name changes, you will either have a marriage
>> certificate or court papers that will have to be delivered to the
>> organization.  This will be necessary for payroll, health insurance,
>> etc.  At some point the person has to go to an office, deliver the
>> evidence of a change, get a new ID card, etc.  At this time they can
>> perform the password change.  Changing your legal name is a pain in the
>> ass.  A password reset is going to be the least of your concerns.
>> Changing your account name because you want something other than
>> "sexist-pig@MY-SCHOOL" as a user name is also something that should
>> be discouraged.  The name change in the authentication system is not
>> the hard part.  It's the ACL changes.  What you really want is an
>> aliasing mechanism that permits the user to login with either the
>> old name or the new name and get the same identity.  That would
>> provide the transition period that you desire.  We just don't have
>> anything like that standardized, let alone implemented today.
>> Jeffrey Altman
>> Secure Endpoints Inc.
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
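A worked illustration of the two points raised in this thread, added here as an example and not code from any of the posters or from OpenAFS: Jeffrey's distinction between the authentication name (the Kerberos principal, whose long-term key is derived from the password with a salt that by default contains the principal name) and the authorization name (the PTS entry, which ACLs reference only by numeric ID, as Kim describes). The toy KDC and toy PTS below are hypothetical models; the realm, names, PTS ID 1042 and the ACL are constructed sample values. The string-to-key routine keeps only the PBKDF2 stage of RFC 3962 and omits the final DK() step, which is enough to show why a principal rename invalidates the stored key unless the original salt is recorded with it. `ToyPts.rename` models a name change that keeps the ID (what OpenAFS's own `pts rename` does), and the third PTS scenario shows the defender's caveat with recycling an ID: whoever receives the number inherits every ACL entry that still names it.

```python
import hashlib
import hmac

# --- Authentication name: Kerberos-style key, salted with the principal name --
REALM = "EXAMPLE.ORG"   # constructed sample realm
ITERATIONS = 4096       # RFC 3962 iteration count for the AES enctypes
KEY_BYTES = 32          # aes256-cts key length


def default_salt(realm: str, principal: str) -> str:
    """Default Kerberos salt: realm followed by the name components."""
    return realm + "".join(principal.split("/"))


def string_to_key(password: str, salt: str) -> bytes:
    """Simplified string-to-key: the PBKDF2-HMAC-SHA1 stage of RFC 3962 only."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(),
                               ITERATIONS, KEY_BYTES)


class ToyKdc:
    """Hypothetical KDC database: principal -> (stored key, salt used to derive it)."""

    def __init__(self) -> None:
        self.db: dict[str, tuple[bytes, str]] = {}

    def add_principal(self, name: str, password: str) -> None:
        salt = default_salt(REALM, name)
        self.db[name] = (string_to_key(password, salt), salt)

    def rename_principal(self, old: str, new: str, keep_salt: bool) -> None:
        key, salt = self.db.pop(old)
        if not keep_salt:
            # The entry now advertises the new name's default salt, but the key
            # bytes were derived with the old one: the password stops verifying.
            salt = default_salt(REALM, new)
        self.db[new] = (key, salt)

    def verify_password(self, name: str, password: str) -> bool:
        """The client derives its key with whatever salt the KDC advertises."""
        key, salt = self.db[name]
        return hmac.compare_digest(key, string_to_key(password, salt))


# --- Authorization name: PTS-style database, ACLs hold numeric IDs only -------
class ToyPts:
    def __init__(self) -> None:
        self.name_to_id: dict[str, int] = {}
        self.id_to_name: dict[int, str] = {}

    def createuser(self, name: str, uid: int) -> None:
        self.name_to_id[name] = uid
        self.id_to_name[uid] = name

    def delete(self, name: str) -> None:
        self.id_to_name.pop(self.name_to_id.pop(name))

    def rename(self, old: str, new: str) -> None:
        uid = self.name_to_id.pop(old)          # ID is kept, only the name changes
        self.name_to_id[new] = uid
        self.id_to_name[uid] = new

    def show_acl(self, acl: dict[int, str]) -> dict[str, str]:
        # IDs with no PTS entry are displayed numerically, as fs listacl does.
        return {self.id_to_name.get(uid, str(uid)): r for uid, r in acl.items()}

    def has_right(self, acl: dict[int, str], name: str, right: str) -> bool:
        uid = self.name_to_id.get(name)
        return uid is not None and right in acl.get(uid, "")


def kerberos_rename_outcomes() -> dict[str, bool]:
    """Does the unchanged password still verify after the principal is renamed?"""
    results = {}
    for keep_salt in (False, True):
        kdc = ToyKdc()
        kdc.add_principal("unmarriedname", "correct horse")   # constructed password
        kdc.rename_principal("unmarriedname", "marriedname", keep_salt=keep_salt)
        label = "salt_preserved" if keep_salt else "salt_recomputed"
        results[label] = kdc.verify_password("marriedname", "correct horse")
    return results


def pts_rename_outcomes() -> dict[str, bool]:
    """Does an ACL granting rights to PTS ID 1042 follow each rename strategy?"""
    acl = {1042: "rlidwk"}                           # constructed ACL keyed by ID
    results = {}

    pts = ToyPts()
    pts.createuser("unmarriedname", 1042)
    pts.rename("unmarriedname", "marriedname")       # same ID, new name
    results["rename_same_id"] = pts.has_right(acl, "marriedname", "w")

    pts = ToyPts()
    pts.createuser("unmarriedname", 1042)
    pts.delete("unmarriedname")
    pts.createuser("marriedname", 1042)              # delete, recreate with old ID
    results["delete_recreate_same_id"] = pts.has_right(acl, "marriedname", "w")

    pts = ToyPts()
    pts.createuser("unmarriedname", 1042)
    pts.delete("unmarriedname")
    pts.createuser("someoneelse", 1042)              # ID recycled for another person
    results["recycled_id_inherits_rights"] = pts.has_right(acl, "someoneelse", "w")
    return results
```

Running `kerberos_rename_outcomes()` shows the password verifying only when the original salt travels with the renamed entry, which is the condition under which an authentication-name change need not force a password change; `pts_rename_outcomes()` shows every ID-preserving strategy keeping the ACL rights, including the recycled-ID case, which is why a retired PTS ID should not be handed to a different person.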