[OpenAFS] renaming principals

Kim Kimball dhk@ccre.com
Tue, 08 May 2007 07:58:46 -0700


Jeffrey Altman wrote:
> Kim:
>
> What you describe is how to change the authorization name for AFS.
>
Correct.  In the context of ACLs.
> The challenge is changing the authentication name without forcing a
> password change.  That is a Kerberos issue.
>
> Then there is the logistics of ensuring that the authentication name
> change and all of the authorization name changes for all services that
> accept Kerberos authentication occur at approximately the same time.
>
Fun!
> Jeffrey Altman
> Secure Endpoints Inc.
>
> Kim Kimball wrote:
>> I'm missing something WRT OpenAFS ACL changes.
>>
>> Why not delete the PTS user entry "unmarriedname" and create the new PTS
>> entry "marriedname" with the same PTS ID?
>>
>> ACLs store numeric PTSID; next time ACL entry is resolved the new name
>> will appear, retrieved from PTS DB.
>>
>> Unless we're talking about non-AFS ACLs.
>>
>> Kim
>>
>>
>>
>> Jeffrey Altman wrote:
>>> Christopher D. Clausen wrote:
>>>> Oh, I understand.  But being forced to go to a specific location on
>>>> campus during specific times (which just happen to be the exact same
>>>> hours that I am busy) for a password reset is REALLY annoying.  Even
>>>> if it only happens once in many years.
>>>>
>>>> And it's really bad when it happens on a Friday afternoon and you are
>>>> locked out all weekend.
>>> When your legal name changes, you will either have a marriage
>>> certificate or court papers that will have to be delivered to the
>>> organization.  This will be necessary for payroll, health insurance,
>>> etc.  At some point the person has to go to an office, deliver the
>>> evidence of a change, get a new ID card, etc.  At this time they can
>>> perform the password change.  Changing your legal name is a pain in the
>>> ass.  A password reset is going to be the least of your concerns.
>>>
>>> Changing your account name because you want something other than
>>> "sexist-pig@MY-SCHOOL" as a user name is also something that should
>>> be discouraged.  The name change in the authentication system is not
>>> the hard part.  It's the ACL changes.  What you really want is an
>>> aliasing mechanism that permits the user to login with either the
>>> old name or the new name and get the same identity.  That would
>>> provide the transition period that you desire.  We just don't have
>>> anything like that standardized, let alone implemented today.
>>>
>>> Jeffrey Altman
>>> Secure Endpoints Inc.
>>>
>>>
>>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
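The distinction the thread turns on, as an added toy model that is not OpenAFS code and not from any of the posters: AFS ACLs hold numeric PTS IDs and resolve them to names only at display time, so recreating the new name with the same ID (Kim's proposal) leaves every ACL intact, while the Kerberos principal is a separate mapping that a PTS rename does not touch. The classes, the sample entries `unmarriedname`/`colleague`, the rights strings and the realm `EXAMPLE.REALM` are constructed for illustration; the alias table stands in for the "login with either name, same identity" mechanism Jeffrey describes as not standardized.

```python
# Added example (not from the thread): a toy model of why renaming a PTS
# entry in place keeps AFS ACLs intact, and why the Kerberos principal
# (authentication name) is a separate problem. All names, classes and
# sample data are constructed for illustration; this is not OpenAFS code.

class PtsDatabase:
    """Protection database: name <-> numeric PTS ID, kept in both directions."""

    def __init__(self):
        self.by_name = {}   # name -> pts_id
        self.by_id = {}     # pts_id -> name

    def create_user(self, name, pts_id=None):
        if name in self.by_name:
            raise ValueError(f"pts entry {name!r} already exists")
        if pts_id is None:
            pts_id = max(self.by_id, default=0) + 1
        if pts_id in self.by_id:
            raise ValueError(f"pts id {pts_id} already used by {self.by_id[pts_id]!r}")
        self.by_name[name] = pts_id
        self.by_id[pts_id] = name
        return pts_id

    def delete(self, name):
        pts_id = self.by_name.pop(name)
        del self.by_id[pts_id]
        return pts_id

    def rename(self, old, new):
        """The approach proposed in the thread: drop the old entry and
        recreate the new name with the same numeric ID."""
        pts_id = self.delete(old)
        return self.create_user(new, pts_id)

    def name_for(self, pts_id):
        # ACL display: an ID with no PTS entry is shown as a bare number.
        return self.by_id.get(pts_id, str(pts_id))


class Acl:
    """A directory ACL keyed by numeric PTS ID, never by name."""

    def __init__(self):
        self.entries = {}   # pts_id -> rights string, e.g. "rlidwka"

    def add(self, pts, name, rights):
        self.entries[pts.by_name[name]] = rights

    def listacl(self, pts):
        # Names are resolved when the ACL is listed, so a rename shows up
        # here without modifying the ACL itself.
        return sorted((pts.name_for(i), r) for i, r in self.entries.items())


class PrincipalMap:
    """Authentication side: Kerberos principal -> PTS name. Several
    principals may point at one PTS name (a constructed alias table)."""

    def __init__(self):
        self.aliases = {}   # principal -> pts name

    def bind(self, principal, pts_name):
        self.aliases[principal] = pts_name

    def authorize(self, pts, principal):
        """Return the PTS ID a token for `principal` maps to, or None."""
        pts_name = self.aliases.get(principal)
        if pts_name is None or pts_name not in pts.by_name:
            return None
        return pts.by_name[pts_name]


def rename_scenario():
    pts = PtsDatabase()
    pts.create_user("unmarriedname")   # constructed sample entries
    pts.create_user("colleague")
    acl = Acl()
    acl.add(pts, "unmarriedname", "rlidwka")
    acl.add(pts, "colleague", "rl")

    before = acl.listacl(pts)
    old_id = pts.by_name["unmarriedname"]
    pts.rename("unmarriedname", "marriedname")
    after = acl.listacl(pts)          # same rights, new name, ACL untouched

    # Renaming the PTS entry does not rename the Kerberos principal: the old
    # principal resolves to nothing unless an alias is kept for the transition.
    principals = PrincipalMap()
    principals.bind("unmarriedname@EXAMPLE.REALM", "unmarriedname")
    stale = principals.authorize(pts, "unmarriedname@EXAMPLE.REALM")
    principals.bind("marriedname@EXAMPLE.REALM", "marriedname")
    principals.bind("unmarriedname@EXAMPLE.REALM", "marriedname")   # alias
    aliased = principals.authorize(pts, "unmarriedname@EXAMPLE.REALM")

    # Deleting an entry outright (no recreate) leaves a bare numeric ID behind.
    pts.delete("colleague")
    orphaned = acl.listacl(pts)

    return {"before": before, "after": after, "old_id": old_id,
            "stale": stale, "aliased": aliased, "orphaned": orphaned}


if __name__ == "__main__":
    for key, value in rename_scenario().items():
        print(f"{key}: {value}")
```

The `orphaned` result is the case Kim's delete-and-recreate avoids: once an ID has no PTS entry, the ACL still grants the rights but can only show the number, and nothing further in this model tells you who that was.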