If an user has multiple accounts there's a chance he has multiple smart cards too. Anyway, this won't be a problem in my environment.
Not a chance - unless the previous CAC card is expired.
2. The certificate (at least in the DoD CAC case) has no username other than the DN name, which doesn't match anybodys idea of a login name.
I'm sorry, but I'm not sure what DoD CAC is. I presume it's a Department of Defense of the US thing but, since I'm european, I'm not tied by this contraint.
I think you'll find that there are too many alternatives to be able to implement something generic.
Now for a SIMPLE case where something could be done:
First the Assumptions: 1. only one login name for a user 2. a network information server is available (LDAP, NIS, ...) 3. Unix or Unix like environment...
THEN: I'd suggest trying to extract the id number from the CN field.. or just use the entire CN field to lookup the login via the network information structure.
Then use the login id associated with the CN/id number.
mmm... this could be a solution...
Uhhhmmm... one possibility is to put the users CN field in the UNIX gcos/comment field of the logins password entry. Then you wouldn't have to explicitly implement the network lookup function. Though you do have to verify that a user cannot change the gcos/comment field (some systems do allow it to be altered).
mmmm... i don't like very much this solution, although it seems easy to implement...
If you needed to extend it to multiple logins, then you have to present a menu (at a minimum) to allow the user to select from.
yes, good solution... If the certificates had also the information on the domain (for instance from the email or from other atributes) the possible certificates can be filtered out, and if remaining are more than 1 then let the user decide (or let an app configure in the card which one to use).
I think smart card login should be as fast as possible.
note - this does nothing to validate users to remote computation/batch/file servers.
[...]
> The implemented sequence for xdm would be: [...]
Thanks very much for all the info about xdm. I've concluded that patching the desktop manager is necessary.
Regards,
-- Josep Mon�s [EMAIL PROTECTED] C3PO, S.L.
_______________________________________________ Muscle mailing list [EMAIL PROTECTED] http://lists.drizzle.com/mailman/listinfo/muscle
