Adam Megacz wrote:

> Just checking if I understand this correctly... the "prdb extensions"
> described here:
> 
>   http://www.afsig.se/snipsnap/space/prdb+extensions
> 
> amount to a generalization of pts that would let it do what gssklogd
> currently does, right?  And, if I'm not mistaken, the new API calls
> serve a function similar to gssklogd's "gssklog-map" file, right?
> 
>   - a

Many organizations using either gssklogd or versions of krb524d or even
krb525d perform client identity name translation from the name known to
the authentication service to a name known to the AFS Protection Service.

This is often done because there is more than a single Kerberos realm
that is used within the organization and there is a desire for all of
the principals in all of the realms to be treated as the AFS local realm.

In the case of GSS, name translation is performed because the name
exported by the GSS-API when using X.509 certificates is not a Kerberos
principal.   Hence, a PTS name mapping must be provided.

In organizations that have strong auditing requirements such as U.S.
government agencies with export control policies and publicly traded
corporations in the U.S. that are governed by Sarbanes-Oxley, name
translations of this sort are extremely hard to justify to the auditors.

Instead what is desired is to store as part of the AFS Protection
database all of the authentication names that are aliases for the same
PTS ID.  This has multiple benefits:

(1) sites that currently require the use of a service simply to perform
    name translation can remove the service entirely.   Token
    acquisition will be faster and one less IP port needs to be open in
    the firewalls.

(2) auditors can generate reports from the AFS server audit logs and
    obtain a list of all of the names that represent the PTS ID used to
    perform a single action.

(3) When adding PTS IDs to an ACL any of the authentication names can be
    used.

(4) When listing PTS IDs assigned to an ACL, all of the authentication
    names can be listed.

Jeffrey Altman
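As an added illustration of the alias model described in this message (example code written for this page, not part of OpenAFS or the prdb extensions proposal), the toy protection database below binds several authentication names, Kerberos principals from more than one realm and a GSS-exported X.509 name, to a single PTS ID; all names, IDs, ACL rights and audit log lines are constructed for the example, and the log format is hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class PtsEntry:
    pts_id: int
    canonical: str                       # name shown by default, e.g. "alice"
    aliases: set[str] = field(default_factory=set)

class ProtectionDb:
    """Hypothetical in-memory PrDB where many auth names share one PTS ID."""
    def __init__(self) -> None:
        self._entries: dict[int, PtsEntry] = {}
        self._by_name: dict[str, int] = {}

    def _bind(self, name: str, pts_id: int) -> None:
        # One auth name may belong to exactly one PTS ID; otherwise the
        # audit trail could not say which identity performed an action.
        if self._by_name.get(name, pts_id) != pts_id:
            raise ValueError(f"{name} already bound to PTS ID {self._by_name[name]}")
        self._by_name[name] = pts_id

    def add_user(self, pts_id: int, canonical: str) -> None:
        self._bind(canonical, pts_id)
        self._entries[pts_id] = PtsEntry(pts_id, canonical)

    def add_alias(self, pts_id: int, name: str) -> None:
        self._bind(name, pts_id)             # rejects a clash before storing it
        self._entries[pts_id].aliases.add(name)

    def resolve(self, auth_name: str) -> int | None:
        return self._by_name.get(auth_name)  # no translation service needed

    def names_for(self, pts_id: int) -> list[str]:
        e = self._entries[pts_id]
        return sorted({e.canonical, *e.aliases})

    def acl_allows(self, acl: dict[int, str], auth_name: str, right: str) -> bool:
        pts_id = self.resolve(auth_name)     # any alias works against the ACL
        return pts_id is not None and right in acl.get(pts_id, "")

    def audit_report(self, log_lines: list[str]) -> dict[int, list[str]]:
        """Expand each 'pts=<id>' token in constructed audit lines to every name it represents."""
        report: dict[int, list[str]] = {}
        for line in log_lines:
            for tok in line.split():
                if tok.startswith("pts="):
                    report[int(tok[4:])] = self.names_for(int(tok[4:]))
        return report

def build_example_db() -> ProtectionDb:
    db = ProtectionDb()
    db.add_user(1001, "alice")
    for alias in ("alice@EXAMPLE.COM", "alice@ENG.EXAMPLE.COM", "CN=Alice,O=Example"):
        db.add_alias(1001, alias)            # two realms plus an X.509 subject name
    db.add_user(1002, "bob")
    return db
```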


