Jeffrey Altman wrote:
Kim:

What you describe is how to change the authorization name for AFS.

Correct.  In the context of ACLs.
The challenge is changing the authentication name without forcing a
password change.  That is a Kerberos issue.

Then there is the logistics of ensuring that the authentication name
change and all of the authorization name changes for all services that
accept Kerberos authentication occur at approximately the same time.

Fun!
Jeffrey Altman
Secure Endpoints Inc.

Kim Kimball wrote:
I'm missing something WRT OpenAFS ACL changes.

Why not delete the PTS user entry "unmarriedname" and create the new PTS
entry "marriedname" with the same PTS ID?

ACLs store numeric PTSID; next time ACL entry is resolved the new name
will appear, retrieved from PTS DB.

Unless we're talking about non-AFS ACLs.

Kim



Jeffrey Altman wrote:
Christopher D. Clausen wrote:
Oh, I understand.  But being forced to go to a specific location on
campus during specific times (which just happen to be the exact same
hours that I am busy) for a password reset is REALLY annoying.  Even
if it only happens once in many years.

And it's really bad when it happens on a Friday afternoon and you are
locked out all weekend.
When your legal name changes, you will either have a marriage
certificate or court papers that will have to be delivered to the
organization.  This will be necessary for payroll, health insurance,
etc.  At some point the person has to go to an office, deliver the
evidence of a change, get a new ID card, etc.  At this time they can
perform the password change.  Changing your legal name is a pain in the
ass.  A password reset is going to be the least of your concerns.

Changing your account name because you want something other than
"[EMAIL PROTECTED]" as a user name is also something that should
be discouraged.  The name change in the authentication system is not
the hard part.  It's the ACL changes.  What you really want is an
aliasing mechanism that permits the user to login with either the
old name or the new name and get the same identity.  That would
provide the transition period that you desire.  We just don't have
anything like that standardized, let alone implemented today.

Jeffrey Altman
Secure Endpoints Inc.



_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info



