On Mon, Jun 4, 2012 at 1:18 PM, John Tang Boyland <[email protected]> wrote:
> Or do you create the Heimdal principals on demand? What
> is the protocol?

Currently we do this on-demand, if a user requests it.

In order to automate the Heimdal account creation, we are looking into building something around remctl. So if you had a TGT for "[email protected]", you could use remctl to create a new "[email protected]" principal, and there would be no need for an admin action. Ideally we'd wrap this in a web interface along with mod_auth_kerb, so users just have to click a button. Our remctl architecture is a little ways down on the todo list, though :)

More and more resources are moving behind our organization's VPN, so it's more common for folks to have VPN access today than it used to be. Out of about 500 users, very few have requested a separate Heimdal password, and most just use the VPN.

Like you point out, the dual-passwords thing is a real pain. So far it's the only way we've been able to solve this particular problem.

- Ken
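
An added example, not part of the original message and not the site's own tooling: one way a remctl backend could decide which Heimdal principal an authenticated user may create, deriving the name only from the identity remctld authenticated and never from client-supplied arguments. The realm names, the username pattern and the Heimdal `kadmin` invocation are assumptions chosen for illustration.

```python
import os
import re
import sys

# Constructed placeholder realms; the real realm names are not shown on the page.
SOURCE_REALM = "CORP.EXAMPLE.ORG"   # realm that issued the user's TGT
TARGET_REALM = "AFS.EXAMPLE.ORG"    # Heimdal realm for the new principal

# One plain component only: no "/" instances (user/admin), no escapes.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")


class Rejected(Exception):
    """The authenticated identity may not create a principal."""


def target_principal(remote_user, source_realm=SOURCE_REALM,
                     target_realm=TARGET_REALM):
    """Map the authenticated principal to the one principal it may create."""
    name, sep, realm = remote_user.rpartition("@")
    if not sep or realm != source_realm:
        raise Rejected("not a principal from the trusted source realm")
    if not USERNAME_RE.fullmatch(name):
        raise Rejected("only single-component user principals are allowed")
    return f"{name}@{target_realm}"


def kadmin_argv(principal):
    """Argument vector for Heimdal kadmin in local mode (no shell involved)."""
    return ["kadmin", "-l", "add", "--use-defaults", "--random-password",
            principal]


def main():
    # remctld exports the authenticated client principal as REMOTE_USER.
    try:
        principal = target_principal(os.environ.get("REMOTE_USER", ""))
    except Rejected as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 1
    print(" ".join(kadmin_argv(principal)))  # dry run: show, do not execute
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Rejecting instances such as `user/admin` matters because a self-service path that accepted them would let an ordinary user mint a principal the KDC's ACLs may treat as privileged.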
