Hi Kent, all, 

It is not my intent to start a long debate on design decisions long past. 
That said ... 

> I happen to agree
> ... transparent registered mode, where the token is not translated

I have no trouble with the format itself really, other than it is 
different from what we see in the SRSS Web Admin (makes trouble-shooting 
harder).  The grief comes from changing the format, or having different 
values for it derived from the same user. 

"Logical token" (or pick a different term) would make great sense if we 
could get the same format and value for the same user credentials no 
matter where it came from.  So, for example, if user login were through 
the card (including aliased card), we'd get the same logical token as when 
that same user logs into the system cardless, via regional hotdesking 
through a FoG with different policy, etc.  THAT would be cool! 

-- Peter






Kent Peacock <kent.peac...@sun.com>
Sent by: sunray-users-boun...@filibeto.org
27/05/2009 11:21
Please respond to Kent.Peacock; Please respond to SunRay-Users mailing list
 
        To:     SunRay-Users mailing list <sunray-users@filibeto.org>
        cc: 
        Subject:        Re: [SunRay-Users] Strange SUN_SUNRAY_TOKEN


On 05/27/09 07:47, peter_blatherw...@mitel.com wrote:
> 
> Hello Wouter, all,
> 
> Yes, this is a known SRSS behaviour.  When policy is switched from 
> access = all to/from access = registered-token-only, the format provided
> by $SUN_SUNRAY_TOKEN changes, for the very same user / card ID, as you
> point out.  The user.xxxx format is the logical token ID, whereas the 
> other is the actual card ID. 
> 
> Adding to the fun, we have also found that the *value* generated for the
> logical token can be different from different Sun Ray Servers, say
> servers that are not in a SRSS Failover Group.  This in turn means that 
> not only is the format different, but different IDs are presented to 
> represent the same user -- no end of grief can come from that.  And, I
> believe if you switch to/from registered-token-only and back again, the 
> value generated for the logical token can even change on the same Sun 
> Ray Server.  Using card id format (access = all policy) suffers none of 
> these issues. 
> 
> (I would argue this behaviour is not a good thing, but that's just my 
> humble opinion. ;-) 

I happen to agree. I believe we should have done a transparent 
registered mode, where the token is not translated, just registered, 
years ago. The "user.xxx" tokens are useless, if not worse, given the 
deficiencies you cite.

Kent
_______________________________________________
SunRay-Users mailing list
SunRay-Users@filibeto.org
http://www.filibeto.org/mailman/listinfo/sunray-users
