On Thursday, August 02, 2007 11:44:25 AM -0700 Russ Allbery
<[EMAIL PROTECTED]> wrote:

> "Douglas E. Engert" <[EMAIL PROTECTED]> writes:
>
>> I agree with Ken that there may only be a handful of special
>> cases. There may also be an approach 4.
>>
>> 4. Map compound K5 principal names to name1/name2 rather
>>    than name1.name2 in the PTS, i.e. use K5 separator and rules
>>    rather than K4.
>>
>> This would require a site to go through their PTS and look at current
>> entries. But it would be much more in line with K5. The mapping of
>> "host" to "rcmd" and other K4 mapping should also be looked at. If AFS
>> is dropping K4, then it should drop its conventions in the PTS too.
>
> This makes migrating an existing site a huge pain and means that you can't
> use both K4 and K5 at the same time easily without adding another PTS
> entry for all PTS entries of this kind and then trying to find what ACLs
> they're on.

... which is one of the reasons why the current plan does not involve ever
doing any such thing. Instead, the planned approach is to treat PTS entry
names as the independent strings they are, unrelated to any particular
authentication mechanism. The goal is for the ptserver to provide both
directory- and rule-based mappings from mechanism-specific authentication
names to PTS entries, with some default rules based on name mapping that
will "just work" for most sites.
-- Jeff
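
A sketch of the resolution order described in the reply above (directory mapping first, then a per-mechanism default rule), as an added example that is not part of the original message and is not OpenAFS code. The mechanism labels, the realm, the directory contents and both rules are assumptions chosen for illustration.

```python
# Added illustration, not OpenAFS code. Mechanism labels, realm, directory
# contents and both rules are assumptions made for this example.
from typing import Optional

LOCAL_REALM = "EXAMPLE.ORG"  # constructed sample realm

# Directory-based mappings: explicit (mechanism, authentication name) -> PTS entry.
DIRECTORY = {
    ("krb4", "rcmd.fs1@EXAMPLE.ORG"): "fileserver1",
    ("krb5", "host/fs1.example.org@EXAMPLE.ORG"): "fileserver1",
}

def split_local(name: str) -> Optional[str]:
    """Return the principal part if the name is in the local realm, else None."""
    principal, sep, realm = name.rpartition("@")
    return principal if sep and principal and realm == LOCAL_REALM else None

def rule_krb4(name: str) -> Optional[str]:
    # K4 names already use '.' between name and instance; keep them unchanged.
    return split_local(name)

def rule_krb5(name: str) -> Optional[str]:
    # Default rule: K5 name1/name2 -> PTS name1.name2, at most two components.
    principal = split_local(name)
    if principal is None:
        return None
    parts = principal.split("/")
    # Refuse a '.' inside a component: K5 "jdoe.admin" and "jdoe/admin" would
    # otherwise resolve to the same PTS entry and inherit the same ACLs.
    if len(parts) > 2 or any(p == "" or "." in p for p in parts):
        return None
    return ".".join(parts)

RULES = {"krb4": rule_krb4, "krb5": rule_krb5}

def resolve(mechanism: str, auth_name: str) -> Optional[str]:
    """Directory lookup first, then the mechanism's default rule."""
    hit = DIRECTORY.get((mechanism, auth_name))
    if hit is not None:
        return hit
    rule = RULES.get(mechanism)
    return rule(auth_name) if rule else None

if __name__ == "__main__":
    for mech, name in [("krb5", "jdoe/admin@EXAMPLE.ORG"),
                       ("krb4", "jdoe.admin@EXAMPLE.ORG"),
                       ("krb5", "jdoe.admin@EXAMPLE.ORG"),
                       ("krb5", "host/fs1.example.org@EXAMPLE.ORG")]:
        print(mech, name, "->", resolve(mech, name))
```

Because the PTS entry name is only the target of the mapping, the K4 and K5 names for the same user resolve to one entry and existing ACLs stay as they are.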