NCEAS / morpho

Morpho metadata editor
GNU General Public License v2.0

ECP login causes new DN so users can't see their data #1015

Closed mbjones closed 6 years ago

mbjones commented 6 years ago

Author Name: Matt Jones (Matt Jones)
Original Redmine Issue: 5864, https://projects.ecoinformatics.org/ecoinfo/issues/5864
Original Date: 2013-02-12
Original Assignee: ben leinfelder

Logging into the new version of Morpho using ECP has two negative side effects that need to be resolved.

1) The ECP login uses the ou=Account subtree, so my password changed and most users will not realize this, and thus will not be able to find their previously saved data packages.

2) The DN for logged in users changes to the CILogon DN, which also causes their previously created data to not show up. Even once the user's old knb id is mapped to their new CILogon DN, it's not clear if their data will be accessible in Morpho.

mbjones commented 6 years ago

Original Redmine Comment
Author Name: ben leinfelder (ben leinfelder)
Original Date: 2013-02-13T06:26:06Z

On #1, yes, we are using a different account. I could have set up the test KNB IdP to use the o=NCEAS tree but I used the ou=Account tree to catch a more diverse set of users without committing to any one organizational affiliation. As far as I understand it, our IdP strategy is still in discussion even though we are running out of time to set up a production-ready IdP before a Morpho 2.0.0 release.

On #2, after a legacy "uid=X,o=Y" account has been mapped to its CILogon identity, the user will have the same level of access enjoyed previously. We should investigate the "owner" pathquery processing to make sure it honors this mapped access, but otherwise direct manipulations using a mapped identity should work without the user noticing any change.

In general I do feel as though there is still some uncertainty about how this will all be configured for our system (KNB) and for other similar systems that have been relying on our LDAP structure for many many years. The technical hurdles are less troublesome than the organizational/ID management decisions that need to be finalized at this point.

mbjones commented 6 years ago

Original Redmine Comment
Author Name: ben leinfelder (ben leinfelder)
Original Date: 2013-02-13T20:32:49Z

I've now included the equivalent identities (listed in the CILogon certs that contain SubjectInfo) as additional elements in the pathquery used during the "Open..." command. In theory, this should show the documents owned by the user (assuming the access permissions also allow this via the mapping).
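The owner lookup described in the comment above, as an added example that is not Morpho's own code: a user logged in through ECP presents a CILogon DN, but their legacy packages are still owned by the old "uid=X,o=Y" DN, so the lookup must match a package against every identity in the user's equivalence set, and it must compare DNs after normalization so that attribute-type case and whitespace differences do not hide packages. The DNs, mapping and package list are constructed sample values.

```python
"""Owner matching across equivalent identities (added example, not Morpho code)."""


def normalize_dn(dn: str) -> str:
    """Canonicalize an LDAP DN so cosmetic differences (attribute-type case,
    whitespace around '=' and ',') do not defeat the comparison.
    Simplified: assumes no escaped commas in RDN values; attribute values
    are kept as-is since their case sensitivity depends on the schema."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(rdns)


def equivalent_identities(login_dn: str, mapping: dict[str, set[str]]) -> set[str]:
    """Return the login DN plus every identity mapped to it, transitively,
    all normalized. `mapping` stands in for the equivalent identities that
    the thread says are carried in the CILogon certificate's SubjectInfo."""
    norm_map = {normalize_dn(k): {normalize_dn(v) for v in vs} for k, vs in mapping.items()}
    seen, todo = set(), [normalize_dn(login_dn)]
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        todo.extend(norm_map.get(dn, ()))
    return seen


def owned_packages(login_dn: str, mapping: dict[str, set[str]], packages: dict[str, str]) -> list[str]:
    """Return the docids whose owner DN matches any equivalent identity.
    `packages` maps docid -> owner DN as recorded when the package was saved."""
    ids = equivalent_identities(login_dn, mapping)
    return sorted(d for d, owner in packages.items() if normalize_dn(owner) in ids)


# Constructed sample data: a CILogon-style DN for the session, a legacy
# KNB-style DN for the packages (one stored with different case/spacing),
# and one package belonging to someone else.
CILOGON_DN = "cn=Example User,o=Example IdP,dc=cilogon,dc=example"
LEGACY_DN = "uid=jones,o=NCEAS,dc=ecoinformatics,dc=org"
MAPPING = {CILOGON_DN: {LEGACY_DN}}
PACKAGES = {
    "jones.1.1": LEGACY_DN,
    "jones.2.1": "UID=jones, O=NCEAS, DC=ecoinformatics, DC=org",
    "smith.1.1": "uid=smith,o=NCEAS,dc=ecoinformatics,dc=org",
}

if __name__ == "__main__":
    print("without mapping:", owned_packages(CILOGON_DN, {}, PACKAGES))      # []
    print("with mapping:   ", owned_packages(CILOGON_DN, MAPPING, PACKAGES))  # ['jones.1.1', 'jones.2.1']
```

The first call reproduces the symptom in the issue (the CILogon DN alone matches nothing); the second shows the packages reappearing once the legacy DN is in the equivalence set.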

mbjones commented 6 years ago

Original Redmine Comment
Author Name: ben leinfelder (ben leinfelder)
Original Date: 2013-02-15T06:41:52Z

This is resolved in the sense that Morpho has been updated to search for packages that are owned by any of the equivalent identities. The other identity issues are being tracked in redmine: https://redmine.dataone.org/issues/3513

mbjones commented 6 years ago

Original Redmine Comment
Author Name: Redmine Admin (Redmine Admin)
Original Date: 2013-03-27T21:31:56Z

Original Bugzilla ID was 5864