painless-security / trust-router

Moonshot Trust Router

TIDS Access Control breaks on key change #37

Open jennifer-richards opened 6 years ago

jennifer-richards commented 6 years ago

Currently, the TIDS command line requires that we specify the gss name of the trustrouter that will contact the tids. However, when credentials change in the moonshot management portal, the gss name also changes. As a result, if a trustrouter needs to be rekeyed, all tids need to be reconfigured.

This is clearly the wrong answer. We need to do something better.

Options include:

Launchpad Details: #LP1320993 Sam Hartman - 2014-05-19 19:45:13 +0000

alejandro-perez commented 6 years ago

IMO, I don't see much point in changing the username when rekeying the TR credential.

jennifer-richards commented 6 years ago

That may be a quirk of the portal more than anything.

The current tids limitation of a single GSS name strikes me as arbitrary though - in principle I think a single tids instance could support multiple clients, but that currently requires a trust router in front of the tids.
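The two points in this thread, that a policy keyed on exactly one GSS name is broken by a rekey, and that a tids could instead accept a set of client names, are illustrated below in a small Python model. This is an added example, not trust-router code: the policy classes, method names and the GSS names used (`trustrouter@tr.example.org` and the post-rekey name) are constructed for illustration.

```python
# Added illustration (not trust-router code): an access policy keyed on a
# single GSS name fails when the trust router is rekeyed and its name changes,
# while an allowlist of names with an explicit rotation window keeps access
# continuous. All GSS names here are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class SingleNamePolicy:
    """Models the behaviour described in the issue: one configured GSS name."""
    gss_name: str

    def is_allowed(self, presented: str) -> bool:
        return presented == self.gss_name


@dataclass
class MultiNamePolicy:
    """Allowlist of GSS names; lets old and new names overlap during a rekey."""
    allowed: set = field(default_factory=set)

    def is_allowed(self, presented: str) -> bool:
        return presented in self.allowed

    def begin_rekey(self, old: str, new: str) -> None:
        # Admit the new name before the peer switches credentials, so there is
        # no window in which the rekeyed trust router is rejected.
        if old not in self.allowed:
            raise ValueError(f"unknown client name: {old}")
        self.allowed.add(new)

    def finish_rekey(self, old: str) -> None:
        # Retire the old name once the new credential is confirmed in use,
        # so a leaked old credential cannot keep authenticating.
        self.allowed.discard(old)


def rekey_scenario() -> dict:
    """Run both policies through a rekey and report each access decision."""
    old = "trustrouter@tr.example.org"      # constructed: name before rekey
    new = "trustrouter-2@tr.example.org"    # constructed: name after rekey

    single = SingleNamePolicy(old)
    multi = MultiNamePolicy({old})
    multi.begin_rekey(old, new)

    results = {
        "single_before": single.is_allowed(old),
        "single_after": single.is_allowed(new),   # rejected until reconfigured
        "multi_old_during": multi.is_allowed(old),
        "multi_new_during": multi.is_allowed(new),
    }
    multi.finish_rekey(old)
    results["multi_old_after"] = multi.is_allowed(old)
    results["multi_new_after"] = multi.is_allowed(new)
    results["multi_unknown"] = multi.is_allowed("other@unknown.example.org")
    return results


if __name__ == "__main__":
    for check, allowed in rekey_scenario().items():
        print(f"{check:18s} {'allow' if allowed else 'deny'}")
```

The rotation window is the point: with a set of names, the operator adds the new name first, lets the trust router switch, then retires the old one, and no tids needs a restart or a reconfiguration at the moment the credential changes.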