>>>>> "Cantor," == Cantor, Scott <[log in to unmask]> writes:
Cantor,> On 2/28/14, 10:38 AM, "Cantor, Scott" <[log in to unmask]> wrote:
>>
>> No, that's not the relevant issue, I'm talking about GSS-API,
>> which is not specific to ABFAB. The only standard application
>> interface to a user identity is the GSS initiator name. If
>> extension naming attributes are to be used, then there has to be
>> a standard one that is intended to hold the user identity for
>> apps like SSH.
Cantor,> Or, of course, you convince every app to support fully
Cantor,> mappable user identity lookup into arbitrary naming
Cantor,> extensions. But I don't think that's likely to fly as well
Cantor,> as defining the equivalent of REMOTE_USER.
There are two widely implemented interfaces here. One of them is not
standardized, but I'm not sure I see why that's a problem in practice.
1) The GSS-API username. That's supposed to be some global identifier
in the scope of the authentication mechanism if present.
2) The authorization name (gss_localname and the local-login-user
attribute).
Applications would like it if there was only one name. However, in
enterprise and authorization contexts, that just doesn't work. We do
provide consistent mechanism-independent interfaces for requesting these
two names.
If I understand Scott's concern, I believe the above is responsive.
I understand Scott would like local-login-user to be standardized
somewhere.
In principle, I agree that would be desirable, but think it is unlikely
to have a practical effect.