Date

Attendees

Discussion items

  • WebDAV demonstration with Kerberos/LDAP
  • Doug Fine to give update on NCSA IAM User/Group webapp
  • Globus Auth demo
  • Next steps for LSST apps - demonstrating integration

jim - WebDAV is an important component, filesystems could be mounted via WebDAV

Demo showing Kerberos authentication and LDAP authorization using .htaccess files
alternative to .htaccess files - directory sets in httpd config files, successfully used by others

john - plan to do stress testing with large filesets with WebDAV? encountered issues in the past

doug - present NCSA IAM plans
user creation via web forms, password changes via email
user can send invite to a group, but policy for creating groups is still in progress - currently done by NCSA admin personnel
email invite for group membership has a key which is unique and stays with the group
email sent to user with URL - group access asks if they have an NCSA username, lets them create new user, or select current user
currently adjusting the password rules to allow use of older passwords, still has 1 year expiration, and requirement for 4 char sets, 8 chars min
creation of accounts is on a different system from managing groups
group allows for asking questions of the user before granting access to group
no hierarchical groups - may look into it for LSST, still need to address group policy. LDAP handles hierarchical groups, but we aren't allowing them to be created.
currently using Kerberos backend. sssd gives kerberos ticket.
LDAP server is in testing that does OTP, and another that does OTP or NCSA kerberos
a week or two when it will be released - demo possible in 2 weeks

Use cases - adding scientists to groups for L2/L3 access - applicant would answer that form question. delegation of granting access is possible, but there is still an auditor that must be NCSA admin.

identity.ncsa.illinois.edu - very simple interface, but not completely functional - available only on NCSA subnet
management of groups will be on a different site

xiuqin - would like the API description, is there a schedule of when the API definitions would be ready? kerberos and LDAP?
also interested in python tools access for api
might be good to start with dax and butler, but there are other things that we could try

doug - demo of group management interface - can create URL for the group, EULA for group, questionnaire for new users, invitee accounting history

meta-butler could contact multiple sites for data, thus deal with multiple authentications at the same time.

jim - Demo of Globus Auth group memberships