The VT Middleware group has made libraries available that support authentication against the PID directory, as well as access to other directory information, at http://www.middleware.vt.edu/tools/eddo.html. There are (at least) two issues that need to be addressed in order to use these services within BRIDGE:
- Security. The Middleware group's software uses encrypted connections, but CORK currently does not. We need to at least provide encrypted transmission of login information.
  - A potential problem is that we would also like to move towards non-blocking I/O (on the server side) for greater scalability, but direct support for encrypted NIO connections will not be available until JDK 1.5. It appears, however, that we should be able to use other JCE packages to build encryption on top of NIO connections. The details and performance implications of this approach need to be explored.
  - Security of web-based interactions also needs to be investigated. We may be able to use Apache's mod_ssl for this (http://www.modssl.org/example/).
- Account integration. Beyond authenticating the CORK connection, how should PID accounts be handled within BRIDGE?
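The first issue above is that TLS has to be layered on top of a non-blocking channel rather than coming from the socket itself. The class below is an added illustration of how that layering looks, written here and not taken from CORK or the VT Middleware code: it drives a javax.net.ssl.SSLEngine (the JDK 1.5 API the memo refers to as not yet available; a JCE-based layer would play the same role) over a non-blocking SocketChannel. The engine is a pure state machine with no I/O of its own, so the caller's selector loop decides when bytes move, which is exactly what the non-blocking design needs. The keystore path and password in serverContext() are placeholders; the selector loop itself is assumed to exist around this class.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;

/** Layers TLS (via SSLEngine) over a non-blocking SocketChannel. Illustrative, not CORK code. */
public class TlsChannel {
    private static final ByteBuffer EMPTY = ByteBuffer.allocate(0);
    private final SocketChannel channel;  // non-blocking transport owned by the selector loop
    private final SSLEngine engine;       // TLS state machine; performs no I/O itself
    private final ByteBuffer netIn;       // ciphertext read from the peer, write position
    private final ByteBuffer netOut;      // ciphertext waiting to be sent, write position
    private final ByteBuffer appIn;       // decrypted plaintext not yet consumed, write position

    public TlsChannel(SocketChannel channel, SSLContext ctx, boolean clientMode) throws IOException {
        this.channel = channel;
        channel.configureBlocking(false);
        engine = ctx.createSSLEngine();
        engine.setUseClientMode(clientMode);
        netIn = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        netOut = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        appIn = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
        engine.beginHandshake();
    }

    /** Server-side context from a JKS keystore; path and password are placeholders for the deployment's own. */
    public static SSLContext serverContext(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Pushes queued ciphertext to the socket; true when nothing is left queued. */
    private boolean flush() throws IOException {
        netOut.flip();
        channel.write(netOut);   // non-blocking: may write 0 bytes
        netOut.compact();
        return netOut.position() == 0;
    }

    /**
     * Advances the handshake as far as the socket allows. Call from the selector loop on every
     * readable/writable event until it returns true (handshake done and fully on the wire).
     */
    public boolean handshake() throws IOException {
        while (true) {
            switch (engine.getHandshakeStatus()) {
                case NEED_WRAP:
                    if (!flush()) return false;          // socket not writable yet; wait for OP_WRITE
                    engine.wrap(EMPTY, netOut);          // produce the next handshake record
                    break;
                case NEED_UNWRAP: {
                    netIn.flip();
                    SSLEngineResult r = engine.unwrap(netIn, appIn);
                    netIn.compact();
                    if (r.getStatus() == SSLEngineResult.Status.CLOSED) throw new IOException("TLS closed");
                    if (r.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW) {
                        int n = channel.read(netIn);
                        if (n < 0) throw new IOException("peer closed during handshake");
                        if (n == 0) return false;        // nothing on the wire yet; wait for OP_READ
                    }
                    break;
                }
                case NEED_TASK: {
                    Runnable task;                       // certificate checks etc.; may be offloaded to a pool
                    while ((task = engine.getDelegatedTask()) != null) task.run();
                    break;
                }
                case FINISHED:
                case NOT_HANDSHAKING:
                    return flush();
                default:
                    throw new IllegalStateException("unexpected " + engine.getHandshakeStatus());
            }
        }
    }

    /** Encrypts src and sends what the socket accepts; false means ciphertext is still queued. */
    public boolean write(ByteBuffer src) throws IOException {
        while (src.hasRemaining()) {
            if (!flush()) return false;
            SSLEngineResult r = engine.wrap(src, netOut);
            if (r.getStatus() != SSLEngineResult.Status.OK) throw new IOException("wrap: " + r.getStatus());
        }
        return flush();
    }

    /** Reads and decrypts into dst; returns plaintext bytes delivered, or -1 at end of stream. */
    public int read(ByteBuffer dst) throws IOException {
        int n = channel.read(netIn);
        if (n < 0 && netIn.position() == 0) return -1;
        netIn.flip();
        while (netIn.hasRemaining()) {
            SSLEngineResult r = engine.unwrap(netIn, appIn);
            if (r.getStatus() != SSLEngineResult.Status.OK) break;  // partial record or appIn full
        }
        netIn.compact();
        appIn.flip();
        int delivered = Math.min(appIn.remaining(), dst.remaining());
        for (int i = 0; i < delivered; i++) dst.put(appIn.get());
        appIn.compact();
        return delivered;
    }
}
```

Only plaintext ever crosses the write()/read() boundary, so the login exchange the memo wants protected is encrypted before it touches the channel. The performance question the memo raises shows up concretely in the NEED_TASK branch (certificate work that blocks the selector thread unless moved to a pool) and in the per-connection buffers, each sized by the engine's packet and application buffer sizes.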
Possible solutions to the account integration problem include:
- Provide a new kind of account database object (similar to the "local accounts database") that would authenticate against PIDs. This could even simply be another option on the current accounts object. To make this practical, it would be useful to finish support for guest account home directory setup, so that conferences and other per-user data are preserved.
  - This approach (particularly if built as an extension to the current accounts object) will result in guest.XXXXX sessions, which will be the desired behavior in some applications, but not in others.
- Add a PID authenticator to the list of Authenticators currently set up by the server. Unlike the accounts object approach, this would make PID-based logins "first class" users in the system, and not guests.
  - This may be problematic for existing systems that have data restricted to "anybody except guests".
  - Home directories will need to be set up on first login, unless lack of a directory is used as a test for "accounthood".