[kepler-dev] GAMA server for SEEK
tao at mercury.nceas.ucsb.edu
Fri Aug 26 10:34:39 PDT 2005
After talking with Bill and Sandeep and reading the documentation, here is
some thought about adopt GAMA and MyProxy which connects to LDAP as our
To my understanding, MyProxy in NCSA is configured to use external
authentication mechanisam - LDAP to verify identity. So user input usrname
and password into MyProxy, and MyProxy connects PAM though PAMClient,
then connects LDAP. LDAP will authenticate the user base on the given
username and password. The authentication result (true or false) from LDAP will
be sent back to MyProxy. Here is an issue there: current user only input
the common name to MyProxy and MyProxy will construct distinguish name by
some mechanism(not sure if it's by hard code or property file). Because
we will support different organization, the user name should be DN rather
than CN when it is sent to MyProxy. Probably we need to modify the source code
(Implemented by c).
CACL and MyProxy are my interested components in GAMA. Through some GAMA
web service, CACL component is used to generate or delete user credential.
It is the user management tools in GAMA. Through another web service, user
credential can be copied to MyProxy. And through a web service in GAMA,
user can login and get back a proxy which was created in MyProxy component.
Since MyProxy server is configurable in GAMA, it is reasonable way let
GAMA server point to a MyProxy server which connect LDAP server. So we can
use existed accounts in LDAP server for authentication.
But here is still some things need be considered:
1. GAMA server stores credential in central place, do we need this
approach even our LDAP server is distruted? I think it is fine to store
credential centrally because it will remove the LDAP admin's burden to
manage them. And in this system, LDAP is an authentication tool and it don't
need to handle the credential.
2. We need a mechanism to call GAMA web servcie to generate credential
when a new user registers in the community.
3. For existed user in our LDAP system, we need a mechanism to generate
credentials for them.
4. When user resets password, we need an mechanism to generate credential
again(Maybe this mechanism is as same as the one for new user).
Here is just rough though, any comment and suggestion we be appreciated.
National Center for Ecological
Analysis and Synthesis (NCEAS)
735 State St. Suite 204
Santa Barbara, CA 93101
More information about the Kepler-dev