[kepler-dev] GAMA server for SEEK

Jing Tao tao at mercury.nceas.ucsb.edu
Fri Aug 26 10:34:39 PDT 2005

Hi, everyone:

After talking with Bill and Sandeep and reading the documentation, here is 
some thought about adopt GAMA and MyProxy which connects to LDAP as our 
authentication server.

To my understanding, MyProxy in NCSA is configured to use external 
authentication mechanisam - LDAP to verify identity. So user input usrname 
and password into MyProxy, and MyProxy connects PAM though PAMClient, 
then connects LDAP. LDAP will authenticate the user base on the given 
username and password. The authentication result (true or false) from LDAP will 
be sent back to MyProxy. Here is an issue there: current user only input 
the common name to MyProxy and MyProxy will construct distinguish name by 
some mechanism(not sure if it's by hard code or property file). Because 
we will support  different organization, the user name should be DN rather 
than CN when it is sent to MyProxy. Probably we need to modify the source code 
(Implemented by c).

CACL and MyProxy are my interested components in GAMA. Through some GAMA 
web service, CACL component is used to generate or delete user credential. 
It is the user management tools in GAMA. Through another web service, user 
credential can be copied to MyProxy. And through a web service in GAMA, 
user can login and get back a proxy which was created in MyProxy component.

Since MyProxy server is configurable in GAMA, it is reasonable way let 
GAMA server point to a MyProxy server which connect LDAP server. So we can 
use existed accounts in LDAP server for authentication.

But here is still some things need be considered:

1. GAMA server stores credential in central place, do we need this 
approach even our LDAP server is distruted? I think it is fine to store 
credential centrally because it will remove the LDAP admin's burden to 
manage them. And in this system, LDAP is an authentication tool and it don't 
need to handle the credential.

2. We need a mechanism to call GAMA web servcie to generate credential 
when a new user registers in the community.

3. For existed user in our LDAP system, we need a mechanism to generate 
credentials for them.

4. When user resets password, we need an mechanism to generate credential 
again(Maybe this mechanism is as same as the one for new user).

Here is just rough though, any comment and suggestion we be appreciated.


Jing Tao
National Center for Ecological
Analysis and Synthesis (NCEAS)
735 State St. Suite 204
Santa Barbara, CA 93101

More information about the Kepler-dev mailing list