openid support for f9?

Simo Sorce ssorce at redhat.com
Thu Nov 8 17:54:12 UTC 2007


On Thu, 2007-11-08 at 09:01 -0700, Richi Plana wrote:
> Certainly an interesting concept, but that would pull us way too far
> into the Internet space (as opposed to local or even private domain
> space). How would an openid user map to Linux in terms of UID? Would a
> uid be assigned on a local machine? On the domain (if the machine the
> person is logging into happens to be a part of a bigger network)? Does
> the OpenID spec have provisions for account authorization and
> information? There are still some UNIX-y things needed by current
> distributions that we have to find solutions for.

We have the problem of UIDs in the enterprise space right now even
without OpenID in the mix.

The problem being Posix and Linux/UNIX really are not "network-aware"
when it comes to identity.

The UID/GID are *local* by nature. All the tricks used up to today, like NIS
and LDAP, to sync UIDs/GIDs all over are just *bad* hacks.

There are only 2 solutions that have a long-term breath.

1. Move to 128-bit UID/GIDs that are really UUIDs.
  The problem is, most apps won't work, it needs changes in the kernel; in
a word:
	unachievable

2. Make UIDs/GIDs *only* a local thing.
  This means changes in the VFS only; you need a mapping facility so that
you can translate them for (network) file systems.

For network file systems it is probably easier.
I expect preconceived opposition for normal filesystems though. But that is
needed too, because if you want to use a USB pen drive or external
disk, or even an iSCSI partition, you need to be able to map a UUID
stored on the filesystem to the local UID that makes sense for the kernel
and all existing applications, or you are back to requiring all machines in
the world to synchronize with your own machine's UIDs and GIDs.

/Simo "I do not expect anything but a flame from this email" sadly.
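As an added illustration of solution 2 above (example code, not from the thread or from any Fedora project): a per-machine mapping facility in Python that translates a UUID stored on a filesystem into a local UID and back, so only the UUID ever leaves the machine. The reserved UID ranges, the sample owner UUID and the IdMap class are assumptions made for this example.

```python
import uuid

# Constructed reserved range for mapped identities; kept tiny so exhaustion is exercised.
LOCAL_UID_MIN = 200000
LOCAL_UID_MAX = 200002


class IdMap:
    """Per-machine table translating an on-disk owner UUID into a local numeric
    UID and back. Local UIDs are allocated on first sight and never written out."""

    def __init__(self, lo=LOCAL_UID_MIN, hi=LOCAL_UID_MAX):
        self.lo, self.hi = lo, hi
        self.by_uuid = {}   # uuid.UUID -> local uid
        self.by_uid = {}    # local uid -> uuid.UUID
        self.next_free = lo

    def to_local(self, owner):
        """Map an on-disk owner UUID to a local UID, allocating if unseen."""
        key = uuid.UUID(str(owner))   # strict parse; malformed input raises ValueError
        if key in self.by_uuid:
            return self.by_uuid[key]
        if self.next_free > self.hi:
            raise RuntimeError("local UID range exhausted, cannot map %s" % key)
        uid, self.next_free = self.next_free, self.next_free + 1
        self.by_uuid[key] = uid
        self.by_uid[uid] = key
        return uid

    def to_disk(self, uid):
        """Reverse map when writing an inode; a local UID with no identity must not leak."""
        if uid not in self.by_uid:
            raise KeyError("uid %d has no on-disk identity" % uid)
        return str(self.by_uid[uid])


# Constructed sample: the same pen drive plugged into two unrelated machines.
OWNER = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"


def demo():
    box_a, box_b = IdMap(), IdMap(lo=500000, hi=500002)
    uid_a = box_a.to_local(OWNER)                 # each box picks its own local UID
    uid_b = box_b.to_local(OWNER)
    stable = box_a.to_local(OWNER) == uid_a       # repeat lookups are idempotent
    round_trip = box_a.to_disk(uid_a) == OWNER    # what goes back to disk is the UUID
    return uid_a, uid_b, stable, round_trip
```

The two machines never need to agree on numbers; the UUID on the filesystem is the only shared identity, which is the point of keeping UIDs local.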
