Among other things, the PMDF security configuration can be used to cause users' authentication verifiers (passwords)---for instance, the password used when "logging in" during a POP or IMAP connection, or used for authentication between a SASL-enabled client and a SASL-enabled server---to be migrated from one authentication source to another. This is particularly likely to be relevant when users are being automatically migrated from one message store to another---say from the legacy (native) message store to the PMDF MessageStore or to the PMDF popstore. But it also has other applications: for instance, a SASL-enabled client can tell the server to change the storage of the user's password from one mechanism to another; or a site can choose to migrate users' authentication verifiers from a source on the PMDF system (whether system password file, PMDF password database, or PMDF user profiles for PMDF MessageStore and PMDF popstore users) to an external server, such as a RADIUS server.
Such transitioning is controlled via the various TRANSITION_* PMDF security configuration file options, described individually in Section 14.2.2 above. As transitioning involves additional considerations beyond the usual security configuration file considerations, this section presents an additional brief description of transitioning and the use of the TRANSITION_* options in combination.
The TRANSITION_CRITERIA option specifies if and when to transition users' authentication verifiers. The TRANSITION_ADD and TRANSITION_DELETE options control which storage mechanisms to add and which to delete when transitioning is performed. TRANSITION_DELETE actually deletes that mechanism's storage of the authentication verifier (password); for instance, if one is transitioning away from the PMDF password database, the PMDF password database entry for that mechanism for the user's authentication verifier is actually removed from the database. Because this removes that mechanism's only copy of the verifier, TRANSITION_DELETE should be paired with a TRANSITION_ADD to the replacement mechanism, otherwise the user is left with no usable verifier. The TRANSITION_DISABLE option is less drastic than TRANSITION_DELETE: it marks that password as not usable, but does not actually delete the password. For instance, when the system password file is used, TRANSITION_DISABLE on OpenVMS marks the account as DISUSERed; note that the DISUSER flag affects every login to that account, not only mail access. In other words, TRANSITION_DELETE is not normally reversible, other than by manually re-entering the password entry, whereas TRANSITION_DISABLE is more easily reversible. The TRANSITION_RETAIN_USERS option specifies particular users, typically privileged accounts such as root or SYSTEM, who are exempt from the TRANSITION_DISABLE and TRANSITION_DELETE options. This would typically be used when you want to force migration of authentication verifiers for normal users, but not for the special privileged accounts. Finally, the TRANSITION_FROM option specifies a list of additional authentication sources to check when transitioning.
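As an added illustration, the following Python model shows how these options combine at a successful authentication. It is not PMDF code and does not use PMDF's configuration syntax; it only models the semantics described above. It assumes that transitioning happens at successful login, when the cleartext password is in hand and can be stored under the new mechanism (hashes cannot be converted between formats), that TRANSITION_ADD still applies to retained users (the text exempts them only from delete and disable), and it uses stand-in store names ("pwdb", "profile", "sysuaf"), a salted PBKDF2 hash for each store, and an assumed criteria value ALWAYS that is not a documented PMDF value.

```python
"""Model of TRANSITION_* verifier migration (added example, not PMDF code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


class VerifierStore:
    """One authentication source: per-user salted PBKDF2 digest plus a disabled flag.

    Stand-in for the system password file, PMDF password database, or user
    profiles; the hashing scheme is an assumption of this example.
    """

    def __init__(self, name):
        self.name = name
        self.entries = {}      # user -> (salt, digest)
        self.disabled = set()  # users whose entry exists but is marked unusable

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000)

    def set(self, user, password):
        salt = os.urandom(16)
        self.entries[user] = (salt, self._digest(salt, password))
        self.disabled.discard(user)

    def verify(self, user, password):
        if user in self.disabled or user not in self.entries:
            return False
        salt, digest = self.entries[user]
        return hmac.compare_digest(digest, self._digest(salt, password))

    def delete(self, user):              # TRANSITION_DELETE: entry is gone for good
        self.entries.pop(user, None)
        self.disabled.discard(user)

    def disable(self, user):             # TRANSITION_DISABLE: entry kept, marked unusable
        if user in self.entries:
            self.disabled.add(user)

    def enable(self, user):              # reversal of TRANSITION_DISABLE
        self.disabled.discard(user)


@dataclass
class TransitionPolicy:
    criteria: str        # "ALWAYS" or "NEVER" (assumed names for this example)
    add: list            # TRANSITION_ADD: stores to write the verifier into
    delete: list         # TRANSITION_DELETE: stores to remove the old entry from
    disable: list        # TRANSITION_DISABLE: stores to mark the old entry unusable in
    retain_users: set    # TRANSITION_RETAIN_USERS: exempt from delete/disable
    from_sources: list   # TRANSITION_FROM: extra sources to check while transitioning


def authenticate(user, password, primary, policy):
    """Return the name of the store that verified the password, or None."""
    transitioning = policy.criteria == "ALWAYS"
    sources = [primary] + (policy.from_sources if transitioning else [])
    source = next((s for s in sources if s.verify(user, password)), None)
    if source is None:
        return None
    if transitioning:
        # Cleartext is available now, so the verifier can be re-stored elsewhere.
        for store in policy.add:
            if not store.verify(user, password):
                store.set(user, password)
        if user not in policy.retain_users:
            for store in policy.delete:
                store.delete(user)
            for store in policy.disable:
                store.disable(user)
    return source.name


def run_demo():
    """Migrate from 'pwdb' to 'profile' with delete; SYSTEM is a retained user."""
    old, new = VerifierStore("pwdb"), VerifierStore("profile")
    old.set("alice", "correct horse")
    old.set("SYSTEM", "manager")
    policy = TransitionPolicy(criteria="ALWAYS", add=[new], delete=[old], disable=[],
                              retain_users={"SYSTEM", "root"}, from_sources=[old])
    r = {}
    r["alice_first"] = authenticate("alice", "correct horse", new, policy)   # "pwdb"
    r["alice_second"] = authenticate("alice", "correct horse", new, policy)  # "profile"
    r["alice_old_gone"] = "alice" not in old.entries                          # True
    r["alice_wrong"] = authenticate("alice", "nope", new, policy)            # None
    r["system_src"] = authenticate("SYSTEM", "manager", new, policy)         # "pwdb"
    r["system_old_kept"] = "SYSTEM" in old.entries                            # True
    r["system_new_added"] = new.verify("SYSTEM", "manager")                   # True
    return r


def run_disable_demo():
    """Same migration with disable instead of delete: the old entry can be re-enabled."""
    old, new = VerifierStore("sysuaf"), VerifierStore("profile")
    old.set("bob", "pw")
    policy = TransitionPolicy(criteria="ALWAYS", add=[new], delete=[], disable=[old],
                              retain_users=set(), from_sources=[old])
    authenticate("bob", "pw", new, policy)
    after_transition = old.verify("bob", "pw")   # False: marked unusable, like DISUSER
    old.enable("bob")
    return after_transition, old.verify("bob", "pw")  # (False, True)


if __name__ == "__main__":
    print(run_demo())
    print(run_disable_demo())
```

The first login for alice is verified by the TRANSITION_FROM source, copied into the new store, and removed from the old one; the second login is served by the new store alone. SYSTEM, being retained, gets the new entry but keeps the old one, and the disable variant shows why TRANSITION_DISABLE is the reversible choice.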