RE: IKE and iSCSI Authentication

> I really did understand what it takes to associate the iSCSI Initiator Name
> with the UserID. I said that a tight binding table was needed. I also
> said that you have to be sure that it is kept in sync with the
> Installation's User/Password Database/Directory. You did not refute that,
> just attempted to trivialize the relationship table that
> needs to be built.
>
> We have never addressed this Table as part of iSCSI before, and it is
> important that everyone understands this, and that we understand how it is
> to be kept in sync with the installation's User/Password Directory. As part
> of doing this, we need to really understand what directories prevent our
> use of iSCSI Node Names, and which permit it. We need to understand if it
> is possible to have more than one UserID associated with a single iSCSI
> Node Name, etc.

John,

The conventional name for this "Table" is an Access Control List (ACL).
Between LUN masking/mapping and management products, this is already
a familiar concept in storage systems. If the number of targets is
a concern, there are well-known ways to make ACLs scalable.

In practice, keeping ACLs in sync with the enterprise authentication
system is not that difficult - only the userids appear in the ACLs, and
hence they aren't changed when a password is changed because the
password-related data is passed to an external server for verification.
Administration of userid changes can consume some time, but administrators
of secure internal web sites seem to have mastered this.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500
black_david@emc.com Mobile: +1 (978) 394-7754
---------------------------------------------------
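
Added example, not part of the original message or of any iSCSI implementation: a sketch of the binding the thread discusses, where a target-side ACL holds only iSCSI node names and userids while password checks go to an external server. The class names, the iqn-style node names and the in-memory "external server" are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class ExternalAuthServer:
    """Stand-in for the enterprise authentication system (constructed)."""

    def __init__(self):
        self._records = {}  # userid -> (salt, derived key)

    def set_password(self, userid, password):
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._records[userid] = (salt, key)

    def verify(self, userid, password):
        record = self._records.get(userid)
        if record is None:
            return False
        salt, key = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(key, candidate)


class TargetACL:
    """Per-target ACL: iSCSI node name -> userids allowed under that name.

    Only userids are stored here, so a password change never touches it.
    """

    def __init__(self, auth_server):
        self._auth = auth_server
        self._entries = {}  # node name -> set of userids

    def permit(self, node_name, userid):
        # More than one userid may be bound to a single node name.
        self._entries.setdefault(node_name, set()).add(userid)

    def revoke_user(self, userid):
        # The one sync step needed when a userid leaves the directory.
        for users in self._entries.values():
            users.discard(userid)

    def authorize(self, node_name, userid, password):
        # Authenticate externally, then require the (node name, userid)
        # binding; anything not listed is denied by default.
        authenticated = self._auth.verify(userid, password)
        bound = userid in self._entries.get(node_name, set())
        return authenticated and bound
```
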
Last updated: Tue Sep 04 01:03:49 2001