cat-users - Re: [[cat-users]] CAT installer broken on TTLS PAP

cat-users AT lists.geant.org: the mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Stefan Winter <stefan.winter AT restena.lu>, cat-users AT lists.geant.org, "Cecchini, Paolo" <paolo.cecchini AT uniurb.it>
  • Subject: Re: [[cat-users]] CAT installer broken on TTLS PAP
  • Date: Wed, 24 Oct 2018 08:38:12 +0200
  • Openpgp: preference=signencrypt

I have also removed the check from the Linux installer.
Tomasz


On 23.10.2018 at 16:25, Stefan Winter wrote:
> Hi,
>
>> So indeed the installer has a problem. We did not think of a situation
>> where an IdP would be using inner identifiers like user@staff
>> We have been asked many times to add some identifier checks and we have
>> two new options on that - the admins now can test if the realm in user's
>> identifier matches the realm provided in the configuration or even
>> prefill the username field with "@realm". With no options set, we still
>> run some basic checks like multiple @ signs or a dot immediately after @
>> or no dot in the realm part. This last test causes the error in Paolo's
>> case. It looks like we have no choice but to drop this one test as it
>> may be doing more harm than good.
> Just for the sake of making an argument, I'd like to point out that
> something@staff is not a valid user identifier in the sense of the
> IETF's "Network Access Identifier (NAI)" RFC. Nor is something with two
> @@ signs in it or an @. .
>
> If this kind of identifier is used /without/ enabling outer identity
> with a correct NAI, it leads to actual breakage when roaming. I'm
> assuming that this IdP has thus turned on outer identities, making this
> internal use "okay".
>
> So, I think in general we have a point in testing for these conditions.
> But since reality shows us that these identifiers are in actual
> deployment, and our sense for standards-correctness is getting in the
> way of real deployments, I'm okay with removing the check.
>
> Greetings,
>
> Stefan

--
Tomasz Wolniewicz
twoln AT umk.pl http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University,
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576


Attachment: smime.p7s
Description: S/MIME cryptographic signature
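The checks discussed in this thread, written out as an added example (this is not the CAT project's own installer code): a small validator that applies the "multiple @ signs", "dot immediately after @" and "no dot in the realm part" tests to an inner identifier, plus the optional realm-match test an admin can turn on. The "no dot in the realm" test is kept behind a switch so you can see why an internal identifier like `user@staff` fails only that test, and passes once it is dropped. The function name, the switch names and the sample identifiers are all constructed for this example.

```python
"""Added example: inner-identifier sanity checks as described in the thread.

Not CAT project code. Names (check_inner_identity, require_dot_in_realm,
expected_realm) and the sample identifiers below are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NaiCheck:
    """Result of checking one identifier: the problems found, if any."""
    identifier: str
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_inner_identity(identifier: str, *,
                         expected_realm: Optional[str] = None,
                         require_dot_in_realm: bool = True) -> NaiCheck:
    """Apply the basic checks mentioned in the thread to an inner identifier.

    expected_realm:       realm configured by the IdP admin (hypothetical option);
                          when set, the realm part of the identifier must match it.
    require_dot_in_realm: the test CAT decided to drop, kept as a switch so both
                          behaviours can be compared on the same input.
    """
    result = NaiCheck(identifier)
    at_count = identifier.count("@")
    if at_count == 0:
        # No realm part at all: the realm-related checks do not apply.
        return result
    if at_count > 1:
        result.problems.append("multiple @ signs")
        return result

    _user, realm = identifier.split("@", 1)
    if realm.startswith("."):
        result.problems.append("dot immediately after @")
    if require_dot_in_realm and "." not in realm:
        # This is the test that rejects identifiers such as user@staff.
        result.problems.append("no dot in realm part")
    if expected_realm is not None and realm.lower() != expected_realm.lower():
        result.problems.append(
            f"realm {realm!r} does not match configured realm {expected_realm!r}")
    return result


# Constructed sample identifiers covering each check.
SAMPLE_IDENTIFIERS = [
    "alice@example.org",   # well-formed NAI
    "bob@staff",           # internal realm without a dot (the case from the thread)
    "carol@@example.org",  # two @ signs
    "dave@.example.org",   # dot immediately after @
]


def run_samples(require_dot_in_realm: bool) -> Dict[str, List[str]]:
    """Return the problems found for every sample identifier."""
    return {ident: check_inner_identity(
                ident, require_dot_in_realm=require_dot_in_realm).problems
            for ident in SAMPLE_IDENTIFIERS}


if __name__ == "__main__":
    for strict in (True, False):
        print(f"require_dot_in_realm={strict}")
        for ident, problems in run_samples(strict).items():
            verdict = "OK" if not problems else "; ".join(problems)
            print(f"  {ident:22} {verdict}")
```

Running it with the switch on and off shows that `bob@staff` is the only sample whose verdict changes; the other two malformed identifiers are still caught. Note, as Stefan points out above, that a realm without a dot is only safe for local use when a proper NAI is sent as the outer identity, which this check cannot see.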



