Occasional mention will be made of account types and services not provided by the GatorLink accounts, where these accounts must be considered.
|
When a user first connects to a terminal server, they submit a
username/password pair. If they have presented with a "/i" suffix, they are
assumed to be a GatorLink user. If they present a "/n" suffix, or none, then
they are authenticated as a RACF user, by reference to an external program.
GatorLink accounts are authenticated first against the DU database that contains the legacy UF Terminal Server account passwords. This database also includes records of all the GatorLink accounts, with notation dividing them into three groups:
Conflicted accounts have already had their authentication performed, and the already-known authentication status is returned to the terminal server. GatorLink accounts proceed to have their password authenticated against the Kerberos database. If their "UFTS" password was found to be correct, and different from their Kerberos password, then the Kerberos password is reset. This step accomplishes the basically painless population of the Kerberos database with up-to-date passwords. The kerberos authentication is then canonical. |
|
|
Authorization for GatorLink dialup is accomplished in two phases. By the time
the account is authenticated, one phase has already occurred: "non-dialup"
GatorLink accounts have been rejected. Further authorization proceeds on the
basis of GatorLink "Quota".
If a GatorLink account still has free quota availiable at login time, then it is allowed to log on. Otherwise, (If it is out of free time) the account is allowed to log on only if the account owner has elected to subsidize any excess time.
|
|
| GatorLink accounting data (along with all other terminal server accounting data) is created from processed TACACS logs every night; 80-column records are built, one per terminal session, and added to an MVS dataset via a LPR batch submission facility. |
 |
|
Existing accounting methods lack an easy way to asnswer the question "Who's on
now", which data is needed to determine wether any users have exceeded their
free quota. To address this, an accounting system which maintains some state
information is forseen.
Users who have not elected to subsidize excess dialup charges have a "disconnect time" associated with their record. Periodically, the Session Limiter scans this list of disconnect times. Those accounts which are closer to disconnect than some threshold (currently one hour) receive Email to that effect. Accounts for which "disconnect time" has passed are disconnected. On disconnect (either voluntary or forced) the accounting record for the session is generated in a table visible both to a DB2/6000 database instance, and the MVS DB/2 instance. Thus, profiling and estimates can be accurate as of who logged off moments ago, rather than only being accurate to the most recent midnight. |
 |
|
With the introduction of GatorLink accounts, it is envisioned that the
existing service of "Basic access" accounts will eventually be deprecated. In
order to serve the needs that "Basic access" currently fills, some method of
allocating additional quota is needed.
The details of this planned portion of the system are not yet established. |
|
