diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
--- krb5-1.6/src/lib/kadm5/srv/server_acl.c 2006-06-16 01:58:42.000000000 -0500
+++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 14:57:19.000000000 -0500
@@ -543,7 +543,8 @@
 /*
 * kadm5int_acl_match_data() - See if two data entries match.
 *
- * Wildcarding is only supported for a whole component.
+ * Wildcarding is only supported at the beginning, end, or as a
+ * whole component.
 */
 static krb5_boolean
 kadm5int_acl_match_data(e1, e2, targetflag, ws)
@@ -552,12 +553,37 @@
 wildstate_t *ws;
 {
 krb5_boolean retval;
+ int cmplen=0;
+ int e2offset;
+ int e1offset;
 
 DPRINT(DEBUG_CALLS, acl_debug_level,
 ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
 retval = 0;
- if (!strncmp(e1->data, "*", e1->length)) {
- retval = 1;
+
+ if(strchr(e1->data, '*')){
+ if(e1->length == 1){
+ /* whole component matches wildcard */
+ retval = 1;
+
+ }else if(e1->data[0] == '*'){
+ /* wildcard at beginning of component */
+ cmplen = e1->length - 1;
+ e2offset = e2->length - cmplen;
+ e1offset = 1;
+
+ }else if(e1->data[e1->length-1] == '*'){
+ /* wildcard at end of component */
+ cmplen = e1->length - 1;
+ e2offset=0;
+ e1offset=0;
+ }
+
+ /* Compare beginning or end of e2->data depending on offsets above */
+ if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 0) && (cmplen != 0)){
+ retval = 1;
+ }
+
 if (ws && !targetflag) {
 if (ws->nwild >= 9) {
 DPRINT(DEBUG_ACL, acl_debug_level,
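Review bot: In the added comparison of the second hunk, `strncmp(e1->data+e1offset, e2->data+e2offset, cmplen)` is evaluated before the `(e2offset >= 0)` and `(cmplen != 0)` guards, so for a leading-wildcard ACL component whose literal tail is longer than the principal component the call reads from before the start of `e2->data`. `e1offset` and `e2offset` are also left uninitialised when the component is a lone `*` or has the `*` in the middle, yet they are still used to form the pointers passed to `strncmp`. Declare them as `int e2offset = 0;` and `int e1offset = 0;`, and put the guards first: `if ((cmplen != 0) && (e2offset >= 0) && (strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0)){`. The trailing-wildcard branch should probably also require `e2->length >= cmplen`, and `strchr()` assumes `e1->data` is NUL-terminated where the removed line bounded the read with `e1->length`; because this function decides ACL matches, a comment stating that a mid-component `*` never matches would also help. The body of kadm5int_acl_match_data continues past the end of the hunk, so how the wildstate block behaves when `retval` stays 0 is not visible here.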