[Kdc-info] notes from today

Nicolas Williams Nicolas.Williams at sun.com
Thu Nov 13 02:23:29 EST 2003


I'm with Leif.

Basically, there will be policy _types_, each with an OID, and instances
of policy types will have names (and also UUIDs, but that's another
story), and, for each policy type there will be at most one policy
associated with a principal.

Note that dumb clients need not know about policy contents - just policy
names.

Smart clients may know how to deal with policy contents.

This allows for the addition of an acl policy.  For a server like MIT's
kadmind there would be one and only one instance of an acl policy type
(e.g., "default") because there is a single acl (kadm5.acl) for all
princs in a realm (more or less :)

Nico

On Thu, Nov 13, 2003 at 04:56:46AM +0100, Leif Johansson wrote:
> 
> 
> | I'm concerned about letting the ideas of ACLs existing show through
> | into the schema.  I'm concerned that it may interact badly with ACL
> | systems people have and will provide insufficient value.
> |
> 
> Me too.
> 
> |
> | What functionality do you want and how will it be useful to you in a
> | cross-vendor environment.
> |
> 
> Nothing. It will Not. I am pretty sure this is not an issue.
> 
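A toy model of the scheme Nico sketches above (policy types keyed by OID, named instances with UUIDs, at most one policy per type per principal, a dumb-client view of names only and a smart-client view of contents), written as an added example for this archive page. It is not code from the thread or from any KDC; the OIDs, principal names and policy contents are made up for illustration.

```python
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical OIDs for two policy types; a real schema would assign its
# own arcs.  These are assumptions for the example only.
PASSWORD_POLICY_OID = "1.3.6.1.4.1.99999.1.1"
ACL_POLICY_OID = "1.3.6.1.4.1.99999.1.2"


@dataclass(frozen=True)
class PolicyInstance:
    """One instance of a policy type, identified by (type OID, name)."""
    type_oid: str
    name: str
    contents: Dict[str, object]
    # Each instance also carries a UUID, as the thread mentions.
    uuid: str = field(default_factory=lambda: str(uuid.uuid4()))


class PolicyRegistry:
    def __init__(self) -> None:
        self._types: Dict[str, str] = {}                    # oid -> description
        self._instances: Dict[Tuple[str, str], PolicyInstance] = {}
        self._by_principal: Dict[str, Dict[str, str]] = {}  # princ -> {oid: name}

    def register_type(self, oid: str, description: str) -> None:
        if oid in self._types:
            raise ValueError(f"policy type {oid} already registered")
        self._types[oid] = description

    def add_instance(self, inst: PolicyInstance) -> None:
        if inst.type_oid not in self._types:
            raise ValueError(f"unknown policy type {inst.type_oid}")
        key = (inst.type_oid, inst.name)
        if key in self._instances:
            raise ValueError(f"policy {inst.name} of type {inst.type_oid} exists")
        self._instances[key] = inst

    def attach(self, principal: str, type_oid: str, name: str) -> None:
        """Associate a named policy with a principal.  The invariant from the
        thread: at most one policy of each type per principal."""
        if (type_oid, name) not in self._instances:
            raise KeyError(f"no policy {name} of type {type_oid}")
        assigned = self._by_principal.setdefault(principal, {})
        if type_oid in assigned:
            raise ValueError(
                f"{principal} already has a {type_oid} policy ({assigned[type_oid]})")
        assigned[type_oid] = name

    def policy_names(self, principal: str) -> List[Tuple[str, str]]:
        """Dumb-client view: only (type OID, policy name) pairs, no contents."""
        return sorted(self._by_principal.get(principal, {}).items())

    def policy_contents(self, principal: str, type_oid: str) -> Dict[str, object]:
        """Smart-client view: contents of the principal's policy of that type."""
        name = self._by_principal[principal][type_oid]
        return dict(self._instances[(type_oid, name)].contents)


def build_example() -> PolicyRegistry:
    """Constructed sample data: a realm with two password policies and a
    single ACL policy instance (the MIT kadmind / kadm5.acl case)."""
    reg = PolicyRegistry()
    reg.register_type(PASSWORD_POLICY_OID, "password quality/lifetime policy")
    reg.register_type(ACL_POLICY_OID, "kadmin ACL policy")
    reg.add_instance(PolicyInstance(PASSWORD_POLICY_OID, "default", {"minlength": 8}))
    reg.add_instance(PolicyInstance(PASSWORD_POLICY_OID, "strong", {"minlength": 14}))
    # One and only one ACL policy instance, named "default" as in the thread.
    reg.add_instance(PolicyInstance(ACL_POLICY_OID, "default", {"file": "kadm5.acl"}))
    reg.attach("alice@EXAMPLE.COM", PASSWORD_POLICY_OID, "strong")
    reg.attach("alice@EXAMPLE.COM", ACL_POLICY_OID, "default")
    reg.attach("bob@EXAMPLE.COM", PASSWORD_POLICY_OID, "default")
    return reg


def second_policy_of_same_type_rejected(reg: PolicyRegistry) -> bool:
    """True if attaching a second password policy to alice is refused."""
    try:
        reg.attach("alice@EXAMPLE.COM", PASSWORD_POLICY_OID, "default")
    except ValueError:
        return True
    return False
```

The point of keeping the per-principal map keyed by type OID rather than by policy name is that the "at most one per type" rule becomes a dictionary-key collision instead of a scan, and a client that only understands names can still list what is attached without parsing any policy body.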