Manageability of larger networks
Andreas Heilwagen
andreas.heilwagen at jamba.net
Sun Apr 13 07:48:26 EDT 2003
Hello,
I've been diving into the LDAPv3 / Kerberos V world for a
week now and there is one question on this list from
10/18/2002 without an answer which is very interesting
to me:
How am I supposed to manage a large number of
machines with lots of application-specific accounts
where I would like to authorize users to services using a
group/role concept?
Background: I have 80 physical users, 10 roles, >20
linux and solaris servers and about 12 application
users. The whole system is a high-available apache /
weblogic / oracle architecture.
The ideal solution from my point of view would be to
use expressions like */portaladmin@<MYREALM>
to authorize a group of trusted users to administrate
the java application servers.
The final list of kerberized applications should
include openssh, apache, cvs and some others
using LDAP backed by Kerberos.
Otherwise I would have to introduce 20x12x<n> entries
to .k5login or .k5users files.
What concept is usually used to manage separate
user groups in the Kerberos world?
Looking forward,
Andreas