Manageability of larger networks

Andreas Heilwagen andreas.heilwagen at
Sun Apr 13 07:48:26 EDT 2003


I've been diving into the LDAPv3 / Kerberos V world for a
week now and there is one question on this list from
10/18/2002 without an answer which is very interesting
to me:

  How am I supposed to manage a large number of
  machines with lots of application-specific accounts
  where I would like to authorize users to services using a
  group/role concept?

Background: I have 80 physical users, 10 roles, >20
Linux and Solaris servers and about 12 application
users. The whole system is a highly available Apache /
WebLogic / Oracle architecture.

The ideal solution from my point of view would be to
use expressions like */portaladmin@<MYREALM>
to authorize a group of trusted users to administer
the Java application servers.
The final list of kerberized applications should
include openssh, apache, cvs and some others
using LDAP backed by Kerberos.

Otherwise I would have to introduce 20x12x<n> entries
to .k5login or .k5users files.

What concept is usually used to manage separate
user groups in the Kerberos world?

Looking forward,



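Added example (not part of the original post): a small Python generator that flattens a role mapping into the per-account .k5login / .k5users files the poster wants to avoid, which makes the 20x12x<n> growth concrete. Role names, principals, commands and the realm are constructed assumptions.

```python
from typing import Dict, List

# Constructed sample data (assumption, not the poster's real roles).
# role -> human users holding that role
ROLE_MEMBERS: Dict[str, List[str]] = {
    "portaladmin": ["alice", "bob"],
    "dba": ["carol"],
}
# application account -> {role: commands that role may run as it}
# "*" means any command, as in the .k5users format used by ksu
APP_ACCESS: Dict[str, Dict[str, List[str]]] = {
    "weblogic": {"portaladmin": ["*"]},
    "oracle": {"dba": ["*"], "portaladmin": ["/usr/bin/sqlplus"]},
}


def principals_for(role: str, realm: str) -> List[str]:
    """Expand a role into fully qualified Kerberos principals."""
    return [f"{user}@{realm}" for user in ROLE_MEMBERS.get(role, [])]


def render_k5login(app_user: str, realm: str) -> str:
    """~app_user/.k5login: one principal per line, each gets full login."""
    roles = APP_ACCESS.get(app_user, {})
    lines = sorted({p for role in roles for p in principals_for(role, realm)})
    return "".join(f"{p}\n" for p in lines)


def render_k5users(app_user: str, realm: str) -> str:
    """~app_user/.k5users: principal followed by the commands it may run."""
    rows: Dict[str, set] = {}
    for role, cmds in APP_ACCESS.get(app_user, {}).items():
        for p in principals_for(role, realm):
            rows.setdefault(p, set()).update(cmds)
    out = []
    for p, cmds in sorted(rows.items()):
        # a wildcard grant makes listing individual commands redundant
        allowed = ["*"] if "*" in cmds else sorted(cmds)
        out.append(f"{p} {' '.join(allowed)}\n")
    return "".join(out)


def total_entries(hosts: int, realm: str) -> int:
    """Lines that must be kept in sync if every host carries its own files."""
    per_host = sum(render_k5login(a, realm).count("\n") for a in APP_ACCESS)
    return hosts * per_host
```

Every role change has to be re-rendered and pushed to all hosts, which is the maintenance cost the poster is trying to avoid by authorizing on a role expression instead.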