Manageability of larger networks
andreas.heilwagen at jamba.net
Sun Apr 13 07:48:26 EDT 2003
I've been diving into the LDAPv3 / Kerberos V world for a
week now and there is one question on this list from
10/18/2002 without an answer which is very interesting
How am I supposed to manage a large number of
machines with lots of application-specific accounts
where I would like to authorize users to services using a
Background: I have 80 physical users, 10 roles, >20
linux and solaris servers and about 12 application
users. The whole system is a highly available apache /
weblogic / oracle architecture.
The ideal solution from my point of view would be to
use expressions like */portaladmin@<MYREALM>
to authorize a group of trusted users to administrate
the java application servers.
The final list of kerberized applications should
include openssh, apache, cvs and some others
using LDAP backed by Kerberos.
Otherwise I would have to introduce 20x12x<n> entries
to .k5login or .k5users files.
What concept is usually used to manage separate
user groups in the Kerberos world?
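
Added example, not part of the original message and not code from any Kerberos distribution: a sketch of keeping the role expressions from the post in one central policy and expanding them into the explicit per-account .k5login entries the post wants to avoid maintaining by hand. The realm, principals, hosts, accounts, the POLICY table and the matching semantics of `*` are all assumptions made for illustration.

```python
import re

# Constructed sample data: realm, principals, hosts and accounts are hypothetical.
PRINCIPALS = [
    "alice/portaladmin@EXAMPLE.ORG",
    "bob/portaladmin@EXAMPLE.ORG",
    "bob/dba@EXAMPLE.ORG",
    "carol/dba@EXAMPLE.ORG",
    "mallory/portaladmin@OTHER.ORG",   # same role name, foreign realm
    "alice@EXAMPLE.ORG",               # no instance, so no role
]

# (host, application account) -> expressions allowed to log in as that account
POLICY = {
    ("app01", "weblogic"): ["*/portaladmin@EXAMPLE.ORG"],
    ("db01", "oracle"): ["*/dba@EXAMPLE.ORG", "alice/portaladmin@EXAMPLE.ORG"],
}

NAME = re.compile(r"^([^/@]+)(?:/([^/@]+))?@([^/@]+)$")

def parse(name):
    """Split primary[/instance]@REALM into (primary, instance or None, realm)."""
    m = NAME.match(name)
    if not m:
        raise ValueError(f"unsupported principal form: {name!r}")
    return m.groups()

def matches(pattern, principal):
    """Assumed semantics: '*' stands for one whole primary or instance
    component; the realm is always compared literally."""
    pat, got = parse(pattern), parse(principal)
    for i, (p, g) in enumerate(zip(pat, got)):
        if p == "*" and i < 2 and g is not None:
            continue
        if p != g:
            return False
    return True

def k5login(host, account, principals=PRINCIPALS):
    """Explicit, sorted principal list for one account's .k5login file."""
    pats = POLICY.get((host, account), [])
    return sorted({p for p in principals for pat in pats if matches(pat, p)})

if __name__ == "__main__":
    for host, account in POLICY:
        print(f"# {host}: ~{account}/.k5login")
        print("\n".join(k5login(host, account)))
```

Accounts with no policy entry get an empty list, so an unlisted account authorizes nobody by default.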