Manageability of larger networks
Turbo Fredriksson
turbo at bayour.com
Sun Apr 13 08:15:15 EDT 2003
Quoting Andreas Heilwagen <andreas.heilwagen at jamba.net>:
> The ideal solution from my point of view would be to
> use expressions like */portaladmin@<MYREALM>
> to authorize a group of trusted users to administrate
> the java application servers.
It's been discussed before. Kerberos is an AUTHENTICATION
system, not an AUTHORIZATION system. For authorization,
use LDAP (my personal favorite).
> What concept is usually used to manage separate
> user groups in the Kerberos world?
You don't. You have principals. (dot, end, no more, ende
etc).
For saying 'user/application x has access to y', use
LDAP.