Manageability of larger networks

Turbo Fredriksson turbo at
Sun Apr 13 08:15:15 EDT 2003

Quoting Andreas Heilwwagen <andreas.heilwagen at>:

> The ideal solution from my point of view would be to
> user expressions like */portaladmin@<MYREALM>
> to authorize a group of trusted users to administrate
> the java application servers.

It's been discussed before. Kerberos is a AUTHENTICATION
system, not a AURHORIZATION system. For authorization,
use LDAP (my personal favorite).

> What concept is usually used to manage separate
> user groups in the Kerberos world?

You don't. You have principals. (dot, end, no more, ende

For saying 'user/application x have access to y', use

More information about the Kerberos mailing list