MIT KDC & multiple admins for subsets of principals

Matthew J. Smith matt.smith at
Thu Mar 2 08:58:16 EST 2006

  We have roughly 70,000 principals in our KDC (MIT 1.4), including
~8,000 employees.  These employees belong to multiple
departments/schools across the University.  We are looking to give
access to the appropriate admins from certain departments to change the
password for their subset of users.  This may mean that one admin should
be able to change passwords for 30 principals, another for 400
principals, etc., while our central IT should continue to be able to
change all 70,000.

  The central case is easy, of course, using admin principals and ACLs
of the form "*/admin at REALM *".

  There seem to be two approaches to give out access the way we want:
1)  A custom application (web) using an "all access" */admin principal
to talk to the KDC.  The app controls individual access internally
(perhaps using LDAP).

2)  Generate a rather complex ACL file as part of our regular user
provisioning, explicitly listing each admin principal and all the
principals it has access to.

  I prefer keeping access control as close to the KDC as possible (#2),
but would having such a large ACL file cause a performance hit (or other
negative impact)?

Any feedback is appreciated - thank you,
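Approach #2 sketched as an added example (my code, not the poster's): it generates the explicit per-admin kadm5.acl lines beside the central "*/admin@REALM *" rule from constructed provisioning data, then checks the result with a simplified matcher before the file is installed. It assumes "*" matches exactly one principal component and that realms must match; MIT's *1/*2 back-references, restriction fields and negative (uppercase) permissions are not modelled, and the department and admin names are made up.

```python
REALM = "REALM"  # placeholder realm name, as written in the post

# Constructed provisioning data (not real users): department -> first
# component of its admin principal and the user principals it may manage.
DEPARTMENTS = {
    "physics": {"admin": "pjones", "users": ["alice", "bob"]},
    "law": {"admin": "lsmith", "users": ["carol"]},
}


def generate_acl(departments, realm=REALM):
    """Build kadm5.acl lines: the central '*/admin@REALM *' rule first, then
    one explicit 'admin c target' line per user so every grant is auditable.
    Departmental admins get a '<dept>-admin' instance (a constructed naming
    convention) so they never match the central '*/admin' wildcard."""
    lines = [f"*/admin@{realm} *"]
    for dept in sorted(departments):
        admin = f"{departments[dept]['admin']}/{dept}-admin@{realm}"
        for user in sorted(departments[dept]["users"]):
            lines.append(f"{admin} c {user}@{realm}")
    return lines


def _split(princ):
    name, _, realm = princ.partition("@")
    return name.split("/"), realm


def _matches(pattern, princ):
    """Simplified kadm5.acl matching: same component count, same realm,
    and '*' stands for exactly one whole component."""
    pcomps, prealm = _split(pattern)
    ncomps, nrealm = _split(princ)
    if len(pcomps) != len(ncomps) or prealm != nrealm:
        return False
    return all(p == "*" or p == n for p, n in zip(pcomps, ncomps))


def can_change_password(acl_lines, admin, target):
    """True if the first entry matching (admin, target) grants 'c' or '*'.
    An entry with no target field applies to every target principal."""
    for line in acl_lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        who, perms = fields[0], fields[1]
        target_ok = len(fields) < 3 or _matches(fields[2], target)
        if _matches(who, admin) and target_ok:
            return "c" in perms or "*" in perms
    return False
```

Running the checker over the generated file for every (admin, principal) pair is a cheap way to confirm that no departmental admin matches anything outside its subset while every */admin principal still matches all of them.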

