slightly expanded wildcard support for kadm5.acl
Mike Dopheide
dopheide at ncsa.uiuc.edu
Fri Mar 30 16:27:12 EDT 2007
Attached is a patch to add wildcard support at the beginning and end of
kadm5.acl components. I'd love to see this or something like it get
added to the standard codebase. We haven't used this in the field yet,
I wanted to get people's opinions first. I may not have considered all
of the implications (please let me know if I'm missing something bad).
We've run into a couple situations here where it would be really handy
to have this.
Example 1:
Temporary guest accounts on a system that doesn't support instances.
This resulted in something similar to guest[001-100] prinicpals and a
hundred kadm5.acl entries so the event coordinator could reset
passwords. This is much more concise:
guest/admin at REALM.COM cmi guest*@REALM.COM
Example 2:
Multiple site admins using a central Kerberos realm. In this case you
can give each site admin control to create/edit host keys in their own
subdomain.
site1/admin at REALM.COM * host/*.site1.realm.com at REALM.COM
site2/admin at REALM.COM * host/*.site2.realm.com at REALM.COM
-Mike
PS. During my testing I noticed that kadmind segfaults if you forget to
add the ACL permissions to a line in kadm5.acl. :)
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: kadm5_acl.patch
Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20070330/49d08706/attachment.bat
More information about the Kerberos
mailing list