slightly expanded wildcard support for kadm5.acl

Mike Dopheide dopheide at ncsa.uiuc.edu
Fri Mar 30 16:27:12 EDT 2007


Attached is a patch to add wildcard support at the beginning and end of 
kadm5.acl components.  I'd love to see this or something like it get 
added to the standard codebase.  We haven't used this in the field yet, 
I wanted to get people's opinions first.  I may not have considered all 
of the implications (please let me know if I'm missing something bad).

We've run into a couple situations here where it would be really handy 
to have this.

Example 1:
Temporary guest accounts on a system that doesn't support instances. 
This resulted in something similar to guest[001-100] principals and a 
hundred kadm5.acl entries so the event coordinator could reset 
passwords.  This is much more concise:

guest/admin@REALM.COM	cmi	guest*@REALM.COM


Example 2:
Multiple site admins using a central Kerberos realm.  In this case you 
can give each site admin control to create/edit host keys in their own 
subdomain.

site1/admin@REALM.COM   *	host/*.site1.realm.com@REALM.COM
site2/admin@REALM.COM   *	host/*.site2.realm.com@REALM.COM


-Mike

PS.  During my testing I noticed that kadmind segfaults if you forget to 
add the ACL permissions to a line in kadm5.acl.  :)
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: kadm5_acl.patch
Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20070330/49d08706/attachment.bat
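Added here as an illustration, not the attached patch or any MIT code: a small Python model of the matching rule the post proposes (a `*` at the start or end of a kadm5.acl component, alongside the existing whole-component `*`), run over the two example ACL lines. Assumptions: components compare case-sensitively, any matching entry grants access, an omitted target field means any target, and a line lacking the permission field is rejected rather than crashing.

```python
# Constructed sample in the post's format: acting principal, permission letters, target.
SAMPLE_ACL = """\
guest/admin@REALM.COM\tcmi\tguest*@REALM.COM
site1/admin@REALM.COM\t*\thost/*.site1.realm.com@REALM.COM
site2/admin@REALM.COM\t*\thost/*.site2.realm.com@REALM.COM
"""

def split_principal(princ):
    """'a/b@REALM' -> ['a', 'b', 'REALM']; the realm is always the last component."""
    name, _, realm = princ.rpartition("@")
    return name.split("/") + [realm]

def component_matches(pattern, value):
    """Leading/trailing '*' is the post's extension; '*' elsewhere is literal (assumed)."""
    lead, trail = pattern.startswith("*"), pattern.endswith("*")
    core = pattern[1 if lead else 0:len(pattern) - 1 if trail else len(pattern)]
    if lead and trail:          # covers the existing whole-component '*' too
        return core in value
    if lead:
        return value.endswith(core)
    if trail:
        return value.startswith(core)
    return value == pattern

def principal_matches(pattern, princ):
    """Component counts must agree, so guest*@R never covers guest/x@R."""
    if pattern == "*":
        return True
    p, v = split_principal(pattern), split_principal(princ)
    return len(p) == len(v) and all(component_matches(a, b) for a, b in zip(p, v))

def parse_acl(text):
    """Reject a line with no permission field (the post notes kadmind segfaults on one)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            raise ValueError(f"kadm5.acl line {lineno}: missing permission field")
        target = fields[2] if len(fields) > 2 else "*"  # assumed: no target = any
        entries.append((fields[0], fields[1], target))
    return entries

def allowed(acl, who, op, target):
    # True if any entry lets `who` apply permission letter `op` to `target`.
    return any(principal_matches(pw, who) and principal_matches(pt, target)
               and (perms == "*" or op in perms) for pw, perms, pt in acl)
```

Note that `guest*@REALM.COM` also covers a principal such as `guestadmin@REALM.COM`, so a prefix wildcard should be chosen so that nothing unintended shares the prefix.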

