wallet acls per glob

Russ Allbery rra at stanford.edu
Thu Oct 4 17:49:34 EDT 2012

Ross Smith <rjsm at umich.edu> writes:

> We would like to restrict certain acls to only reload certain hosts.  I
> have a local patch to allow ldap-group acls.  An example of what I'd
> like to setup is have members of the group foo-reloaders only be able to
> autocreate acls for hosts with fqdn matching ^bar*.engin.umich.edu.  Is
> there an easy way to do this with wallet as is? or how much work would
> it be to implement something like this?

The intent is for you to be able to do that with the default_owner
callback in the wallet configuration file.  Something basically like this:

    sub default_owner {
        my ($type, $name) = @_;
        if ($type eq 'keytab' and $name =~ /^bar.*\.engin\.umich\.edu/) {
            # or whatever the syntax for your ldap-group ACL scheme is
            return ('foo-reloaders', [ 'ldap-group', 'foo-reloaders' ]);
        } else {

For more information see the DEFAULT OWNERS section of Wallet::Config.

Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list