Simple ACL wildcard patch

Kenneth MacDonald Kenneth.MacDonald at ed.ac.uk
Fri Aug 29 05:54:42 EDT 2014


There have been several requests and patches proposed to add support for
some kind of extended wildcard matching in ACLs for kadmind.

I have deployed this simple patch (attached) that checks for an asterisk
at the beginning of the target, but followed by a non-digit.  It then
matches on the rest of the target.

Hence this ACL ...

*/dept.admin@TEST.REALM * */*.dept.test.realm@TEST.REALM

... allows all admin principals from Dept "dept" to manage instance
principals for hosts in their DNS domain in our central realm.  This has
freed us up from manually creating thousands of principals on behalf of
departments, or writing a complex devolved web front end.

Is this patch small and simple enough to form the basis of a change to
the core code?  If so, I'll happily patch up the documentation and
prepare it against trunk.

Cheers,

Kenny.

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-1.11.3-wildcard_target.patch
Type: text/x-patch
Size: 889 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20140829/14f66357/attachment.bin
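The matching rule described in the message, as an added example (not the scrubbed patch and not krb5 code). It assumes the rule is applied per principal component, that `*` followed by a digit stays reserved for back-references, and that separators are never escaped; `component_match`, `target_match` and the sample principals are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not krb5 code): match one principal component
 * against one ACL target component. */
static bool component_match(const char *pat, size_t plen,
                            const char *s, size_t slen)
{
    if (plen == 1 && pat[0] == '*')      /* stock whole-component wildcard */
        return true;
    if (plen > 1 && pat[0] == '*' && !isdigit((unsigned char)pat[1])) {
        size_t tail = plen - 1;          /* text after the leading '*' */
        /* Assumption: '*' must cover at least one character. */
        return slen > tail && memcmp(s + slen - tail, pat + 1, tail) == 0;
    }
    /* "*<digit>" back-references are not expanded here; compared literally. */
    return plen == slen && memcmp(pat, s, plen) == 0;
}

/* Walk target and principal together; '/' and '@' separate components.
 * Assumption: no escaped separators in either string. */
bool target_match(const char *pat, const char *princ)
{
    for (;;) {
        size_t plen = strcspn(pat, "/@");
        size_t slen = strcspn(princ, "/@");
        if (!component_match(pat, plen, princ, slen))
            return false;
        if (pat[plen] != princ[slen])    /* separators or end must line up */
            return false;
        if (pat[plen] == '\0')
            return true;
        pat += plen + 1;
        princ += slen + 1;
    }
}

int main(void)
{
    const char *acl = "*/*.dept.test.realm@TEST.REALM";   /* target from the post */
    const char *p[] = { "host/www.dept.test.realm@TEST.REALM",     /* constructed */
                        "host/www.notdept.test.realm@TEST.REALM",  /* constructed */
                        "host/www.dept.test.realm@OTHER.REALM" };  /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-42s %s\n", p[i], target_match(acl, p[i]) ? "match" : "no match");
    return 0;
}
```

The leading dot in `*.dept.test.realm` is what keeps the delegation inside the department's DNS domain: under this model a target written as `*dept.test.realm` would also accept `www.notdept.test.realm`.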

