back-referenced wildcards in kadm5.acl

John Devitofranceschi jdvf at optonline.net
Sat Mar 7 15:17:04 EST 2015


> On Jul 17, 2014, at 7:45 PM, Kenneth MacDonald <Kenneth.MacDonald at ed.ac.uk> wrote:
> 
> Quoting John Devitofranceschi <jdvf at optonline.net> on Thu, 17 Jul 2014  
> 15:51:06 -0400:
> 
>> 
>>> On Jul 17, 2014, at 12:37, Greg Hudson <ghudson at MIT.EDU> wrote:
>>> 
>>>> On 07/16/2014 06:34 PM, John Devitofranceschi wrote:
>>>> host/*@MYREALM.COM x */*1 at MYREALM.COM
>>> 
>>> This works for me in 1.11, 1.12, and the master branch.  So, your
>>> expectation isn't unreasonable, but I'm not sure why it doesn't work for
>>> you.
>>> 
>>> Note that kadmind will not reread its ACL file until it is restarted.
>> 
>> I can get it to work with other wild card use cases, like:
>> 
>> *@MYREALM.COM cli   *1/admin at MYREALM.COM
>> 
>> Just not the example I gave originally.
> 
> This is because the wildcard matching only operates on whole  
> components, not substrings of them.  There are various patches  
> floating around that extend this to regular expressions or substrings.  
>  I have one, but I'm on holiday at the moment.  I'll try to remember  
> to follow up when I get back.

I just started looking into this again, this time with 1.13.1 and my results are the same as when I tried last year.  

Any patches or advice welcome!

jd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2446 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20150307/d423fbf0/attachment.bin


More information about the Kerberos mailing list