more complex kadm5.acl

Greg Hudson ghudson at mit.edu
Sun Jul 23 22:40:47 EDT 2017


On 07/22/2017 12:55 PM, Michael Ströder wrote:
> Are there more complex kadm5.acl examples out there leveraging more complex naming
> schemes for principal instances and realms? Or even more detailed presentations/docs?

You could look at the ACL file written by the automated test script:

https://github.com/krb5/krb5/blob/master/src/tests/t_kadmin_acl.py#L48

The source code for parsing the ACL file also isn't large.  We recently
refactored it without changing its behavior much, so you can look at the
old or new versions:

https://github.com/krb5/krb5/blob/krb5-1.15/src/lib/kadm5/srv/server_acl.c
https://github.com/krb5/krb5/blob/master/src/kadmin/server/auth_acl.c

We are also working on a pluggable interface for kadmin authorization,
targeted for 1.16:

https://k5wiki.kerberos.org/wiki/Projects/kadmin_access_interface
https://github.com/krb5/krb5/pull/675

