wildcards in kadm5.acl
dopheide at ncsa.uiuc.edu
Mon Dec 18 14:42:30 EST 2006
Assuming I'm reading the man pages and code correctly, a kadm5.acl entry
such as this won't work:
foo/admin at REALM.COM cmi foo*@REALM.COM
kadm5int_acl_match_data() even specifically mentions that wildcards are
only supported for a whole component. In my specific case, using a
*/foo instance won't work. I'm perfectly fine modifying my own local
code, however, is there some security implication of allowing wildcards
in the principal name that I'm not considering?
The only thing I can think of is the lack of wildcards helps avoid
unpredictable situations. For instance, if I'm hoping to match
foo01-foo50 and we hire Foo Jones someday who gets a 'foojones' principal.
More information about the krbdev