wildcards in kadm5.acl

Mike Dopheide dopheide at ncsa.uiuc.edu
Mon Dec 18 14:42:30 EST 2006

Assuming I'm reading the man pages and code correctly, a kadm5.acl entry 
such as this won't work:

foo/admin at REALM.COM	cmi	foo*@REALM.COM

kadm5int_acl_match_data() even specifically mentions that wildcards are 
only supported for a whole component.  In my specific case, using a 
*/foo instance won't work.  I'm perfectly fine modifying my own local 
code, however, is there some security implication of allowing wildcards 
in the principal name that I'm not considering?

The only thing I can think of is the lack of wildcards helps avoid 
unpredictable situations.  For instance, if I'm hoping to match 
foo01-foo50 and we hire Foo Jones someday who gets a 'foojones' principal.


More information about the krbdev mailing list