Kerberos FAQ, v2.0 (last modified 8/18/2000)
Send corrections/additions to the FAQ Maintainer: Ken Hornstein <kenh@cmf.nrl.navy.mil>

From: Dan E. Anderson <anderson@computer.org>

The kadm5.acl (access control list) file resides on the KDC host and controls access to the Kerberos database. The location of the kadm5.acl file is specified in the kdc.conf file for each realm under the [realms] stanza:

    [realms]
        FOOBAR.ORG = {
            acl_file = /var/krb5kdc/kadm5.acl
        }

The ACL format is documented in the "Kerberos V5 Installation Guide". Each line contains a principal name (which may include "*" as a wildcard) and the access permissions ("*" for everything), followed by an optional principal that the ACL applies to (if omitted, it applies to all principals). For example:

    */admin@FOOBAR.ORG *

allows all admin principals all access (add, delete, modification of principals). The following allows only adding, listing, and inquiring about principals for principal fred/admin:

    fred/admin@FOOBAR.ORG ali

Of course, Fred must use the fred/admin principal to access the Kerberos database (with kadmin).
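The ACL format described above, as an added example (not part of the FAQ or of the Kerberos distribution): a small Python parser that reads kadm5.acl lines, resolves a principal's rights, and flags wildcard entries that hold full access. It assumes MIT Kerberos's documented rule that the first matching line decides, approximates wildcard matching with fnmatch, and knows only the letters a, d, m, c, i, l plus "*" and "x"; the function names and the principal joe@FOOBAR.ORG are made up for illustration.

```python
import fnmatch

# Letters per the MIT kadm5.acl format (the page shows a, l, i and "*").
PERMS = {"a": "add", "d": "delete", "m": "modify",
         "c": "changepw", "i": "inquire", "l": "list"}

def parse_acl(text):
    """Return [(principal_pattern, rights, target_pattern)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        who, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else "*"   # omitted = all principals
        if perms in ("*", "x"):
            rights = set(PERMS.values())
        else:  # letters outside PERMS are kept visible instead of dropped
            rights = {PERMS.get(p, "unknown:" + p) for p in perms}
        entries.append((who, rights, target))
    return entries

def rights_for(entries, principal, target):
    """Rights of `principal` over `target`: the first matching line wins.
    fnmatch is an approximation of kadmind's wildcard matching."""
    for who, rights, tgt in entries:
        if fnmatch.fnmatchcase(principal, who) and fnmatch.fnmatchcase(target, tgt):
            return rights
    return set()

def audit(entries):
    """Flag wildcard principals that hold every right over every principal."""
    full = set(PERMS.values())
    return [who for who, rights, tgt in entries
            if "*" in who and rights == full and tgt == "*"]

# Constructed sample: the page's two example lines, in both orders.
BROAD_FIRST = "*/admin@FOOBAR.ORG *\nfred/admin@FOOBAR.ORG ali\n"
NARROW_FIRST = "fred/admin@FOOBAR.ORG ali\n*/admin@FOOBAR.ORG *\n"

if __name__ == "__main__":
    for name, text in (("broad first", BROAD_FIRST), ("narrow first", NARROW_FIRST)):
        acl = parse_acl(text)
        # joe@FOOBAR.ORG is a hypothetical target principal.
        got = rights_for(acl, "fred/admin@FOOBAR.ORG", "joe@FOOBAR.ORG")
        print(name, sorted(got), "flagged:", audit(acl))
```

With the wildcard line first, the narrower fred/admin line is never reached, so restrictive entries belong above wildcard ones.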
Last Update March 27 2014 @ 02:11 PM