more complex kadm5.acl

more complex kadm5.acl

Michael Ströder
Hi!

I've read through kadm5.acl(5):

http://web.mit.edu/kerberos/www/krb5-latest/doc/admin/conf_files/kadm5_acl.html

I'm investigating the possibility of auto-generating kadm5.acl based on access control
rules defined in my LDAP directory (with rather complex entity relationships).

Are there more complex kadm5.acl examples out there leveraging more complex naming
schemes for principal instances and realms? Or even more detailed presentations/docs?

Ciao, Michael.


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: more complex kadm5.acl

Greg Hudson
On 07/22/2017 12:55 PM, Michael Ströder wrote:
> Are there more complex kadm5.acl examples out there leveraging more complex naming
> schemes for principal instances and realms? Or even more detailed presentations/docs?

You could look at the ACL file written by the automated test script:

https://github.com/krb5/krb5/blob/master/src/tests/t_kadmin_acl.py#L48

The source code for parsing the ACL file also isn't large.  We recently
refactored it without changing its behavior much, so you can look at the
old or new versions:

https://github.com/krb5/krb5/blob/krb5-1.15/src/lib/kadm5/srv/server_acl.c
https://github.com/krb5/krb5/blob/master/src/kadmin/server/auth_acl.c

We are also working on a pluggable interface for kadmin authorization,
targeted for 1.16:

https://k5wiki.kerberos.org/wiki/Projects/kadmin_access_interface
https://github.com/krb5/krb5/pull/675
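As an added illustration (not part of the thread or of the krb5 code), a small Python model of the kadm5.acl entry format Greg points at: a generator that emits entries from constructed role lists standing in for the LDAP-derived relationships Michael describes, and a simplified matcher to check what the result grants. The realm EXAMPLE.COM and the role and user names are assumptions; the matcher models only whole-component `*` wildcards, `*N` back-references in the target field, upper-/lower-case permission letters and first-match-wins, and leaves out restrictions and partial-component patterns, so anything generated this way should be verified against the real parser linked above.

```python
ALL_OPS = "admcilsp"  # what 'x' or '*' stands for in kadm5.acl

def perm_set(perms):
    """Lower-case letters grant, upper-case letters revoke; 'x'/'*' mean all."""
    granted = set()
    for ch in perms:
        ops = set(ALL_OPS if ch in "x*" else ch.lower())
        granted = granted | ops if ch.islower() or ch in "x*" else granted - ops
    return granted

def match(pattern, princ, refs=None):
    """'*' matches any whole component and is recorded; '*N' (target field only)
    must equal the N-th recorded one; realms must match exactly (simplification)."""
    if pattern == "*":
        return []
    pname, _, prealm = pattern.partition("@")
    cname, _, crealm = princ.partition("@")
    pcomps, ccomps = pname.split("/"), cname.split("/")
    if prealm != crealm or len(pcomps) != len(ccomps):
        return None
    seen = []
    for pc, cc in zip(pcomps, ccomps):
        if pc == "*":
            seen.append(cc)
        elif pc.startswith("*") and pc[1:].isdigit():  # '*N' back-reference
            if refs is None or not 0 < int(pc[1:]) <= len(refs) or refs[int(pc[1:]) - 1] != cc:
                return None
        elif pc != cc:
            return None
    return seen  # recorded wildcard components, or None above when there is no match

def check(acl_text, client, op, target=None):
    """The first entry whose principal (and target, if any) matches decides."""
    for raw in acl_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        refs = match(fields[0], client) if fields else None
        if refs is None:
            continue
        if len(fields) > 2 and (target is None or match(fields[2], target, refs) is None):
            continue  # simplification: a targeted entry never applies to a target-less op
        return op in perm_set(fields[1])
    return False

def generate_acl(realm, helpdesk, locked):
    """Emit kadm5.acl text from constructed role lists (stand-ins for LDAP data)."""
    lines = [f"{u}/admin@{realm} ADMCILSP" for u in locked]  # revocations first: first match wins
    lines.append(f"*/admin@{realm} *")  # every other /admin instance: all operations
    lines += [f"{u}/helpdesk@{realm} ci *@{realm}" for u in helpdesk]  # plain users only
    lines.append(f"*/root@{realm} ci *1@{realm}")  # a /root instance manages its own user
    return "\n".join(lines) + "\n"
```

Because the first matching entry decides, a generated file has to place any revocation entries ahead of broad ones such as `*/admin@REALM *`, which is exactly the ordering a generator must get right.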

Re: more complex kadm5.acl

Michael Ströder
Greg Hudson wrote:
> On 07/22/2017 12:55 PM, Michael Ströder wrote:
> We are also working on a pluggable interface for kadmin authorization,
> targeted for 1.16:
>
> https://k5wiki.kerberos.org/wiki/Projects/kadmin_access_interface
> https://github.com/krb5/krb5/pull/675

Nice to hear that. It would be great to have a kadmin authorization plugin which asks an
external daemon (e.g. over a Unix domain socket) for the authorization information. So one
would not have to write C plugins.

Ciao, Michael.
