unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Page:
Section:
Apropos / Subsearch:
optional field

kadm5.acl(4)                     File Formats                     kadm5.acl(4)



NAME
       kadm5.acl - Kerberos access control list (ACL) file

SYNOPSIS
       /etc/krb5/kadm5.acl

DESCRIPTION
       The  ACL  file  is  used  by the kadmind(1M) command to determine which
       principals are allowed to perform Kerberos administration actions.  For
       operations  that  affect  principals,  the ACL file also controls which
       principals can operate on which other principals. The location  of  the
       ACL  file  is  determined by the acl_file configuration variable in the
       kdc.conf(4) file. The default location is /etc/krb5/kadm5.acl.

       For incremental propagation, see kadmind(1M). The ACL file must contain
       the  kiprop  service principal with propagation privileges in order for
       the slave KDC to pull updates from  the  master's  principal  database.
       Refer to the EXAMPLES section for this case.

       The  ACL file can contain comment lines, null lines, or lines that con-
       tain ACL entries. Comment lines start with the pound sign (#) and  con-
       tinue until the end of the line.

       The order of entries is significant. The first matching entry specifies
       the principal on which the control access applies,  whether  it  is  on
       just  the  principal  or  on the principal when it operates on a target
       principal.

       Lines containing ACL entries must have the following format:

       principal operation-mask [operation-target]

       principal

           Specifies the principal on which the  operation-mask  applies.  Can
           specify  either  a  partially or fully qualified Kerberos principal
           name. Each component of the name can be substituted  with  a  wild-
           card, using the asterisk ( * ) character.



       operation-mask

           Specifies what operations can or cannot be performed by a principal
           matching a particular entry. Specify operation-mask as one or  more
           privileges.

           A privilege is a string of one or more of the following characters:
           a, A, c, C, d, D, i, I, l, L, m, M, p, P, u, U, x, or *. Generally,
           if  the character is lowercase, the privilege is allowed and if the
           character is uppercase, the operation is disallowed. The  x  and  *
           characters are exceptions to the uppercase convention.

           The following privileges are supported:

           a        Allows the addition of principals or policies in the data-
                    base.




           A        Disallows the addition of principals or  policies  in  the
                    database.



           c        Allows  the  changing  of  passwords for principals in the
                    database.



           C        Disallows the changing of passwords for principals in  the
                    database.



           d        Allows the deletion of principals or policies in the data-
                    base.



           D        Disallows the deletion of principals or  policies  in  the
                    database.



           i        Allows inquiries to the database.



           I        Disallows inquiries to the database.



           l        Allows  the listing of principals or policies in the data-
                    base.



           L        Disallows the listing of principals  or  policies  in  the
                    database.



           m        Allows  the  modification of principals or policies in the
                    database.



           M        Disallows the modification of principals  or  policies  in
                    the database.



           p        Allow the propagation of the principal database.



           P        Disallow the propagation of the principal database.



           u        Allows the creation of one-component user principals whose
                    password can be validated with PAM.



           U        Negates the u privilege.



           x        Short for specifying privileges a,  d,m,c,i,  and  l.  The
                    same as *.



           *        Short  for  specifying  privileges  a, d,m,c,i, and l. The
                    same as x.




       operation-target

           Optional. When specified, the privileges  apply  to  the  principal
           when it operates on the operation-target. For the operation-target,
           you can specify a partially or fully qualified  Kerberos  principal
           name.  Each component of the name can be substituted by a wildcard,
           using the asterisk ( * ) character.



EXAMPLES
       Example 1: Specifying a Standard, Fully Qualified Name

       The following ACL entry specifies a standard, fully qualified name:

       user/instance@realm adm

       The operation-mask applies only to  the  user/instance@realm  principal
       and  specifies that the principal can add, delete, or modify principals
       and policies, but it cannot change passwords.

       Example 2: Specifying a Standard Fully Qualified Name and Target

       The following ACL entry specifies a standard, fully qualified name:

       user/instance@realm cim service/instance@realm

       The operation-mask applies only to  the  user/instance@realm  principal
       operating  on the service/instance@realm target, and specifies that the
       principal can change the target's password, request  information  about
       the target, and modify it.

       Example 3: Specifying a Name Using a Wildcard

       The following ACL entry specifies a name using a wildcard:

       user/*@realm ac

       The operation-mask applies to all principals in realm realm whose first
       component is user and specifies that the principals can add  principals
       and change passwords.

       Example 4: Specifying a Name Using a Wildcard and a Target

       The following ACL entry specifies a name using a wildcard and a target:

       user/*@realm i */instance@realm

       The operation-mask applies to all principals in realm realm whose first
       component is  user  and  specifies  that  the  principals  can  perform
       inquiries on principals whose second component is instance and realm is
       realm.

       Example 5: Specifying Incremental Propagation Privileges

       The following ACL entry specifies propagation privileges for the kiprop
       service principal:

       kiprop/slavehost@realm p


       The  operation-mask  applies  to  the  kiprop service principal for the
       specified slave host slavehost in realm realm. This specifies that  the
       associated  kiprop  service principal can receive incremental principal
       updates.

FILES
       /etc/krb5/kdc.conf

           KDC configuration information.



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       tab()    allbox;    cw(2.750000i)|     cw(2.750000i)     lw(2.750000i)|
       lw(2.750000i).    ATTRIBUTE  TYPEATTRIBUTE  VALUE  AvailabilitySUNWkdcu
       Interface StabilityEvolving


SEE ALSO
       kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M),  kdb5_util(1M),
       kdc.conf(4), attributes(5), pam_krb5_migrate(5), SEAM(5)



SunOS 5.10                        26 Apr 2004                     kadm5.acl(4)