The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

kadm5.acl (4)
  • >> kadm5.acl (4) ( Solaris man: Специальные файлы /dev/* )
  •  

    NAME

    kadm5.acl - Kerberos access control list (ACL) file 
     
    

    SYNOPSIS

    /etc/krb5/kadm5.acl
    

     

    DESCRIPTION

    The ACL file is used by the kadmind(1M) command to determine which principals are allowed to perform Kerberos administration actions. For operations that affect principals, the ACL file also controls which principals can operate on which other principals. The location of the ACL file is determined by the acl_file configuration variable in the kdc.conf(4) file. The default location is /etc/krb5/kadm5.acl.

    For incremental propagation, see kadmind(1M). The ACL file must contain the kiprop service principal with propagation privileges in order for the slave KDC to pull updates from the master's principal database. Refer to the EXAMPLES section for this case.

    The ACL file can contain comment lines, null lines, or lines that contain ACL entries. Comment lines start with the pound sign (#) and continue until the end of the line.

    The order of entries is significant. The first matching entry specifies the principal on which the control access applies, whether it is on just the principal or on the principal when it operates on a target principal.

    Lines containing ACL entries must have the following format:

    principal operation-mask [operation-target]
    

    principal

    Specifies the principal on which the operation-mask applies. Can specify either a partially or fully qualified Kerberos principal name. Each component of the name can be substituted with a wildcard, using the asterisk ( * ) character.

    operation-mask

    Specifies what operations can or cannot be performed by a principal matching a particular entry. Specify operation-mask as one or more privileges.

    A privilege is a string of one or more of the following characters: a, A, c, C, d, D, i, I, l, L, m, M, p, P, u, U, x, or *. Generally, if the character is lowercase, the privilege is allowed and if the character is uppercase, the operation is disallowed. The x and * characters are exceptions to the uppercase convention.

    The following privileges are supported:

    a

    Allows the addition of principals or policies in the database.

    A

    Disallows the addition of principals or policies in the database.

    c

    Allows the changing of passwords for principals in the database.

    C

    Disallows the changing of passwords for principals in the database.

    d

    Allows the deletion of principals or policies in the database.

    D

    Disallows the deletion of principals or policies in the database.

    i

    Allows inquiries to the database.

    I

    Disallows inquiries to the database.

    l

    Allows the listing of principals or policies in the database.

    L

    Disallows the listing of principals or policies in the database.

    m

    Allows the modification of principals or policies in the database.

    M

    Disallows the modification of principals or policies in the database.

    p

    Allow the propagation of the principal database.

    P

    Disallow the propagation of the principal database.

    u

    Allows the creation of one-component user principals whose password can be validated with PAM.

    U

    Negates the u privilege.

    x

    Short for specifying privileges a, d,m,c,i, and l. The same as *.

    *

    Short for specifying privileges a, d,m,c,i, and l. The same as x.

    operation-target

    Optional. When specified, the privileges apply to the principal when it operates on the operation-target. For the operation-target, you can specify a partially or fully qualified Kerberos principal name. Each component of the name can be substituted by a wildcard, using the asterisk ( * ) character.

     

    EXAMPLES

    Example 1 Specifying a Standard, Fully Qualified Name

    The following ACL entry specifies a standard, fully qualified name:

    user/instance@realm adm 
    

    The operation-mask applies only to the user/instance@realm principal and specifies that the principal can add, delete, or modify principals and policies, but it cannot change passwords.

    Example 2 Specifying a Standard Fully Qualified Name and Target

    The following ACL entry specifies a standard, fully qualified name:

    user/instance@realm cim service/instance@realm 
    

    The operation-mask applies only to the user/instance@realm principal operating on the service/instance@realm target, and specifies that the principal can change the target's password, request information about the target, and modify it.

    Example 3 Specifying a Name Using a Wildcard

    The following ACL entry specifies a name using a wildcard:

    user/*@realm ac 
    

    The operation-mask applies to all principals in realm realm whose first component is user and specifies that the principals can add principals and change passwords.

    Example 4 Specifying a Name Using a Wildcard and a Target

    The following ACL entry specifies a name using a wildcard and a target:

    user/*@realm i */instance@realm
    

    The operation-mask applies to all principals in realm realm whose first component is user and specifies that the principals can perform inquiries on principals whose second component is instance and realm is realm.

    Example 5 Specifying Incremental Propagation Privileges

    The following ACL entry specifies propagation privileges for the kiprop service principal:

    kiprop/slavehost@realm p
    

    The operation-mask applies to the kiprop service principal for the specified slave host slavehost in realm realm. This specifies that the associated kiprop service principal can receive incremental principal updates.

     

    FILES

    /etc/krb5/kdc.conf

    KDC configuration information.

     

    ATTRIBUTES

    See attributes(5) for descriptions of the following attributes:

    ATTRIBUTE TYPEATTRIBUTE VALUE

    AvailabilitySUNWkdcu

    Interface Stability

     

    SEE ALSO

    kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M), kdc.conf(4), attributes(5), kerberos(5), pam_krb5_migrate(5)


     

    Index

    NAME
    SYNOPSIS
    DESCRIPTION
    EXAMPLES
    FILES
    ATTRIBUTES
    SEE ALSO


    Поиск по тексту MAN-ов: 




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру