Unix/Linux Go Back    


OpenSolaris 2009.06 - man page for kadm5.acl (opensolaris section 4)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)


kadm5.acl(4)				   File Formats 			     kadm5.acl(4)

NAME
       kadm5.acl - Kerberos access control list (ACL) file

SYNOPSIS
       /etc/krb5/kadm5.acl

DESCRIPTION
       The  ACL file is used by the kadmind(1M) command to determine which principals are allowed
       to perform Kerberos administration actions. For operations that affect principals, the ACL
       file also controls which principals can operate on which other principals. The location of
       the ACL file is determined by the acl_file configuration variable in the kdc.conf(4) file.
       The default location is /etc/krb5/kadm5.acl.

       For incremental propagation, see kadmind(1M). The ACL file must contain the kiprop service
       principal with propagation privileges in order for the slave KDC to pull updates from  the
       master's principal database. Refer to the EXAMPLES section for this case.

       The  ACL  file  can  contain comment lines, null lines, or lines that contain ACL entries.
       Comment lines start with the pound sign (#) and continue until the end of the line.

       The order of entries is significant. The first matching entry specifies the  principal  on
       which  the control access applies, whether it is on just the principal or on the principal
       when it operates on a target principal.

       Lines containing ACL entries must have the following format:

	 principal operation-mask [operation-target]

       principal	   Specifies the principal on which the operation-mask applies. Can spec-
			   ify	either	a  partially  or fully qualified Kerberos principal name.
			   Each component of the name can be substituted with a  wildcard,  using
			   the asterisk ( * ) character.

       operation-mask	   Specifies  what  operations	can or cannot be performed by a principal
			   matching a particular entry. Specify operation-mask	as  one  or  more
			   privileges.

			   A privilege is a string of one or more of the following characters: a,
			   A, c, C, d, D, i, I, l, L, m, M, p, P, u, U, x, or  *.  Generally,  if
			   the	character is lowercase, the privilege is allowed and if the char-
			   acter is uppercase, the operation is disallowed. The x and  *  charac-
			   ters are exceptions to the uppercase convention.

			   The following privileges are supported:

			   a	Allows the addition of principals or policies in the database.

			   A	Disallows the addition of principals or policies in the database.

			   c	Allows the changing of passwords for principals in the database.

			   C	Disallows  the	changing of passwords for principals in the data-
				base.

			   d	Allows the deletion of principals or policies in the database.

			   D	Disallows the deletion of principals or policies in the database.

			   i	Allows inquiries to the database.

			   I	Disallows inquiries to the database.

			   l	Allows the listing of principals or policies in the database.

			   L	Disallows the listing of principals or policies in the database.

			   m	Allows the modification of principals or policies  in  the  data-
				base.

			   M	Disallows the modification of principals or policies in the data-
				base.

			   p	Allow the propagation of the principal database.

			   P	Disallow the propagation of the principal database.

			   u	Allows the creation of one-component user principals whose  pass-
				word can be validated with PAM.

			   U	Negates the u privilege.

			   x	Short for specifying privileges a, d,m,c,i, and l. The same as *.

			   *	Short for specifying privileges a, d,m,c,i, and l. The same as x.

       operation-target    Optional.  When  specified, the privileges apply to the principal when
			   it operates on the operation-target. For the operation-target, you can
			   specify  a  partially or fully qualified Kerberos principal name. Each
			   component of the name can be substituted  by  a  wildcard,  using  the
			   asterisk ( * ) character.

EXAMPLES
       Example 1 Specifying a Standard, Fully Qualified Name

       The following ACL entry specifies a standard, fully qualified name:

	 user/instance@realm adm

       The  operation-mask  applies  only to the user/instance@realm principal and specifies that
       the principal can add, delete, or modify principals and policies,  but  it  cannot  change
       passwords.

       Example 2 Specifying a Standard Fully Qualified Name and Target

       The following ACL entry specifies a standard, fully qualified name:

	 user/instance@realm cim service/instance@realm

       The operation-mask applies only to the user/instance@realm principal operating on the ser-
       vice/instance@realm target, and specifies that the principal can change the target's pass-
       word, request information about the target, and modify it.

       Example 3 Specifying a Name Using a Wildcard

       The following ACL entry specifies a name using a wildcard:

	 user/*@realm ac

       The  operation-mask applies to all principals in realm realm whose first component is user
       and specifies that the principals can add principals and change passwords.

       Example 4 Specifying a Name Using a Wildcard and a Target

       The following ACL entry specifies a name using a wildcard and a target:

	 user/*@realm i */instance@realm

       The operation-mask applies to all principals in realm realm whose first component is  user
       and  specifies that the principals can perform inquiries on principals whose second compo-
       nent is instance and realm is realm.

       Example 5 Specifying Incremental Propagation Privileges

       The following ACL entry specifies propagation privileges for the kiprop service principal:

	 kiprop/slavehost@realm p

       The operation-mask applies to the kiprop service principal for the  specified  slave  host
       slavehost  in realm realm. This specifies that the associated kiprop service principal can
       receive incremental principal updates.

FILES
       /etc/krb5/kdc.conf    KDC configuration information.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWkdcu			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+

SEE ALSO
       kpasswd(1),  gkadmin(1M),  kadmind(1M),	kadmin.local(1M),   kdb5_util(1M),   kdc.conf(4),
       attributes(5), kerberos(5), pam_krb5_migrate(5)

SunOS 5.11				   26 Apr 2004				     kadm5.acl(4)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums


All times are GMT -4. The time now is 07:50 AM.