Administering the Kerberos Server

The admin_acl_file File

Permissions designated with a lowercase letter apply only to the realm to which the administrative principal belongs. Permissions designated with an uppercase letter apply to all realms. [permissions] is an optional string containing one or more of the options listed in Table 8-2.

The restricted administrator setting is a modifier that you must use in conjunction with permissions. Consider the following guidelines before using the r, R and Rr modifiers:

The order of the permission letters is irrelevant.

The e, E, g and G switches are not affected by the r and R permissions.

The * (asterisk) symbol overrides the r and R switches.

For more information, see “Using Restricted Administrator” on page 117.

The principal can also include the asterisk (*) wildcard, because admin_acl_file supports the following identifier/instance wildcards:

*/instance

identifier/*

This format makes it easier to add groups of principal names to the file. For example, if you want any principal with the instance admin to be able to administer the database, use the principal */admin@REALM, where REALM is the realm of the primary security server.

For example, to grant all permissions to every principal whose instance is admin, add the following entry to admin_acl_file:

*/admin@FINANCE.BAMBI.COM *

where:

*                  Denotes all principals

admin              Specifies the instance

FINANCE.BAMBI.COM  Denotes the realm name

*                  Denotes the permissions (here, all permissions)
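The following script is an added example, not part of the Kerberos server distribution or of this manual. It applies the rules stated above to a constructed admin_acl_file: the */instance and identifier/* wildcards, lowercase letters valid only in the administrator's own realm, uppercase letters valid in all realms, * meaning all permissions, and the r/R restricted modifier, which leaves e/E/g/G untouched and is overridden by *. Everything else is an assumption made for the example: that # begins a comment, that the realm part of an entry must match the administrator's realm exactly, that the first matching entry decides, that an entry with no permissions field grants nothing, and that * applies to all realms. The sample entries, principal names and the letters a and c are constructed for illustration and do not come from Table 8-2.

```python
"""Resolve what an admin_acl_file grants to a given administrative principal.

Added example; not part of the Kerberos server distribution. Encodes only the
rules stated on this page (wildcards, lowercase = own realm, uppercase = all
realms, '*' = all permissions, r/R modifier not affecting e/E/g/G and
overridden by '*'). Assumptions not on the page: '#' begins a comment, the
realm must match exactly, the first matching entry decides, a missing
permissions field grants nothing, and '*' applies to all realms.
"""
from typing import NamedTuple

UNRESTRICTED = frozenset("eg")   # e/E/g/G are not affected by r/R
MODIFIERS = frozenset("rR")      # restricted-administrator modifier letters

# Constructed sample admin_acl_file for the demonstration (not a real file).
SAMPLE_ACL = """\
# any principal with the admin instance in FINANCE gets everything
*/admin@FINANCE.BAMBI.COM  *
# joe: 'a' only in HR, 'E' everywhere, restricted (r) in HR only
joe/admin@HR.BAMBI.COM     aEr
# every helpdesk instance: 'c' in HR only, restricted (R) in every realm
helpdesk/*@HR.BAMBI.COM    cR
# entry with no permissions field at all (assumed to grant nothing)
auditor/admin@HR.BAMBI.COM
"""

class Principal(NamedTuple):
    identifier: str
    instance: str          # "" when the principal has no instance component
    realm: str

class AclEntry(NamedTuple):
    pattern: Principal     # identifier and/or instance may be "*"
    perms: frozenset       # permission letters, or a set containing "*"

class Decision(NamedTuple):
    granted: bool
    restricted: bool       # True when the grant carries the r/R modifier

def parse_principal(text: str) -> Principal:
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal needs identifier[/instance]@REALM: {text!r}")
    identifier, _, instance = name.partition("/")
    return Principal(identifier, instance, realm)

def parse_acl(text: str) -> list:
    """Parse 'principal [permissions]' lines; order of letters is irrelevant."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) > 2:
            raise ValueError(f"line {lineno}: expected 'principal [permissions]'")
        perms = frozenset(fields[1]) if len(fields) == 2 else frozenset()
        bad = [c for c in perms if not (c.isalpha() or c == "*")]
        if bad:
            raise ValueError(f"line {lineno}: bad permission characters {bad}")
        entries.append(AclEntry(parse_principal(fields[0]), perms))
    return entries

def matches(pattern: Principal, p: Principal) -> bool:
    """Wildcard match: '*' stands for any identifier or any instance."""
    return (pattern.realm == p.realm
            and pattern.identifier in ("*", p.identifier)
            and pattern.instance in ("*", p.instance))

def first_match(entries, admin: Principal):
    for e in entries:                            # assumption: first match decides
        if matches(e.pattern, admin):
            return e
    return None

def effective_perms(entries, admin_name: str, target_realm: str) -> frozenset:
    """Lowercase letters the admin may exercise in target_realm ({'*'} = all)."""
    admin = parse_principal(admin_name)
    entry = first_match(entries, admin)
    if entry is None:
        return frozenset()
    if "*" in entry.perms:
        return frozenset("*")
    granted = set()
    for c in entry.perms - MODIFIERS:
        if c.isupper() or target_realm == admin.realm:   # uppercase: all realms
            granted.add(c.lower())
    return frozenset(granted)

def check(entries, admin_name: str, perm: str, target_realm: str) -> Decision:
    """Is lowercase letter `perm` granted in target_realm, and is it restricted?"""
    perm = perm.lower()
    if len(perm) != 1 or perm in MODIFIERS or perm == "*":
        raise ValueError(f"not a permission letter: {perm!r}")
    admin = parse_principal(admin_name)
    entry = first_match(entries, admin)
    if entry is None:
        return Decision(False, False)
    if "*" in entry.perms:
        return Decision(True, False)             # '*' overrides r and R
    own_realm = target_realm == admin.realm
    granted = perm.upper() in entry.perms or (perm in entry.perms and own_realm)
    if not granted:
        return Decision(False, False)
    restricted = (perm not in UNRESTRICTED
                  and ("R" in entry.perms or ("r" in entry.perms and own_realm)))
    return Decision(True, restricted)

ACL = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for who, realm in [("alice/admin@FINANCE.BAMBI.COM", "HR.BAMBI.COM"),
                       ("joe/admin@HR.BAMBI.COM", "HR.BAMBI.COM"),
                       ("joe/admin@HR.BAMBI.COM", "FINANCE.BAMBI.COM"),
                       ("helpdesk/tier1@HR.BAMBI.COM", "HR.BAMBI.COM")]:
        print(who, "in", realm, "->", sorted(effective_perms(ACL, who, realm)))
```

Two things worth noticing when you run it: alice@FINANCE.BAMBI.COM (no instance) is not matched by */admin, so the wildcard does not silently widen the grant beyond the admin instance; and joe's lowercase a disappears as soon as the target realm is not his own, while his uppercase E survives. Because the first matching entry decides in this model, a broad wildcard entry placed above a narrower one would mask the narrower one, so keep wildcard entries last if you adopt the same assumption.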

Chapter 8    115