Administering the Kerberos Server

The admin_acl_file File

To grant the principal rabbit@FINANCE.BAMBI.COM the permission to add, list, and inquire about any principal in the database, add the following entry to admin_acl_file:

rabbit@FINANCE.BAMBI.COM ali

Adding Entries to admin_acl_file

You can add any principal name to admin_acl_file with or without administrative permissions.

To add a principal with assigned permissions, open the Principal Information window in the HP Kerberos Administrator and select the Attribute tab. For more information, see "Administrative Permissions" on page 189.

Consider the following guidelines before deciding on the principal names that you want to add to admin_acl_file:

A primary security server must contain exactly one admin_acl_file. This single file holds the administrative entries for every realm that the primary security server supports.

Protect every principal that you add to admin_acl_file (strong password, restricted access to its keys), because an entry with permissions can alter principal accounts through the remote administration tool. Only trusted administrative principals should appear in the file with permissions.

Principals listed in admin_acl_file with assigned permissions can log on to the administrative tools and act as administrative principals.

The r, R, or Rr modifiers, when used with the a or A permission, restrict the principal names that the holder can add to the database. For instance, a principal assigned the IARiar permissions cannot add a new principal whose name identifier/instance@REALM already appears in admin_acl_file, so a restricted administrator cannot create an account that would match an existing entry and inherit its permissions. To take advantage of this restriction, consider in advance the names you may want to add to admin_acl_file.
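The following Python script is an added example, not HP's code, that parses entries in the "principal permissions" format shown above for rabbit@FINANCE.BAMBI.COM and enforces the restricted-add rule described in the guideline: a holder of a or A whose entry also carries r or R is refused when the name to add already appears in admin_acl_file. The sample file contents, the principals thumper/admin and owl, the treatment of lines beginning with # as comments, and the modelling of permissions as a case-sensitive set of letters are assumptions made for the example; letters other than a, A, l, i, r and R are carried through without being interpreted.

```python
"""Added example: parse an admin_acl_file-style ACL and apply the restricted-add rule.

Not HP's implementation. Assumed format (not specified on the page): one entry
per line, "principal permissions" separated by whitespace, blank lines ignored,
lines starting with '#' treated as comments.
"""
from typing import Dict, Set

# Constructed sample file contents (hypothetical principals, not from the page).
SAMPLE_ACL = """\
# principal                          permissions
rabbit@FINANCE.BAMBI.COM             ali
thumper/admin@FINANCE.BAMBI.COM      IARiar
owl@FINANCE.BAMBI.COM                A
"""


def parse_acl(text: str) -> Dict[str, Set[str]]:
    """Return {principal: set of permission letters}; reject malformed or duplicate entries."""
    acl: Dict[str, Set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'principal permissions', got {raw!r}")
        principal, perms = parts
        if principal in acl:
            # A duplicate would silently merge or override rights; refuse it.
            raise ValueError(f"line {lineno}: duplicate entry for {principal}")
        acl[principal] = set(perms)
    return acl


def has_permission(acl: Dict[str, Set[str]], principal: str, letter: str) -> bool:
    """True if the principal's entry carries the given permission letter (case-sensitive)."""
    return letter in acl.get(principal, set())


def can_add_principal(acl: Dict[str, Set[str]], admin: str, new_principal: str) -> bool:
    """Decide whether `admin` may add `new_principal` to the database.

    Requires a or A. If the entry also carries r or R (restricted add, as the
    guideline describes), refuse any name that already appears in admin_acl_file,
    so a restricted administrator cannot create an account matching an existing
    ACL entry.
    """
    perms = acl.get(admin, set())
    if not perms & {"a", "A"}:
        return False
    restricted = bool(perms & {"r", "R"})
    if restricted and new_principal in acl:
        return False
    return True


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for admin, target in [
        ("rabbit@FINANCE.BAMBI.COM", "owl@FINANCE.BAMBI.COM"),
        ("thumper/admin@FINANCE.BAMBI.COM", "owl@FINANCE.BAMBI.COM"),
        ("thumper/admin@FINANCE.BAMBI.COM", "newuser@FINANCE.BAMBI.COM"),
    ]:
        print(f"{admin} may add {target}: {can_add_principal(acl, admin, target)}")
```

Run against the constructed file, rabbit (ali, unrestricted) may add owl, while thumper/admin (IARiar) is refused for owl because that name is already in the ACL, but may add a name that is not listed.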


Chapter 8