kadm5.acl man page on OpenIndiana

Man page or keyword search:  
man Server   20441 pages
apropos Keyword Search (all sections)
Output format
OpenIndiana logo
[printable version]

kadm5.acl(4)			 File Formats			  kadm5.acl(4)

NAME
       kadm5.acl - Kerberos access control list (ACL) file

SYNOPSIS
       /etc/krb5/kadm5.acl

DESCRIPTION
       The  ACL	 file  is  used	 by the kadmind(1M) command to determine which
       principals are allowed to perform Kerberos administration actions.  For
       operations  that	 affect	 principals,  the ACL file also controls which
       principals can operate on which other principals. The location  of  the
       ACL  file  is  determined by the acl_file configuration variable in the
       kdc.conf(4) file. The default location is /etc/krb5/kadm5.acl.

       For incremental propagation, see kadmind(1M). The ACL file must contain
       the  kiprop  service principal with propagation privileges in order for
       the slave KDC to pull updates from  the	master's  principal  database.
       Refer to the EXAMPLES section for this case.

       The  ACL file can contain comment lines, null lines, or lines that con‐
       tain ACL entries. Comment lines start with the pound sign (#) and  con‐
       tinue until the end of the line.

       The order of entries is significant. The first matching entry specifies
       the principal on which the control access applies,  whether  it	is  on
       just  the  principal  or	 on the principal when it operates on a target
       principal.

       Lines containing ACL entries must have the following format:

	 principal operation-mask [operation-target]

       principal	   Specifies the principal on which the operation-mask
			   applies.  Can  specify  either a partially or fully
			   qualified Kerberos principal name.  Each  component
			   of  the  name  can  be substituted with a wildcard,
			   using the asterisk ( * ) character.

       operation-mask	   Specifies what operations can  or  cannot  be  per‐
			   formed  by a principal matching a particular entry.
			   Specify operation-mask as one or more privileges.

			   A privilege is a string of one or more of the  fol‐
			   lowing characters: a, A, c, C, d, D, i, I, l, L, m,
			   M, p, P, u, U, x, or *. Generally, if the character
			   is  lowercase,  the privilege is allowed and if the
			   character is uppercase,  the	 operation  is	disal‐
			   lowed. The x and * characters are exceptions to the
			   uppercase convention.

			   The following privileges are supported:

			   a	Allows the addition of principals or  policies
				in the database.

			   A	Disallows  the addition of principals or poli‐
				cies in the database.

			   c	Allows the changing of passwords  for  princi‐
				pals in the database.

			   C	Disallows  the changing of passwords for prin‐
				cipals in the database.

			   d	Allows the deletion of principals or  policies
				in the database.

			   D	Disallows  the deletion of principals or poli‐
				cies in the database.

			   i	Allows inquiries to the database.

			   I	Disallows inquiries to the database.

			   l	Allows the listing of principals  or  policies
				in the database.

			   L	Disallows  the	listing of principals or poli‐
				cies in the database.

			   m	Allows the modification of principals or poli‐
				cies in the database.

			   M	Disallows  the	modification  of principals or
				policies in the database.

			   p	Allow the propagation of the  principal	 data‐
				base.

			   P	Disallow  the  propagation  of	the  principal
				database.

			   u	Allows	the  creation  of  one-component  user
				principals  whose  password  can  be validated
				with PAM.

			   U	Negates the u privilege.

			   x	Short for specifying  privileges  a,  d,m,c,i,
				and l. The same as *.

			   *	Short  for  specifying	privileges a, d,m,c,i,
				and l. The same as x.

       operation-target	   Optional. When specified, the privileges  apply  to
			   the	principal  when	 it operates on the operation-
			   target. For the operation-target, you can specify a
			   partially  or  fully	 qualified  Kerberos principal
			   name. Each component of the name can be substituted
			   by a wildcard, using the asterisk ( * ) character.

EXAMPLES
       Example 1 Specifying a Standard, Fully Qualified Name

       The following ACL entry specifies a standard, fully qualified name:

	 user/instance@realm adm

       The  operation-mask  applies  only to the user/instance@realm principal
       and specifies that the principal can add, delete, or modify  principals
       and policies, but it cannot change passwords.

       Example 2 Specifying a Standard Fully Qualified Name and Target

       The following ACL entry specifies a standard, fully qualified name:

	 user/instance@realm cim service/instance@realm

       The  operation-mask  applies  only to the user/instance@realm principal
       operating on the service/instance@realm target, and specifies that  the
       principal  can  change the target's password, request information about
       the target, and modify it.

       Example 3 Specifying a Name Using a Wildcard

       The following ACL entry specifies a name using a wildcard:

	 user/*@realm ac

       The operation-mask applies to all principals in realm realm whose first
       component  is user and specifies that the principals can add principals
       and change passwords.

       Example 4 Specifying a Name Using a Wildcard and a Target

       The following ACL entry specifies a name using a wildcard and a target:

	 user/*@realm i */instance@realm

       The operation-mask applies to all principals in realm realm whose first
       component  is  user  and	 specifies  that  the  principals  can perform
       inquiries on principals whose second component is instance and realm is
       realm.

       Example 5 Specifying Incremental Propagation Privileges

       The following ACL entry specifies propagation privileges for the kiprop
       service principal:

	 kiprop/slavehost@realm p

       The operation-mask applies to the  kiprop  service  principal  for  the
       specified  slave host slavehost in realm realm. This specifies that the
       associated kiprop service principal can receive	incremental  principal
       updates.

FILES
       /etc/krb5/kdc.conf    KDC configuration information.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │system/security/kerberos-5   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Committed			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       kpasswd(1),  gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M),
       kdc.conf(4), attributes(5), kerberos(5), pam_krb5_migrate(5)

SunOS 5.11			  26 Apr 2004			  kadm5.acl(4)
[top]

List of man pages available for OpenIndiana

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net