[19054] in Kerberos
Manageability of larger networks
daemon@ATHENA.MIT.EDU (Andreas Heilwwagen)
Sun Apr 13 06:49:18 2003
Message-ID: <3E994E8A.9000405@jamba.net>
Date: Sun, 13 Apr 2003 12:48:26 +0100
From: Andreas Heilwwagen <andreas.heilwagen@jamba.net>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Reply-To: andreas.heilwagen@acm.org
Errors-To: kerberos-bounces@mit.edu

Hello,

I've been diving into the LDAPv3 / Kerberos V world for a
week now and there is one question on this list from
10/18/2002 without an answer which is very interesting
to me:

How am I supposed to manage a large number of
machines with lots of application-specific accounts
where I would like to authorize users to services using a
group/role concept?

Background: I have 80 physical users, 10 roles, >20
linux and solaris servers and about 12 application
users. The whole system is a highly available apache /
weblogic / oracle architecture.

The ideal solution from my point of view would be to
use expressions like */portaladmin@<MYREALM>
to authorize a group of trusted users to administrate
the java application servers.

The final list of kerberized applications should
include openssh, apache, cvs and some others
using LDAP backed by Kerberos.

Otherwise I would have to introduce 20x12x<n> entries
to .k5login or .k5users files.

What concept is usually used to manage separate
user groups in the Kerberos world?

Looking forward,

Andreas
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos