[19055] in Kerberos
Re: Manageability of larger networks
daemon@ATHENA.MIT.EDU (Turbo Fredriksson)
Sun Apr 13 08:16:43 2003
To: kerberos@mit.edu
From: Turbo Fredriksson <turbo@bayour.com>
Date: 13 Apr 2003 14:15:15 +0200
In-Reply-To: <3E994E8A.9000405@jamba.net>
Message-ID: <87n0iuiofg.fsf@papadoc.bayour.com>
Quoting Andreas Heilwagen <andreas.heilwagen@jamba.net>:
> The ideal solution from my point of view would be to
> use expressions like */portaladmin@<MYREALM>
> to authorize a group of trusted users to administrate
> the java application servers.
It's been discussed before. Kerberos is an AUTHENTICATION
system, not an AUTHORIZATION system. For authorization,
use LDAP (my personal favorite).
> What concept is usually used to manage separate
> user groups in the Kerberos world?
You don't. You have principals. (dot, end, no more, ende
etc).
For saying 'user/application x has access to y', use
LDAP.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos