[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kadmin ACL question

"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:

> In AFS a user can do a a kas examine to look at his own principal. In
> particular he can see what his password expiration time is.
> It would appear that the equivalent Kerberos 5 command is kadmin
> get. Is there an ACL entry that would match all principals with null
> instances (ordinary users) and allow them to do a get operation, but
> only on themselves, not anyone else?

The only implicit right a user have is the ability to change its own
password (but with the password quality check). All other rights must be
given to the user.

Many people seems to have diffrent ideas what policies should look like, I
don't know how to please everyone execpt by calling out to external
program/shared object in _kadm5_acl_check_permission() and have that do the

> Is the answer to the above perchance different for MIT?

It doesn't look that way, but I might very well be wrong, I just tried to
decipher their rpc stubs.


PGP signature