
Re: Authorizing a principal to use certain services



Diego González <dggonz@gmail.com> writes:

> is it possible to authorize a principal or set of principals to
> access a given service?

Not the way you want. Kerberos is an authentication system, that is, it
provides information on who someone is, but not what that person may
or may not do. That is the job of an authorisation system. One simple
example of authorisation is the .k5login file used when logging in;
some filesystems, such as AFS, have more elaborate ways of doing this.

A common API for authorisation systems would be welcome, but I don't
know of any.

> diego@LDH.ES can access imap/ganimedes.ldh.es and
> smtp/ganimedes.ldh.es but not ldap/helios.ldh.es?

This is up to the applications to decide, in this case the ldap
daemon. I don't know if this is possible (without writing code).

/Johan
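
An added illustration, not part of the original message and not code from any Kerberos implementation: the kind of check an application has to make itself once Kerberos has authenticated the client, here a .k5login-style allow list (one principal per line) kept per service. The ACL contents, the function names and the principals `mailadmin@LDH.ES` and `ldapadmin@LDH.ES` are assumptions constructed for the example.

```python
# Authorisation done by the application, after Kerberos has already
# authenticated the client and handed over its principal name.
# All ACL data below is constructed sample input.

SERVICE_ACLS = {
    # service principal -> allow list in .k5login style (one principal per line)
    "imap/ganimedes.ldh.es": "diego@LDH.ES\n",
    "smtp/ganimedes.ldh.es": "diego@LDH.ES\n\nmailadmin@LDH.ES\n",
    "ldap/helios.ldh.es": "ldapadmin@LDH.ES\n",
}


def parse_acl(text):
    """Return the set of principals in an allow list, skipping blank lines."""
    principals = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            principals.add(line)
    return principals


def is_authorized(client_principal, service, acls=SERVICE_ACLS):
    """Decide whether an authenticated principal may use a service.

    The match is exact: principal names and realms are case-sensitive,
    so diego@ldh.es is a different identity from diego@LDH.ES.
    A service with no allow list at all is denied by default.
    """
    acl_text = acls.get(service)
    if acl_text is None:
        return False
    return client_principal in parse_acl(acl_text)


if __name__ == "__main__":
    for svc in sorted(SERVICE_ACLS):
        verdict = "allow" if is_authorized("diego@LDH.ES", svc) else "deny"
        print(f"diego@LDH.ES -> {svc}: {verdict}")
```
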