[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Authorizing a principal to use certain services

Diego González <dggonz@gmail.com> writes:

> is it possible to authorize a principal or set of principals to
> access a given service?

Not the way you want. Kerberos is an authentication system, that is it
provides information on who someone is, but not what that person may
or may not do. That is the job of an authorisation system. One simple
example of authorisation is the .k5login file used when logging in,
some filesystems, such as AFS, have more elaborate ways of doing this.

A common API for authorisation system would be welcome, but I don't
know of any.

> diego@LDH.ES can acess imap/ganimedes.ldh.es and
> smtp/ganimedes.ldh.es but not ldap/helios.ldh.es?

This is up to the applications to decide, in this case the ldap
daemon. I don't know if this is possible (without writing code).