kadm5.acl(4)

NAME

     kadm5.acl - Kerberos access control list (ACL) file

SYNOPSIS

     /etc/krb5/kadm5.acl

DESCRIPTION

     The ACL file is used by the kadmind(1M) command to determine
     which principals are allowed to perform Kerberos administra-
     tion actions.  For operations that  affect  principals,  the
     ACL file also controls which principals can operate on which
     other principals. The location of the ACL file is determined
     by  the  acl_file  configuration variable in the kdc.conf(4)
     file. The default location is /etc/krb5/kadm5.acl.

     The ACL file can contain comment lines, null lines, or lines
     that contain ACL entries. Comment lines start with the pound
     sign (#) and continue until the end of the line.

     The order of entries  is  significant.  The  first  matching
     entry  specifies  the  principal on which the control access
     applies, whether it is on just the principal or on the prin-
     cipal when it operates on a target principal.

     Lines containing ACL entries must have the following format:

     principal operation-mask [operation-target]

     principal
           Specifies the principal on  which  the  operation-mask
           applies. Can specify either a partially or fully qual-
           ified Kerberos principal name. Each component  of  the
           name  can  be  substituted  with a wildcard, using the
           asterisk ( * ) character.

     operation-mask
           Specifies what operations can or cannot  be  performed
           by  a  principal  matching a particular entry. Specify
           operation-mask as one or more privileges.

           A privilege is a string of one or more of the  follow-
           ing characters: a, A, c, C, d, D, i, I, l, L, m, M, x,
           or *. Generally, if the character  is  lowercase,  the
           privilege  is  allowed  and if the character is upper-
           case, the operation is disallowed. The x and * charac-
           ters are exceptions to the uppercase convention.

           The following privileges are supported:

           a     Allows the addition of principals or policies in
                 the database.

           A     Disallows the addition of principals or policies
                 in the database.

           c     Allows the changing of passwords for  principals
                 in the database.

           C     Disallows the changing of passwords for  princi-
                 pals in the database.

           d     Allows the deletion of principals or policies in
                 the database.

           D     Disallows the deletion of principals or policies
                 in the database.

           i     Allows inquiries to the database.

           I     Disallows inquiries to the database.

           l     Allows the listing of principals or policies  in
                 the database.

           L     Disallows the listing of principals or  policies
                 in the database.

           m     Allows the modification of principals  or  poli-
                 cies in the database.

           M     Disallows the modification of principals or pol-
                 icies in the database.

           x     Short for specifying privileges a, d,m,c,i,  and
                 l. The same as *.

           *     Short for specifying privileges a, d,m,c,i,  and
                 l. The same as x.

     operation-target
           Optional. When specified, the privileges apply to  the
           principal  when  it  operates on the operation-target.
           For the operation-target, you can specify a  partially
           or  fully qualified Kerberos principal name. Each com-
           ponent of the name can be substituted by  a  wildcard,
           using the asterisk ( * ) character.

EXAMPLES

     Example 1: Specifying a Standard, Fully Qualified Name

     The following ACL entry specifies a standard,  fully  quali-
     fied name:

     user/instance@realm adm

     The operation-mask applies only to  the  user/instance@realm
     principal  and specifies that the principal can add, delete,
     or modify principals and  policies,  but  it  cannot  change
     passwords.

     Example 2: Specifying a Standard Fully  Qualified  Name  and
     Target

     The following ACL entry specifies a standard,  fully  quali-
     fied name:

     user/instance@realm cim service/instance@realm

     The operation-mask applies only to  the  user/instance@realm
     principal  operating  on  the service/instance@realm target,
     and specifies that the principal  can  change  the  target's
     password,  request  information about the target, and modify
     it.

     Example 3: Specifying a Name Using a Wildcard

     The following ACL entry specifies a name using a wildcard:

     user/*@realm ac

     The operation-mask applies to all principals in realm  realm
     whose first component is user and specifies that the princi-
     pals can add principals and change passwords.

     Example 4: Specifying a Name Using a Wildcard and a Target

     The following ACL entry specifies a name  using  a  wildcard
     and a target:

     user/*@realm i */instance@realm

     The operation-mask applies to all principals in realm  realm
     whose first component is user and specifies that the princi-
     pals can perform inquiries on principals whose  second  com-
     ponent is instance and realm is realm.

FILES

     /etc/krb5/kdc.conf
           KDC configuration information.

SEE ALSO

     kpasswd(1),  gkadmin(1M),   kadmind(1M),   kadmin.local(1M),
     kdb5_util(1M), kdc.conf(4), SEAM(5)
Man(1) output converted with man2html