kadm5.acl(4)
NAME
kadm5.acl - Kerberos access control list (ACL) file
SYNOPSIS
/etc/krb5/kadm5.acl
DESCRIPTION
The ACL file is used by the kadmind(1M) command to determine
which principals are allowed to perform Kerberos administra-
tion actions. For operations that affect principals, the
ACL file also controls which principals can operate on which
other principals. The location of the ACL file is determined
by the acl_file configuration variable in the kdc.conf(4)
file. The default location is /etc/krb5/kadm5.acl.
The ACL file can contain comment lines, null lines, or lines
that contain ACL entries. Comment lines start with the pound
sign (#) and continue until the end of the line.
The order of entries is significant. The first matching
entry specifies the principal on which the control access
applies, whether it is on just the principal or on the prin-
cipal when it operates on a target principal.
Lines containing ACL entries must have the following format:
principal operation-mask [operation-target]
principal
Specifies the principal on which the operation-mask
applies. Can specify either a partially or fully qual-
ified Kerberos principal name. Each component of the
name can be substituted with a wildcard, using the
asterisk ( * ) character.
operation-mask
Specifies what operations can or cannot be performed
by a principal matching a particular entry. Specify
operation-mask as one or more privileges.
A privilege is a string of one or more of the follow-
ing characters: a, A, c, C, d, D, i, I, l, L, m, M, x,
or *. Generally, if the character is lowercase, the
privilege is allowed and if the character is upper-
case, the operation is disallowed. The x and * charac-
ters are exceptions to the uppercase convention.
The following privileges are supported:
a Allows the addition of principals or policies in
the database.
A Disallows the addition of principals or policies
in the database.
c Allows the changing of passwords for principals
in the database.
C Disallows the changing of passwords for princi-
pals in the database.
d Allows the deletion of principals or policies in
the database.
D Disallows the deletion of principals or policies
in the database.
i Allows inquiries to the database.
I Disallows inquiries to the database.
l Allows the listing of principals or policies in
the database.
L Disallows the listing of principals or policies
in the database.
m Allows the modification of principals or poli-
cies in the database.
M Disallows the modification of principals or pol-
icies in the database.
x Short for specifying privileges a, d,m,c,i, and
l. The same as *.
* Short for specifying privileges a, d,m,c,i, and
l. The same as x.
operation-target
Optional. When specified, the privileges apply to the
principal when it operates on the operation-target.
For the operation-target, you can specify a partially
or fully qualified Kerberos principal name. Each com-
ponent of the name can be substituted by a wildcard,
using the asterisk ( * ) character.
EXAMPLES
Example 1: Specifying a Standard, Fully Qualified Name
The following ACL entry specifies a standard, fully quali-
fied name:
user/instance@realm adm
The operation-mask applies only to the user/instance@realm
principal and specifies that the principal can add, delete,
or modify principals and policies, but it cannot change
passwords.
Example 2: Specifying a Standard Fully Qualified Name and
Target
The following ACL entry specifies a standard, fully quali-
fied name:
user/instance@realm cim service/instance@realm
The operation-mask applies only to the user/instance@realm
principal operating on the service/instance@realm target,
and specifies that the principal can change the target's
password, request information about the target, and modify
it.
Example 3: Specifying a Name Using a Wildcard
The following ACL entry specifies a name using a wildcard:
user/*@realm ac
The operation-mask applies to all principals in realm realm
whose first component is user and specifies that the princi-
pals can add principals and change passwords.
Example 4: Specifying a Name Using a Wildcard and a Target
The following ACL entry specifies a name using a wildcard
and a target:
user/*@realm i */instance@realm
The operation-mask applies to all principals in realm realm
whose first component is user and specifies that the princi-
pals can perform inquiries on principals whose second com-
ponent is instance and realm is realm.
FILES
/etc/krb5/kdc.conf
KDC configuration information.
SEE ALSO
kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M),
kdb5_util(1M), kdc.conf(4), SEAM(5)
Man(1) output converted with
man2html