On Wed, 30 Jun 1999, Rob Byrne - Sun Microsystems wrote:
> Hi Booker,
> "- IMHO, this is a really bad idea. One of the really nice advantages
> of the current krbName approach is that it effectively gives you a
> convenient "group" or role mechanism. i.e. an ldap DN can have many
> krbNames. Also, there are potential uses for krbName beyond kerberos
> authentication. "
> Could you give some examples of using krbName in the way you describe
> to implement groups or roles?
- Sure, the most common thing that we do is create an ldap entity that
is used in ACLs for restricted data items. For example:
- All of our tac_plus servers use an authenticated ldap lookup to
make authorization decisions. Rather than create an ldap entity
for each server, we create a "Reader of attribute X" entity and
add the appropriate krbNames to this entity.
- Booker C. Bense
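
The role pattern described in this message, sketched as an added example that is not part of the original post: a toy in-memory model in which several Kerberos principals are listed as krbName values on one "Reader of attribute X" entry and the ACL names only that entry. All DNs, principals, attribute names and function names are assumptions made for the illustration, and refusing a principal that appears under more than one entry is a choice of this example.

```python
# Toy in-memory model (added example): not a real LDAP server or client API.
# Every DN, principal and attribute name below is constructed.
ROLE_DN = "cn=Reader of attribute X,ou=roles,dc=example,dc=org"
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"

DIRECTORY = {
    ROLE_DN: {"krbName": ["tacplus/srv1.example.org@EXAMPLE.ORG",
                          "tacplus/srv2.example.org@EXAMPLE.ORG"]},
    ALICE_DN: {"krbName": ["alice@EXAMPLE.ORG"],
               "cn": ["Alice"],
               "attributeX": ["restricted value"]},
}

# attribute -> DNs allowed to read it; "*" means any successfully bound DN
ACL = {"attributeX": {ROLE_DN}, "cn": {"*"}}


def bind_dn_for(principal, directory=DIRECTORY):
    """Return the DN whose krbName lists this principal, or None.

    Principals are compared exactly (Kerberos names are case-sensitive).
    A principal listed under more than one entry is refused; that is a
    choice made for this example, not behaviour taken from the thread.
    """
    matches = [dn for dn, attrs in directory.items()
               if principal in attrs.get("krbName", [])]
    return matches[0] if len(matches) == 1 else None


def read_attr(principal, target_dn, attr, directory=DIRECTORY, acl=ACL):
    """Return the attribute values if the bound DN may read them, else None."""
    bound = bind_dn_for(principal, directory)
    if bound is None:
        return None                      # unmapped or ambiguous principal
    allowed = acl.get(attr, set())       # attributes with no ACL are denied
    if "*" not in allowed and bound not in allowed:
        return None
    return directory.get(target_dn, {}).get(attr)


if __name__ == "__main__":
    for p in ("tacplus/srv1.example.org@EXAMPLE.ORG", "alice@EXAMPLE.ORG",
              "mallory@EXAMPLE.ORG"):
        print(p, "->", bind_dn_for(p), read_attr(p, ALICE_DN, "attributeX"))
```

Adding or retiring a server in this model means editing one krbName value on the role entry; the ACL itself never changes.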