
Re: krbName



On Wed, 30 Jun 1999, Rob Byrne - Sun Microsystems wrote:

> 
> Hi Booker,
> 
> "- IMHO, this is a really bad idea. One of the really nice advantages
> of the current krbName approach is that it effectively gives you a
> convenient "group" or role mechanism. i.e. an ldap DN can have many
> krbNames. Also, there are potential uses for krbName beyond kerberos
> authentication. "
> 
> Could you give some examples of using krbName in the way you describe
> to implement groups or roles?
> 

- Sure, the most common thing that we do is create an ldap entity that
is used in ACLs for restricted data items. For example:

- All of our tac_plus servers use an authenticated ldap lookup to 
make authorization decisions. Rather than create an ldap entity 
for each server, we create a "Reader of attribute X" entity and 
add the appropriate krbNames to this entity. 

- Booker C. Bense