author | Ben Kaduk <kaduk@mit.edu> | 2014-06-13 14:59:39 -0400 |
---|---|---|
committer | Ben Kaduk <kaduk@mit.edu> | 2014-06-16 15:43:10 -0400 |
commit | 70b2ba4852913ceb2bdc9a57edd487da8230f813 (patch) | |
tree | c5f77d0345119d407381cb949e410287cd49b130 /src/kdc/main.c | |
parent | 823bad7f3f314647feb14284bc36fa231c9c7875 (diff) | |

Update the kadm5.acl example

Make the example and documentation a closer match to reality.
In particular, the list permission is all-or-nothing; it is not
restricted in scope by the target_principal field. Change the
table entry to try and indicate this fact, and do not put list
permissions on any example line that is scoped by a target_principal
pattern.

While here, remove the nonsensical granting of global inquire
permissions to */* (inaccurately described as "all principals"),
and the granting of privileges to foreign-realm principals.
It is not possible to obtain an initial ticket (as required by
the kadmin service) for a principal in a different realm, and
the current kadmind implementation can serve only a single realm
at a time -- this permission literally has no effect. Replace
it with a (presumably automated) "Service Management System"
example, where it might make sense to limit the principals which
are automatically created.

ticket: 7939

Diffstat (limited to 'src/kdc/main.c')
0 files changed, 0 insertions, 0 deletions
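
The list-permission point in the commit message above, as an added example that is not part of the krb5 commit or code base: a small check that flags kadm5.acl lines granting list alongside a target_principal pattern. The sample ACL, the EXAMPLE.COM realm and the function names are constructed for illustration; permission letters are assumed to apply left to right, with uppercase denying, as in the kadm5.acl documentation.

```python
# Added example (not krb5 project code). Flags kadm5.acl entries that grant
# list permission while naming a target_principal pattern: list is not scoped
# by that field, so the pattern gives a false impression of restriction.

def grants_list(perms):
    """Apply permission letters left to right; track only the list bit."""
    allowed = False
    for ch in perms:
        if ch in "lx*":      # l = list; x and * are shorthands that include it
            allowed = True
        elif ch in "LX":     # uppercase letters deny the permission
            allowed = False
    return allowed

def unscoped_list_grants(acl_text):
    """Return (line number, principal, target) for each misleading entry."""
    findings = []
    for lineno, raw in enumerate(acl_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or whole-line comment
        fields = line.split()
        if len(fields) < 3:
            continue                      # no target_principal field
        principal, perms, target = fields[:3]
        if target != "*" and grants_list(perms):
            findings.append((lineno, principal, target))
    return findings

# Constructed sample input; not taken from the commit.
SAMPLE_ACL = """\
# constructed sample, realm EXAMPLE.COM
*/admin@EXAMPLE.COM     *
joeadmin/*@EXAMPLE.COM  il  */root@EXAMPLE.COM
*/root@EXAMPLE.COM      l   *
helpdesk@EXAMPLE.COM    *L  */user@EXAMPLE.COM
sms@EXAMPLE.COM         x   * -maxlife 9h -postdateable
"""

if __name__ == "__main__":
    for lineno, principal, target in unscoped_list_grants(SAMPLE_ACL):
        print(f"line {lineno}: {principal} can list every principal, "
              f"not only {target}")
```

Only the joeadmin/* entry is reported: it pairs `l` with a `*/root` target, while the helpdesk entry removes list again with `L` and the remaining entries either have no target or use `*`.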