We have roughly 70,000 principals in our KDC (MIT 1.4), including ~8,000 employees. These employees belong to multiple departments/schools across the University. We are looking to give access to the appropriate admins from certain departments to change the password for their subset of users. This may mean that one admin should be able to change passwords for 30 principals, another for 400 principals, etc., while our central IT should continue to be able to change all 70,000.
The central case is easy, of course, using admin principals and ACLs of the form "*/[EMAIL PROTECTED] *". There seem to be two approaches to give out access the way we want:

1) A custom application (web) using an "all access" */admin principal to talk to the KDC. The app controls individual access internally (perhaps using LDAP).

2) Generate a rather complex ACL file as part of our regular user provisioning, explicitly listing each admin principal and all the principals it has access to.

I prefer keeping access control as close to the KDC as possible (#2), but would having such a large ACL file cause a performance hit (or other negative impact)?

Any feedback is appreciated - thank you,

-Matt

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
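Option #2 as an added example, not part of the original post: a small Python script that renders the kind of kadm5.acl a provisioning job would emit (one wildcard line preserving central IT's access, one change-password line per admin/user pair) and then checks, against that text, who may change whose password. The realm EXAMPLE.EDU, the principal names, and the per-component wildcard matching and first-match evaluation are assumptions approximating kadmind's behaviour, not taken from the post or from MIT's code.

```python
import fnmatch

REALM = "EXAMPLE.EDU"  # constructed realm, not the poster's

def gen_kadm5_acl(delegations, realm=REALM):
    """Render kadm5.acl text: one wildcard entry keeping central IT's full
    access, then one 'c' (change-password) entry per admin/user pair. Delegated
    admins get the assumed instance 'pwadmin' so the */admin line never matches."""
    lines = [f"*/admin@{realm} *"]
    for admin, users in sorted(delegations.items()):
        assert not admin.endswith("/admin"), "would be matched by the */admin line"
        for user in sorted(users):
            lines.append(f"{admin}@{realm} c {user}@{realm}")
    return "\n".join(lines) + "\n"

def principal_matches(pattern, principal):
    """Approximation of kadmind's matching: '*' and '?' wildcards apply per
    principal component, and to the realm, separately."""
    if "@" not in pattern or "@" not in principal:
        return False
    pat_name, pat_realm = pattern.rsplit("@", 1)
    name, realm = principal.rsplit("@", 1)
    pat_comps, comps = pat_name.split("/"), name.split("/")
    if len(pat_comps) != len(comps):
        return False
    return fnmatch.fnmatchcase(realm, pat_realm) and all(
        fnmatch.fnmatchcase(c, p) for c, p in zip(comps, pat_comps))

def can_change_password(acl_text, admin, target):
    """Top-to-bottom scan; the first entry whose principal and optional target
    both match decides (first-match assumed). True if it grants 'c', 'x' or '*'."""
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        who, perms = fields[0], fields[1]
        tgt = fields[2] if len(fields) > 2 else "*"
        if principal_matches(who, admin) and (
                tgt == "*" or principal_matches(tgt, target)):
            return bool(set(perms) & set("cx*"))
    return False

if __name__ == "__main__":
    # Constructed sample delegation: two departments, three users.
    acl = gen_kadm5_acl({"eng/pwadmin": ["alice", "bob"], "law/pwadmin": ["carol"]})
    print(acl, can_change_password(acl, "eng/pwadmin@EXAMPLE.EDU", "carol@EXAMPLE.EDU"))
```

With 8,000 users the generated file has roughly one line per (admin, user) pair plus the wildcard line, so the script also gives a quick way to measure how large the file really gets before it is deployed.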
