HP (Hewlett-Packard) E0905 Server User Manual


 
Administering the Kerberos Server
The admin_acl_file File
Chapter 8, page 116
To grant the principal rabbit@FINANCE.BAMBI.COM the permission to
add, list, and inquire about any principal in the database, add the
following entry to admin_acl_file:
rabbit@FINANCE.BAMBI.COM ali
Adding Entries to admin_acl_file
You can add any principal name to admin_acl_file with or without
administrative permissions.
To add a principal with assigned permissions, select the Principal
Information window>Attribute tab in the HP Kerberos
Administrator. For more information, see “Administrative Permissions”
on page 189.
Consider the following guidelines before deciding which principal names
to add to admin_acl_file:
• A primary security server must contain only one admin_acl_file.
  This file contains all the realms supported by the primary security
  server.
• Any principal name that you add to admin_acl_file must be
  adequately protected, because only trusted administrative principals
  must be able to alter the principal account using the remote
  administration tool.
• Principals in admin_acl_file that have assigned permissions can
  log on to the administrative tools and become administrative
  principals.
The r, R, or Rr modifiers, when used with the a or A permission, restrict
the principal names that you can add to the database. For instance,
principals assigned the IARiar permissions cannot add a new principal
whose name (identifier/instance@REALM) is already included in
admin_acl_file. To take advantage of this restriction, consider which
names you may want to add to admin_acl_file.
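
The following audit script is an added example, not part of the HP manual or of HP's tools. It parses admin_acl_file text, lists the principals that hold permissions (and can therefore become administrative principals), and flags any entry that has the a or A permission without an r or R modifier. It assumes one entry per line in the form shown above (principal name, whitespace, optional permission letters); the principals thumper and flower are constructed sample data.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "principal realm perms")

# Constructed sample; only the rabbit entry and the IARiar string come from the manual.
SAMPLE_ACL = """\
rabbit@FINANCE.BAMBI.COM ali
thumper@FINANCE.BAMBI.COM IARiar

flower@FINANCE.BAMBI.COM
"""

def parse_acl(text):
    """Parse admin_acl_file text (assumed layout: one entry per line)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        principal = fields[0]
        # Permission letters are optional: a name may be listed without any.
        perms = fields[1] if len(fields) > 1 else ""
        realm = principal.rpartition("@")[2] if "@" in principal else ""
        entries.append(Entry(principal, realm, perms))
    return entries

def audit(entries):
    """Summarise who can administer and who can add principals unrestricted."""
    admins, unrestricted_add, realms = [], [], set()
    for e in entries:
        realms.add(e.realm)
        if e.perms:
            # Any assigned permission lets the principal log on to the admin tools.
            admins.append(e.principal)
        can_add = "a" in e.perms or "A" in e.perms
        restricted = "r" in e.perms or "R" in e.perms
        if can_add and not restricted:
            unrestricted_add.append(e.principal)
    return {"admins": admins,
            "unrestricted_add": unrestricted_add,
            "realms": sorted(realms)}

if __name__ == "__main__":
    report = audit(parse_acl(SAMPLE_ACL))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a copy of the file from the primary security server and review every name under unrestricted_add before granting or keeping the add permission.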