On Tue, Mar 13, 2012 at 1:59 PM, Tiago Elvas <[email protected]> wrote:
> The domain will be made of several machines, which will be running dedicated
> applications.
>
> These applications will be operated by persons. So, for several of these
> apps, we'll have profiles such as admin or user. So, in LDAP we'd have
> different profiles for the admin user for each application. The same
> "Operator" can have admin profile on one app and user profile on another
> one. That's why the need to identify principals like this, I guess...

I'm still confused by what you mean by LDAP profile. Can you post some example LDAP entries, and some reference for the schema that you're using?

If by LDAP profile you mean user account in the POSIX/RFC2307bis sense, then I think I understand exactly what you want to do, else I don't yet understand :)

In any case, from the sounds of it it seems that you want to treat foo/clientA.fqdn as distinct from foo/clientB.fqdn for the purposes of _authorization_. I.e., you want foo/clientA to have access to some resources that foo/clientB doesn't have access to and vice-versa.

Nico
--
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
