Right my sysadmin team is working on automating the creation of user accounts for the new students at my university. The basic idea right now is to have a principal called adduser that can authenticate to our kerberos server, and has the ability to add new principals to the database (after verifying that the user is actually enrolled at the school).
My worry is that nothing would really stop this principal from adding new administrative users, which is definitely not what we want. Ideally, I would want to set up the kadm5.acl so that the adduser principal is only capable of adding non-admins to our database. In short, I want it to be able to do this: kadmin: addprinc jane@EXAMPLE.COM, but return an error if it tries to do this: kadmin: addprinc john/admin@EXAMPLE.COM.
Based on the documentation for the target_principal option, I'm assuming that I can't do this:
# may add a principal that has no "/" in its name:
adduser a [^/]* -clearpolicy
I'm sure I can acheive the same thing by making sure the input is well-sanitized before it's ever sent to the server. But I thought I'd ask if anyone has an idea for a more "formal" way I can set this rule on kerberos's end?
