
Re: S4U2self/S4U2Proxy question

daemon@ATHENA.MIT.EDU (Rick van Rein)
Sun Apr 5 12:48:38 2015

Message-ID: <55214126.4060108@openfortress.nl>
Date: Sun, 05 Apr 2015 16:05:26 +0200
From: Rick van Rein <rick@openfortress.nl>
MIME-Version: 1.0
To: Praveen Pattanshetti <praveen.pattanshetti.pp@gmail.com>
In-Reply-To: <CABeEy069jkMFTDoaNJJem1PYDcc15=MDnV8R=g8JftAGdUgMRQ@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello Praveen,

The following information says it is expired,
http://k5wiki.kerberos.org/wiki/Projects/Services4User
and points to,
http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation
which states "This project was completed in release 1.8."

Further below, it says:
    "We provide a CHECK_ALLOWED_TO_DELEGATE db_invoke callback for the
    LDAP backend that authorizes that target service against the
    krbAllowedToDelegateTo attribute. There is no support for administrating
    this attribute via kadmin, or for the DB2 backend."

So you should opt for the backend option you didn't mention :) not AD or
DB2, but LDAP, which generally is the most flexible one (but a bit of a
drama to set up IMHO).

I also know that FreeIPA has a variation on this scheme, but I don't
know the details on that.

-Rick

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
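Since the wiki text quoted above says kadmin cannot manage krbAllowedToDelegateTo, the attribute has to be set directly in the directory. The LDIF below is an added example, not part of the original message or of MIT Kerberos itself; the realm EXAMPLE.COM, the base DN dc=example,dc=com with the default cn=krbContainer layout, and the HTTP/cifs/ldap principal names are all constructed for illustration.

```ldif
# Constructed example: allow the front-end service HTTP/web.example.com
# to obtain S4U2Proxy service tickets only for the two back-end services
# listed. The KDC's CHECK_ALLOWED_TO_DELEGATE callback compares the
# requested target service against these values; a target not listed
# here is refused, which is what keeps the delegation "constrained".
# Assumed DN layout: principals live under cn=<REALM>,cn=krbContainer,<base>.
dn: krbPrincipalName=HTTP/web.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
changetype: modify
add: krbAllowedToDelegateTo
krbAllowedToDelegateTo: cifs/files.example.com@EXAMPLE.COM
krbAllowedToDelegateTo: ldap/dir.example.com@EXAMPLE.COM
```

Apply it with ldapmodify as the KDC's directory administrator and confirm the result with an ldapsearch on the same entry for krbAllowedToDelegateTo; reviewing that attribute across all service principals is also the quickest way to audit which services are permitted to impersonate users towards which back-ends.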