[30826] in Kerberos
Re: Authenticating to LDAP using a HTTP ticket
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sun Mar 8 16:01:26 2009
To: Mikkel Kruse Johnsen <mikkel@linet.dk>
In-Reply-To: <1236506774.3955.19.camel@localhost.localdomain> (Mikkel Kruse
Johnsen's message of "Sun\, 08 Mar 2009 11\:06\:14 +0100")
From: Russ Allbery <rra@stanford.edu>
Date: Sun, 08 Mar 2009 13:00:29 -0700
Message-ID: <87y6vfu6n6.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu

Mikkel Kruse Johnsen <mikkel@linet.dk> writes:

> Firefox: Type "about:config" in the Location bar. Type "nego" in the
> filter and double-click "network.negotiate-auth.delegation-uris" and
> "network.negotiate-auth.trusted-uris" and type in your domain name (in
> my example I have "cbs.dk" in both)

Be aware that doing this will cause your browser to promiscuously send
your credentials to every server in that domain with a valid HTTP/*
principal in your KDC and allow that server to impersonate you to any
other service. This may be what you want to do, but it's worth thinking
carefully about the implications before you do it.

For example, if you're an educational site that allows students to obtain
HTTP/* principals for their own systems, you *don't* want to do this.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
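
An added example, not part of the original message: a Python check that reads Firefox prefs.js text and flags network.negotiate-auth.delegation-uris entries that reach beyond an approved host list, which is the situation the reply above warns about. The prefs text, the example.org hosts and the approved-host set are constructed for illustration, and the check assumes Firefox matches a bare domain entry against every host under that domain.

```python
import re
from urllib.parse import urlsplit

# Matches the two negotiate-auth list prefs as written in a profile's prefs.js.
PREF_RE = re.compile(
    r'user_pref\("(network\.negotiate-auth\.(?:delegation|trusted)-uris)",\s*"([^"]*)"\);'
)

# Constructed sample; "cbs.dk" is the domain-wide value from the quoted message.
CONSTRUCTED_PREFS = '''
user_pref("network.negotiate-auth.trusted-uris", "cbs.dk");
user_pref("network.negotiate-auth.delegation-uris", "cbs.dk, https://sso.example.org, intranet.example.org");
'''

def parse_negotiate_prefs(prefs_text):
    """Return {pref_name: [entries]} for the two comma-separated URI lists."""
    found = {}
    for name, value in PREF_RE.findall(prefs_text):
        found[name] = [e.strip() for e in value.split(",") if e.strip()]
    return found

def entry_host(entry):
    """Split one list entry into (scheme, host); scheme is '' when omitted."""
    parts = urlsplit(entry if "://" in entry else "//" + entry)
    return parts.scheme, (parts.hostname or "").lstrip(".")

def audit_delegation(prefs_text, approved_hosts):
    """Flag delegation entries that are not an approved host or lack https://."""
    findings = []
    prefs = parse_negotiate_prefs(prefs_text)
    for entry in prefs.get("network.negotiate-auth.delegation-uris", []):
        scheme, host = entry_host(entry)
        if host not in approved_hosts:
            # Covers whole-domain entries: every HTTP/* principal under it
            # would receive a forwardable ticket.
            findings.append((entry, "host not approved for delegation"))
        elif scheme != "https":
            findings.append((entry, "no https:// prefix"))
    return findings

if __name__ == "__main__":
    # Hypothetical allowlist of servers that genuinely need delegated tickets.
    approved = {"sso.example.org", "intranet.example.org"}
    for entry, reason in audit_delegation(CONSTRUCTED_PREFS, approved):
        print(f"delegation-uris entry {entry!r}: {reason}")
```
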