[30843] in Kerberos
Re: Authenticating to LDAP using a HTTP ticket
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Mar 9 21:11:38 2009
To: "Loren M. Lang" <lorenl@alzatex.com>
In-Reply-To: <1236640901.30350.23841.camel@ruth.aloha.tallye.com> (Loren M. Lang's message of "Mon, 09 Mar 2009 16:21:41 -0700")
From: Russ Allbery <rra@stanford.edu>
Date: Mon, 09 Mar 2009 18:10:43 -0700
Message-ID: <87ocwa6v3g.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"Loren M. Lang" <lorenl@alzatex.com> writes:

> Isn't it a feature of Kerberos to be able to limit the powers that one
> delegates using proxiable tickets? If I understand correctly, it should
> be possible to delegate for the server to impersonate you only to the
> LDAP service on host ldap.example.com instead of forwarding your krbtgt.

No, this is not a general feature of Kerberos implementations. It may be
that Active Directory has support for this, however. Active Directory has
some additional delegation control features that are not implemented in
other versions of Kerberos. If so, I don't know whether you need to use
Microsoft's Kerberos implementation on the client for this as well.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
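The Active Directory delegation controls Russ alludes to are constrained delegation: instead of marking an account as trusted for unconstrained delegation (which forwards the caller's TGT), the `msDS-AllowedToDelegateTo` attribute lists the only service principals the account may obtain tickets for on the caller's behalf. The following is an added example, not code from the thread or from either poster, showing how an administrator would audit both forms of delegation and scope a web server's machine account to the single LDAP service from the question. It assumes the ActiveDirectory PowerShell module on a domain-joined admin host; the computer name `WEB01` is a placeholder, and `ldap/ldap.example.com` is the SPN for the host named in the question.

```powershell
# Added example (not from the thread): auditing and scoping Kerberos delegation
# in Active Directory. Assumes the ActiveDirectory module is available and the
# caller can modify the computer account. WEB01 is a placeholder account name.
Import-Module ActiveDirectory

# userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000 = 524288) marks
# unconstrained delegation: any caller's TGT is forwarded to this account.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
function Get-UnconstrainedDelegation {
    Get-ADObject -LDAPFilter '(&(|(objectClass=computer)(objectClass=user))(userAccountControl:1.2.840.113556.1.4.803:=524288))' `
                 -Properties sAMAccountName, objectClass |
        Select-Object sAMAccountName, objectClass
}

# Accounts with constrained delegation, and the services they are limited to.
function Get-ConstrainedDelegation {
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                 -Properties sAMAccountName, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.sAMAccountName
                Services = ($_.'msDS-AllowedToDelegateTo' -join ', ')
            }
        }
}

# Turn off unconstrained delegation on the web server's machine account and
# allow it to impersonate callers only to the LDAP service on ldap.example.com.
function Set-LdapOnlyDelegation {
    param(
        [string]$ComputerName = 'WEB01',                    # placeholder
        [string]$LdapSpn      = 'ldap/ldap.example.com'     # host from the question
    )
    Set-ADComputer -Identity $ComputerName `
                   -TrustedForDelegation $false `
                   -Replace @{ 'msDS-AllowedToDelegateTo' = $LdapSpn }
}

# Typical use: review first, then scope the one account that needs delegation.
Get-UnconstrainedDelegation
Get-ConstrainedDelegation
Set-LdapOnlyDelegation -ComputerName 'WEB01' -LdapSpn 'ldap/ldap.example.com'
Get-ConstrainedDelegation | Where-Object Account -eq 'WEB01$'
```

After the change the web server can request a service ticket to `ldap/ldap.example.com` in the user's name (the S4U2Proxy extension) but to nothing else, and the user's krbtgt never leaves the client. The client still has to present a forwardable service ticket to the web server for S4U2Proxy to succeed, which is the client-side dependency Russ is uncertain about; a periodic run of `Get-UnconstrainedDelegation` is a cheap way to catch accounts that have been left with the broader setting.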
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos