[30845] in Kerberos
Re: Authenticating to LDAP using a HTTP ticket
daemon@ATHENA.MIT.EDU (Luke Howard)
Mon Mar 9 22:50:30 2009
Message-Id: <7AA8A304-60B0-4646-902B-422A4325F6B2@padl.com>
From: Luke Howard <lukeh@padl.com>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87ocwa6v3g.fsf@windlord.stanford.edu>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Tue, 10 Mar 2009 13:49:16 +1100
Cc: "Loren M. Lang" <lorenl@alzatex.com>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 10/03/2009, at 12:10 PM, Russ Allbery wrote:
> "Loren M. Lang" <lorenl@alzatex.com> writes:
>
>> Isn't it a feature of Kerberos to be able to limit the powers that one
>> delegates using proxiable tickets? If I understand correctly, it should
>> be possible to delegate for the server to impersonate you only to the
>> LDAP service on host ldap.example.com instead of forwarding your
>> krbtgt.
>
> No, this is not a general feature of Kerberos implementations. It may be
> that Active Directory has support for this, however. Active Directory has
> some additional delegation control features that are not implemented in
> other versions of Kerberos. I don't know if you need to use Microsoft's
> Kerberos implementation on the client for this as well, if so.
W2K3 and above KDCs implement constrained delegation. The client and
penultimate service need not change. The middle-tier services need
library support for constrained delegation; I think only Windows has
this (possibly Heimdal, but then I'm not sure whether it is exposed to
GSS-API).
-- Luke
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos