[32280] in Kerberos
Re: URGENT - Kerberos : Authorization
daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Apr 23 20:53:28 2010
From: Russ Allbery <rra@stanford.edu>
To: <jacky.forestier@orange-ftgroup.com>
In-Reply-To: <B2A6809D68602941A1341092939DFCE1E9C504@ftrdmel0.rd.francetelecom.fr>
(jacky forestier's message of "Fri, 23 Apr 2010 15:48:32 +0200")
Date: Fri, 23 Apr 2010 16:59:34 -0700
Message-ID: <87hbn17mah.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
<jacky.forestier@orange-ftgroup.com> writes:
> A question on the Kerberos implementation (Kerb v5-1.6) that we tested
> and are using now in experimental studies: Does this Kerberos version
> allow distinguishing between different users, in terms of granting
> the TGS ticket for a certain service to certain users and refusing
> the TGS ticket grant for other users?
I don't believe there's a mechanism in either MIT Kerberos or Heimdal to
support this particular use case. Kerberos generally assumes that
authorization decisions are handled in the application, not at the level
of issuing tickets.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
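
The reply above places the authorization decision in the application rather than in ticket issuance. As an added example (not part of the original message and not code from MIT Kerberos or Heimdal), this sketch shows a service checking the already-authenticated client principal against its own ACL; the realm names, ACL entries and function names are assumptions made for illustration.

```python
# Constructed ACL: operation -> principals allowed to perform it.
ACL = {
    "read":  {"alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG"},
    "admin": {"alice/admin@EXAMPLE.ORG"},
}

def parse_principal(name):
    """Split 'comp/comp@REALM' into (components, realm).

    A backslash makes the next character literal, so an escaped '@' or '/'
    stays inside a component. Simplified: the other escapes of the krb5
    text form (newline, tab and so on) are not interpreted.
    """
    fields, cur, seen_at, i = [], [], False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            if i + 1 == len(name):
                raise ValueError("dangling backslash")
            cur.append(name[i + 1])
            i += 2
            continue
        if ch == "@":
            if seen_at:
                raise ValueError("more than one unescaped '@'")
            seen_at = True
            fields.append("".join(cur)); cur = []
        elif ch == "/" and not seen_at:
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    realm, comps = "".join(cur), tuple(fields)
    if not seen_at or not realm or not comps or "" in comps:
        raise ValueError("missing realm or empty component")
    return comps, realm

# Parse the ACL once so comparisons are on (components, realm), not raw text.
ACL_PARSED = {op: {parse_principal(p) for p in names} for op, names in ACL.items()}

def authorize(authenticated_name, operation):
    """Deny by default; allow only an exact (components, realm) match."""
    try:
        who = parse_principal(authenticated_name)
    except ValueError:
        return False
    return who in ACL_PARSED.get(operation, set())
```

Matching on the full principal, realm and instance included, keeps `alice@EXAMPLE.ORG`, `alice/admin@EXAMPLE.ORG` and an `alice` from another realm distinct.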