ACL for Constrained Delegation?

Rick van Rein rick at openfortress.nl
Thu Feb 20 18:05:21 EST 2014


Hi Simo,

> In the default case you generally allow all in these situations.

You mean, you’d like to be able to add the ACL class, no further attributes, and then let everyone in?  Why then mention the ACL, I wonder.

The rest of the ACL design says “…and if none of the rules match, then the answer is NO” and the exception for “unless there is no ACL rule, then it is YES” is an inconsistency in the structure.  Such flipping points are usually where error and dismay are born.

> This compromise comes from the fact that there is no real grouping
> mechanism in the KDC nor a way to express the concept of "all", a regex
> would not really do it unless you are thinking of ".*"

I was thinking of that regex, yes, but didn’t know what syntax to write down :)  It’d be a group named ALL, in your example.

> We could change the code so that you have to add the literal "ALL"
> maybe, I am not opposed, and could easily migrate FreeIPA users to that
> syntax.

That last bit is impressive :)

-Rick
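The two rule semantics the thread argues about, side by side, as an added illustration that is not part of the message or of any KDC code: one evaluator treats "no ACL entry at all" as an implicit YES (the flipping point Rick objects to), the other is consistently default-deny and requires the literal `ALL` that Simo proposes. The ACL layout, principal names and the `ALL` token are constructed assumptions for the example, not the FreeIPA or MIT KDC representation.

```python
"""Toy evaluator for a constrained-delegation ACL (constructed example, not
KDC code). An ACL maps a service principal to the list of target principals
it may obtain tickets for on behalf of a user; the literal ALL stands in for
the proposed "group named ALL" / ".*" syntax."""

from typing import Iterable, Mapping, Sequence

ALL = "ALL"  # assumed literal meaning "every target"

# Constructed ACL. The legacy service has an entry that is present but empty.
CONSTRUCTED_ACL: Mapping[str, Sequence[str]] = {
    "HTTP/web.example.com@EXAMPLE.COM": ["ldap/dc.example.com@EXAMPLE.COM"],
    "cifs/files.example.com@EXAMPLE.COM": [ALL],
    "HTTP/legacy.example.com@EXAMPLE.COM": [],
}


def target_matches(pattern: str, target: str) -> bool:
    """A rule entry matches its target by exact name or via the ALL token."""
    return pattern == ALL or pattern == target


def allowed_implicit(acl: Mapping[str, Sequence[str]], service: str, target: str) -> bool:
    """Semantics with the inconsistency: rules are default-deny, but a service
    that has no ACL entry at all is allowed everything."""
    if service not in acl:
        return True  # the "flipping point": absence of a rule flips NO into YES
    return any(target_matches(p, target) for p in acl[service])


def allowed_explicit(acl: Mapping[str, Sequence[str]], service: str, target: str) -> bool:
    """Consistent semantics: if no rule matches, the answer is NO. An
    'allow everything' policy has to be written down as the literal ALL."""
    return any(target_matches(p, target) for p in acl.get(service, ()))


def services_relying_on_implicit_allow(acl: Mapping[str, Sequence[str]],
                                       known_services: Iterable[str]) -> list:
    """Audit helper: which deployed services have no ACL entry and would be
    silently granted unrestricted delegation under the implicit semantics?
    These are the entries an admin would have to rewrite as [ALL] (or
    restrict) before switching to the explicit semantics."""
    return sorted(s for s in known_services if s not in acl)


if __name__ == "__main__":
    svc = "HTTP/unlisted.example.com@EXAMPLE.COM"
    tgt = "ldap/dc.example.com@EXAMPLE.COM"
    print("implicit:", allowed_implicit(CONSTRUCTED_ACL, svc, tgt))
    print("explicit:", allowed_explicit(CONSTRUCTED_ACL, svc, tgt))
    print("unlisted:", services_relying_on_implicit_allow(
        CONSTRUCTED_ACL, list(CONSTRUCTED_ACL) + [svc]))
```

The audit helper is the practical part of the migration Simo mentions: under the explicit semantics every service that previously had no entry loses delegation rights, so listing those services first is what makes the switch to a literal `ALL` safe.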


More information about the Kerberos mailing list