[krbdev.mit.edu #5596] patch for providing a way to set the ok-as-delegate flag
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Apr 22 05:29:38 EDT 2009
I've been handed this ticket.
The client side behavior will be handled using GSS_C_DELEG_POLICY_FLAG
as specified in
http://tools.ietf.org/html/draft-lha-gssapi-delegate-policy-04 . Code
from Apple has already been committed to handle the flag, and I am
working on the cross-realm handling now. I don't yet have specific
plans to use the flag in any client program.
That leaves the KDC support. Sam wanted us to use the same user-visible
flag name as the Sandia patch, but I honestly think it will be less
confusing if we remain consistent with the RFC (ok-as-delegate) than if
we use the redundant-seeming "allow-ok-as-delegate" name. What do the
people from Sandia think? Will it be particularly traumatic to switch
to a different name for setting the flag in kadmin?
More information about the krb5-bugs
mailing list