Proxiable tickets

Frank Taylor google at lieder.me.uk
Tue Dec 16 09:57:45 EST 2003


All,

I am building an application that uses Kerberos internally to
authenticate usage of back end resources. In a move to improve
internal auditing I'd like to use proxy tickets to handle delegation
of rights from a user to an intermediary service. Specifically I'd
like to delegate LDAP access to a web application for a user.

The plan is that the user's agent will generate a proxiable LDAP
ticket that it hands to the web application. The web application
(implemented in J2EE using JSPs and EJBs) will then generate the
required authenticators to connect to LDAP when required.

Whilst I believe this is how it should work in theory, I am lost as to
how to implement this in practice. Specifically, I am not sure exactly
what should be passed from the client to the web application...
rfc1510 talks about passing the "proxy", but does not define what this
is. Is it the TGS REPLY, or is it the underlying ticket?

Has anyone done anything like this? The Kerberos FAQ says that
proxiable tickets are not often used.

Can anyone point me towards information on programming for proxiable
tickets?

I am using jKrb5 (the java-kerberos library) to prototype the
interactions.

Is there a better solution?

Thanks,

Frank Taylor.
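An added example, not from Frank's post and not part of jKrb5 (Python rather than Java so it runs stand-alone): decoding the TicketFlags bit string that the TGS-REP and the ticket carry, so a back-end service or audit log can tell a proxiable ticket (the holder may ask the TGS for a proxy) from a proxy ticket (issued by the TGS on the strength of one). Flag positions are those of RFC 1510 / RFC 4120; the DER sample bytes are constructed for the example.

```python
# Added example (not from the original post): decode Kerberos TicketFlags and
# report whether a ticket is PROXIABLE or PROXY. Flag bit positions follow
# RFC 1510 / RFC 4120 section 5.2.8; the sample encodings below are constructed.

TICKET_FLAG_NAMES = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}


def decode_kerberos_flags(der: bytes) -> set:
    """Parse a DER BIT STRING (tag 0x03) into the set of named Kerberos flags.

    KerberosFlags is a BIT STRING of at least 32 bits; bit 0 is the most
    significant bit of the first content octet, as ASN.1 defines it.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]
    nbits = len(body) * 8 - unused
    if nbits < 32:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    flags = set()
    for bit in range(nbits):
        if body[bit // 8] & (0x80 >> (bit % 8)):
            flags.add(TICKET_FLAG_NAMES.get(bit, "bit%d" % bit))
    return flags


def classify_for_audit(der: bytes) -> str:
    """Label a presented ticket the way an audit record would want it."""
    flags = decode_kerberos_flags(der)
    if "proxy" in flags:
        return "proxy ticket (issued by the TGS from a proxiable ticket)"
    if "proxiable" in flags:
        return "proxiable ticket (holder may request a proxy from the TGS)"
    return "ordinary ticket"


# Constructed samples: 32-bit flag strings with no unused bits.
# proxiable + renewable + initial + pre-authent (what the user's agent holds)
PROXIABLE_SAMPLE = bytes.fromhex("03050010e00000")
# proxy + renewable + pre-authent (what the TGS hands back for the LDAP service)
PROXY_SAMPLE = bytes.fromhex("03050008a00000")
```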
