Authenticating to LDAP using a HTTP ticket

Russ Allbery rra at stanford.edu
Sun Mar 8 16:00:29 EDT 2009


Mikkel Kruse Johnsen <mikkel at linet.dk> writes:

> Firefox: Type "about:config" in the Location bar. Type "nego" in the
> filter and double-click "network.negotiate-auth.delegation-uris" and
> "network.negotiate-auth.trusted-uris" and type in your domain name (in
> my example I have "cbs.dk" in both)

Be aware that doing this will cause your browser to promiscuously send
your credentials to every server in that domain with a valid HTTP/*
principal in your KDC and allow that server to impersonate you to any
other service.  This may be what you want to do, but it's worth thinking
carefully about the implications before you do it.

For example, if you're an educational site that allows students to obtain
HTTP/* principals for their own systems, you *don't* want to do this.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
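
An added example, not part of the original message: a Node.js audit helper that lists which hosts holding an HTTP/* principal would receive delegated credentials for a given "network.negotiate-auth.delegation-uris" value. The matching rule (comma-separated `[scheme://]host[:port]` entries, host compared as a dot-boundary suffix) is an assumption about Firefox's behaviour, and the `example.edu` inventory is constructed, standing in for a bare domain such as the "cbs.dk" value quoted above.

```javascript
// Split one list entry into scheme, host and port (any part may be absent).
function parseEntry(entry) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]*)(?::(\d+))?/i.exec(entry.trim());
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase().replace(/^\./, ""),
    port: m[3] ? Number(m[3]) : null,
  };
}

// Assumed matching rule: scheme and port must agree when given; the host
// matches exactly or as a suffix on a dot boundary (so subdomains match too).
function entryMatches(entry, url) {
  const e = parseEntry(entry);
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (e.scheme && e.scheme !== scheme) return false;
  if (e.port !== null) {
    const port = u.port ? Number(u.port) : scheme === "https" ? 443 : 80;
    if (port !== e.port) return false;
  }
  const host = u.hostname.toLowerCase();
  return e.host === "" || host === e.host || host.endsWith("." + e.host);
}

function matchesList(pref, url) {
  return pref.split(",").map((s) => s.trim()).filter(Boolean)
    .some((e) => entryMatches(e, url));
}

// Constructed inventory: hosts assumed to hold an HTTP/* principal in the KDC.
const HTTP_PRINCIPAL_HOSTS = [
  "https://ldapadmin.example.edu/",      // the service you meant to delegate to
  "https://www.example.edu/",
  "http://student-box.dorm.example.edu/", // student-run system
];

// Hosts that would be handed a forwardable ticket under this pref value.
function delegationTargets(pref) {
  return HTTP_PRINCIPAL_HOSTS.filter((u) => matchesList(pref, u));
}

const broad = "example.edu";                    // bare domain, as in the quoted steps
const narrow = "https://ldapadmin.example.edu"; // hypothetical single trusted host
console.log("broad :", delegationTargets(broad));
console.log("narrow:", delegationTargets(narrow));
```

Running the same check against "network.negotiate-auth.trusted-uris" shows which hosts the browser will attempt Negotiate authentication with at all; the delegation list is the one that lets a matching server act as the user toward other services.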


