Authenticating to LDAP using a HTTP ticket

[Russ Allbery]

"Loren M. Lang" <lorenl at alzatex.com> writes:

> Isn't a feature of Kerberos to be able to limit the powers that one
> delegates using proxiable tickets?  If I understand correctly, it should
> be possible to delegate for the server to impersonate you only to the
> LDAP service on host ldap.example.com instead of forwarding your krbtgt.

No, this is not a general feature of Kerberos implementations.  It may be
that Active Directory has support for this, however.  Active Directory has
some additional delegation control features that are not implemented in
other versions of Kerberos.  I don't know if you need to use Microsoft's
Kerberos implementation on the client for this as well, if so.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>