Authenticating to LDAP using a HTTP ticket

Russ Allbery rra at
Mon Mar 9 21:10:43 EDT 2009

"Loren M. Lang" <lorenl at> writes:

> Isn't a feature of Kerberos to be able to limit the powers that one
> delegates using proxiable tickets?  If I understand correctly, it should
> be possible to delegate for the server to impersonate you only to the
> LDAP service on host instead of forwarding your krbtgt.

No, this is not a general feature of Kerberos implementations.  It may be
that Active Directory has support for this, however.  Active Directory has
some additional delegation control features that are not implemented in
other versions of Kerberos.  I don't know if you need to use Microsoft's
Kerberos implementation on the client for this as well, if so.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list