Authenticating to LDAP using a HTTP ticket
Luke Howard
lukeh at padl.com
Mon Mar 9 22:49:16 EDT 2009
On 10/03/2009, at 12:10 PM, Russ Allbery wrote:
> "Loren M. Lang" <lorenl at alzatex.com> writes:
>
>> Isn't a feature of Kerberos to be able to limit the powers that one
>> delegates using proxiable tickets? If I understand correctly, it should
>> be possible to delegate for the server to impersonate you only to the
>> LDAP service on host ldap.example.com instead of forwarding your krbtgt.
>
> No, this is not a general feature of Kerberos implementations. It may be
> that Active Directory has support for this, however. Active Directory has
> some additional delegation control features that are not implemented in
> other versions of Kerberos. I don't know if you need to use Microsoft's
> Kerberos implementation on the client for this as well, if so.
W2K3 and above KDCs implement constrained delegation. The client and
penultimate service need not change. The middle-tier services need
library support for constrained delegation; I think only Windows has
this (possibly Heimdal, but then I'm not sure whether it is exposed to
GSS-API).
-- Luke