Authenticating to LDAP using a HTTP ticket

Luke Howard lukeh at
Mon Mar 9 22:49:16 EDT 2009

On 10/03/2009, at 12:10 PM, Russ Allbery wrote:

> "Loren M. Lang" <lorenl at> writes:
>> Isn't a feature of Kerberos to be able to limit the powers that one
>> delegates using proxiable tickets?  If I understand correctly, it  
>> should
>> be possible to delegate for the server to impersonate you only to the
>> LDAP service on host instead of forwarding your  
>> krbtgt.
> No, this is not a general feature of Kerberos implementations.  It  
> may be
> that Active Directory has support for this, however.  Active  
> Directory has
> some additional delegation control features that are not implemented  
> in
> other versions of Kerberos.  I don't know if you need to use  
> Microsoft's
> Kerberos implementation on the client for this as well, if so.

W2K3 and above KDCs implement constrained delegation. The client and  
penultimate service need not change. The middle-tier services need  
library support for constrained delegation; I think only Windows has  
this (possibly Heimdal, but then I'm not sure whether it is exposed to  

-- Luke

More information about the Kerberos mailing list