Authenticating to LDAP using a HTTP ticket

Loren M. Lang lorenl at
Mon Mar 9 19:21:41 EDT 2009

On Sun, 2009-03-08 at 13:00 -0700, Russ Allbery wrote:
> Mikkel Kruse Johnsen <mikkel at> writes:
> > Firefox: Type "about:config" in the Location bar. Type "nego" in the
> > filter and double click "network.negotiate-auth.delegation-uris" and
> > "network.negotiate-auth.trusted-uris" and type in your domain name (in
> > my example I have "" in both)
> Be aware that doing this will cause your browser to promiscuously send
> your credentials to every server in that domain with a valid HTTP/*
> principal in your KDC and allow that server to impersonate you to any
> other service.  This may be what you want to do, but it's worth thinking
> carefully about the implications before you do it.
> For example, if you're an educational site that allows students to obtain
> HTTP/* principals for their own systems, you *don't* want to do this.

Isn't a feature of Kerberos to be able to limit the powers that one
delegates using proxiable tickets?  If I understand correctly, it should
be possible to delegate for the server to impersonate you only to the
LDAP service on host instead of forwarding your krbtgt.

Loren M. Lang
lorenl at
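To make Russ's warning concrete, here is an added example (not part of the original thread, and not code from anyone on the list) that audits a Firefox prefs.js excerpt for the two Negotiate prefs Mikkel mentioned. It assumes the documented Firefox semantics, simplified: a bare domain entry matches every host in that domain, whereas a scheme://host entry matches only that origin, and delegation-uris additionally forwards the user's TGT. The prefs.js content and the example.org names are constructed sample data.

```python
"""Audit Firefox Negotiate (Kerberos/SPNEGO) prefs for overly broad delegation.

Assumes the prefs.js syntax user_pref("name", "value"); and the simplified
semantics that a bare domain in network.negotiate-auth.*-uris matches every
host in that domain, while scheme://host matches only that host.
"""
import re
from typing import Dict, List, Tuple

# Matches string prefs in a prefs.js / user.js file.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')

NEGOTIATE_PREFS = (
    "network.negotiate-auth.trusted-uris",     # where the browser sends a service ticket
    "network.negotiate-auth.delegation-uris",  # where it also forwards the TGT (delegation)
)

# Constructed sample: the delegation list names a whole domain, not just the LDAP web front end.
SAMPLE_PREFS = '''// constructed prefs.js excerpt, not a real profile
user_pref("network.negotiate-auth.trusted-uris", "example.org");
user_pref("network.negotiate-auth.delegation-uris", "example.org,https://ldapweb.example.org");
'''


def parse_prefs(text: str) -> Dict[str, str]:
    """Return {pref_name: value} for every string pref in the file body."""
    return {m.group(1): m.group(2) for m in PREF_RE.finditer(text)}


def split_uri_list(value: str) -> List[str]:
    """Firefox accepts comma- or whitespace-separated entries."""
    return [e for e in re.split(r"[,\s]+", value.strip()) if e]


def classify(entry: str) -> str:
    """'host' for scheme://host entries, 'domain' for bare domain suffixes."""
    if "://" in entry:
        return "host"      # matches only that origin
    return "domain"        # matches every host in that domain


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (pref, entry, severity) for each configured Negotiate entry.

    A domain-wide entry in delegation-uris is rated high: every server in the
    domain holding a valid HTTP/* principal receives a forwardable TGT and can
    impersonate the user to other services (the risk Russ described).
    """
    prefs = parse_prefs(text)
    findings: List[Tuple[str, str, str]] = []
    for name in NEGOTIATE_PREFS:
        for entry in split_uri_list(prefs.get(name, "")):
            kind = classify(entry)
            if kind == "domain" and name.endswith("delegation-uris"):
                severity = "high"    # domain-wide credential delegation
            elif kind == "domain":
                severity = "medium"  # ticket sent domain-wide, but no delegation
            else:
                severity = "info"    # scoped to a single origin
            findings.append((name, entry, severity))
    return findings


if __name__ == "__main__":
    for pref, entry, severity in audit(SAMPLE_PREFS):
        print(f"{severity:6} {pref} -> {entry}")
```

The practical fix the audit points at is to keep delegation-uris limited to explicit `https://host` entries for the few front ends that genuinely need to act on the user's behalf, and to leave trusted-uris (which only authenticates, without delegation) for the broader domain.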