Authenticating to LDAP using a HTTP ticket

Loren M. Lang lorenl at alzatex.com
Mon Mar 9 19:21:41 EDT 2009


On Sun, 2009-03-08 at 13:00 -0700, Russ Allbery wrote:
> Mikkel Kruse Johnsen <mikkel at linet.dk> writes:
> 
> > Firefox: Type "about:config" in the Location bar. Type "nego" in the
> > filter and double-click "network.negotiate-auth.delegation-uris" and
> > "network.negotiate-auth.trusted-uris" and type in your domain name (in
> > my example I have "cbs.dk" in both)
> 
> Be aware that doing this will cause your browser to promiscuously send
> your credentials to every server in that domain with a valid HTTP/*
> principal in your KDC and allow that server to impersonate you to any
> other service.  This may be what you want to do, but it's worth thinking
> carefully about the implications before you do it.
> 
> For example, if you're an educational site that allows students to obtain
> HTTP/* principals for their own systems, you *don't* want to do this.

Isn't it a feature of Kerberos to be able to limit the powers that one
delegates, using proxiable tickets?  If I understand correctly, it should
be possible to delegate so that the server can impersonate you only to the
LDAP service on host ldap.example.com, instead of forwarding your krbtgt.

-- 
Loren M. Lang
lorenl at alzatex.com
http://www.alzatex.com/
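The two settings discussed above (Mikkel's domain-wide entries and Russ's warning about what they imply) can be checked against concrete server URLs. The following is an added example, not code from the thread or from Firefox; it is a simplified model (an assumption, not the browser's actual source) of how Firefox matches a server against the comma-separated URL prefixes in network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris: an entry carrying a scheme restricts the scheme, a bare domain matches that host and every host beneath it, and ports are ignored. The host names sso.cbs.dk and students-box.cbs.dk are constructed for the illustration.

```python
"""Model of Firefox's negotiate-auth trusted-uris / delegation-uris matching.

Added example, not from the mailing-list thread or from Firefox itself.
Assumption: each list entry is a URL prefix; "scheme://host" restricts the
scheme, a bare host matches that host and all hosts beneath it, and ports
are not compared.  Delegation only happens for a host that is also trusted.
"""
from urllib.parse import urlsplit


def _split_entry(entry):
    """Return (scheme or None, host) for one list entry such as 'https://x'."""
    entry = entry.strip()
    if "://" in entry:
        scheme, rest = entry.split("://", 1)
        return scheme.lower(), rest.split("/", 1)[0].lower()
    return None, entry.split("/", 1)[0].lower()


def _host_matches(pattern_host, host):
    """A pattern host matches itself and any host beneath it ('.pattern')."""
    pattern_host = pattern_host.lstrip(".")
    if host == pattern_host:
        return True
    return host.endswith("." + pattern_host)


def entry_matches(entry, url):
    """Does a single pref entry cover the server named by this URL?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    scheme, pattern_host = _split_entry(entry)
    if not pattern_host or not host:
        return False
    if scheme is not None and scheme != parts.scheme.lower():
        return False
    return _host_matches(pattern_host, host)


def list_matches(pref_value, url):
    """Firefox accepts comma- or whitespace-separated entries."""
    return any(entry_matches(e, url) for e in pref_value.replace(",", " ").split())


def negotiate_behaviour(trusted_uris, delegation_uris, url):
    """Return (will_send_negotiate_token, will_forward_credentials).

    A server must be in trusted-uris before Negotiate is attempted at all;
    delegation-uris additionally marks it as one that receives a forwardable
    ticket it can use to impersonate the user to other services.
    """
    trusted = list_matches(trusted_uris, url)
    delegated = trusted and list_matches(delegation_uris, url)
    return trusted, delegated


# Constructed pref values: the thread's domain-wide setting (both lists hold
# the bare domain) beside a narrower one that still authenticates to every
# host in the domain but only hands forwardable credentials to one SSO host.
BROAD = {"trusted": "cbs.dk", "delegation": "cbs.dk"}
NARROW = {"trusted": "cbs.dk", "delegation": "https://sso.cbs.dk"}


def audit(prefs, url):
    """Convenience wrapper: evaluate one prefs dict against one server URL."""
    return negotiate_behaviour(prefs["trusted"], prefs["delegation"], url)


if __name__ == "__main__":
    # A box any member of the domain could register an HTTP/* principal for.
    student_box = "http://students-box.cbs.dk/"
    for name, prefs in (("broad", BROAD), ("narrow", NARROW)):
        auth, deleg = audit(prefs, student_box)
        print(f"{name:6s} {student_box}: authenticate={auth} delegate={deleg}")
```

With the broad setting, the student-run host receives both a service ticket and forwardable credentials; with the narrow one it still gets a service ticket (so Negotiate keeps working across the domain) but no delegation, which is only granted to https://sso.cbs.dk. The model is deliberately simple; confirm against the Firefox build you deploy before relying on it.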