Unclear about Kerberos' Concepts
Rick van Rein (OpenFortress)
rick at openfortress.nl
Sat Oct 5 09:42:28 EDT 2013
Hello,
Not all the concepts in Kerberos are entirely clear to me yet. Maybe this list can help?
I am clear on the difference between client and server -- the client takes the initiative to contact a server.
I am less clear about the difference between users and services though -- are these kinds of principals that we as users have in mind, or is something like "user is always a client" and/or "service is always a server" also carved in stone in the Kerberos system and its conceptual design? Or could a user contact a user; could a service contact a service; could a service contact a user? (I mean with their own name, so without tricks like Ticket Forwarding or S4USelf/Proxy.)
Delegation would be the way that I can tell a secretary, or a bot, to act on my behalf. Does this also fall under Constrained Delegation? In other words, can I set up krbAllowedToDelegateTo in LDAP, and will CHECK_ALLOWED_TO_DELEGATE be called in such cases?
I'm still looking for how to tell the system that I want to make such a delegation, by the way. I am using krb5-user on Linux as well as Mac OS X Mountain Lion. Anyone?
Thanks!
Rick van Rein
OpenFortress
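As an added example (it is not part of Rick's mail, nor of any reply on the list), the script below shows how the two kinds of delegation the mail asks about look on an MIT krb5 client talking to an MIT KDC with the LDAP KDB backend. Ticket forwarding is requested by the user (a forwardable TGT from kinit -f, checked with klist -f, then forwarded with ssh -K); constrained delegation (S4U2Proxy) is granted to the service principal by listing targets in its krbAllowedToDelegateTo attribute, which is what the KDC's check_allowed_to_delegate consults, and is exercised with kvno -U/-P. The realm EXAMPLE.COM, all principal names, the LDAP DN, and the klist output are constructed for illustration; the two helper functions run offline, the two live_* functions need a real KDC.

```shell
#!/bin/sh
# Added example; not from the original mail. Assumes MIT krb5 client tools
# (kinit, klist, kvno, kadmin) and an MIT KDC using the LDAP KDB backend.
# Realm, principals, DNs and the sample klist output below are made up.

# 1. User-side delegation (ticket forwarding) needs a *forwardable* TGT:
#    "kinit -f" requests one (or "forwardable = true" in [libdefaults]).
#    "klist -f" prints a "Flags:" line under each ticket; the capital F
#    means forwardable. This reads klist -f output on stdin and returns 0
#    only if the krbtgt ticket carries F.
tgt_is_forwardable() {
  awk '
    /krbtgt\// { want = 1; next }                  # line naming the TGT
    want && /Flags:/ {                              # its flags line
      sub(/.*Flags: */, "")
      if ($0 ~ /F/) ok = 1
      want = 0
    }
    END { exit (ok ? 0 : 1) }'
}

# 2. Service-side constrained delegation (S4U2Proxy): the *service*
#    principal, not the user, gets the permission, and only toward the
#    listed targets. The MIT LDAP backend stores them as values of
#    krbAllowedToDelegateTo on the service's entry, and the KDC's
#    check_allowed_to_delegate() reads that attribute when the service
#    asks for a proxy ticket. Emit an LDIF that adds targets to an entry.
delegate_to_ldif() {
  dn="$1"; shift
  printf 'dn: %s\nchangetype: modify\nadd: krbAllowedToDelegateTo\n' "$dn"
  for target in "$@"; do
    printf 'krbAllowedToDelegateTo: %s\n' "$target"
  done
}

# Constructed "klist -f" output, so this file can be exercised offline.
SAMPLE_KLIST_FORWARDABLE=$(printf '%s\n%s\n\n%s\n%s\n\t%s\n' \
  'Ticket cache: FILE:/tmp/krb5cc_1000' \
  'Default principal: rick@EXAMPLE.COM' \
  'Valid starting     Expires            Service principal' \
  '10/05/13 09:00:00  10/05/13 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM' \
  'renew until 10/06/13 09:00:00, Flags: FRIA')
SAMPLE_KLIST_PLAIN=$(printf '%s\n%s\n\n%s\n%s\n\t%s\n' \
  'Ticket cache: FILE:/tmp/krb5cc_1000' \
  'Default principal: rick@EXAMPLE.COM' \
  'Valid starting     Expires            Service principal' \
  '10/05/13 09:00:00  10/05/13 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM' \
  'renew until 10/06/13 09:00:00, Flags: RIA')

# 3. Live use as a user (needs a KDC): $1 = your principal, $2 = ssh host.
#    ssh -K (or GSSAPIDelegateCredentials yes) forwards the TGT; without
#    the F flag the forwarding is silently skipped, hence the check.
live_user_delegation() {
  kinit -f "$1"
  klist -f | tgt_is_forwardable || {
    echo 'TGT lacks the F flag: use kinit -f or forwardable = true' >&2
    return 1
  }
  ssh -K "$2"
}

# 4. Live use as a service (needs a KDC and the service keytab):
#    $1 = LDAP DN of the service entry, $2 = target service principal,
#    $3 = service principal, ADMIN_DN = LDAP admin bind DN.
#    ok_to_auth_as_delegate makes the S4U2Self ticket forwardable so it
#    can serve as evidence for S4U2Proxy; kvno -U user -P target then
#    performs S4U2Self for "alice" followed by S4U2Proxy to the target,
#    which the KDC refuses for any target not in krbAllowedToDelegateTo.
live_service_delegation() {
  delegate_to_ldif "$1" "$2" | ldapmodify -x -D "$ADMIN_DN" -W
  kadmin -q "modprinc +ok_to_auth_as_delegate $3"
  kinit -k "$3"
  kvno -U alice -P "$2"
}
```

Run the helpers with the constructed samples to see the check behave (printf '%s\n' "$SAMPLE_KLIST_FORWARDABLE" | tgt_is_forwardable succeeds, the PLAIN sample fails); the live_* functions are only meaningful against a real KDC and keytab.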