ACL for Constrained Delegation?

Benjamin Kaduk kaduk at MIT.EDU
Wed Feb 19 21:47:59 EST 2014


On Wed, 19 Feb 2014, Rick van Rein wrote:

> Hello,
>
> I’m trying to understand how to configure Constrained Delegation in the KDC.  I think I got the GSSAPI client side part, notably S4U2Proxy, but I can only seem to find proxy / proxiable flags in the KDC setup.  And these don’t have undisputably clear semantics, from what I’ve read.
>
> Let’s say I want to setup webmail.example.com with permissions to access LDAP, IMAP and SMTP; however, sendmail.example.com can only access SMTP and contacts.example.com can only access LDAP; schematically:
>
> HTTP/webmail.example.com  —>  ldap/ldap.example.com
> HTTP/webmail.example.com  —>  imap/imap.example.com
> HTTP/webmail.example.com  —>  smtp/smtp.example.com
> HTTP/sendmail.example.com  —>  smtp/smtp.example.com
> HTTP/contacts.example.com  —>  ldap/ldap.example.com
>
> How would I setup these delegations, and only these delegations, with MIT Kerberos5?

http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation notes that 
there is a krbAllowedToDelegateTo attribute that can be set in LDAP 
(manually) to limit delegation.

I don't think I have an actual example handy.

-Ben Kaduk


More information about the Kerberos mailing list