ACL for Constrained Delegation?
Benjamin Kaduk
kaduk at MIT.EDU
Wed Feb 19 21:47:59 EST 2014
On Wed, 19 Feb 2014, Rick van Rein wrote:
> Hello,
>
> I'm trying to understand how to configure Constrained Delegation in the KDC. I think I got the GSSAPI client side part, notably S4U2Proxy, but I can only seem to find proxy / proxiable flags in the KDC setup. And these don't have indisputably clear semantics, from what I've read.
>
> Let's say I want to set up webmail.example.com with permissions to access LDAP, IMAP and SMTP; however, sendmail.example.com can only access SMTP and contacts.example.com can only access LDAP; schematically:
>
> HTTP/webmail.example.com -> ldap/ldap.example.com
> HTTP/webmail.example.com -> imap/imap.example.com
> HTTP/webmail.example.com -> smtp/smtp.example.com
> HTTP/sendmail.example.com -> smtp/smtp.example.com
> HTTP/contacts.example.com -> ldap/ldap.example.com
>
> How would I set up these delegations, and only these delegations, with MIT Kerberos5?
http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation notes that
there is a krbAllowedToDelegateTo attribute that can be set in LDAP
(manually) to limit delegation.
I don't think I have an actual example handy.
-Ben Kaduk
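An added example, not from either poster, of what the manual LDAP change Ben points to would look like for the five delegations in Rick's diagram, using the krbAllowedToDelegateTo attribute from the MIT krb5 LDAP schema. The realm name EXAMPLE.COM and the container DN cn=krbContainer,dc=example,dc=com are assumptions (substitute the realm and KDB container your kdb5_ldap_util setup created); the principal entry layout krbPrincipalName=...,cn=REALM,cn=krbContainer,... is the default that tool creates.

```ldif
# Added example (not from the mailing-list thread). Each value of
# krbAllowedToDelegateTo names one target service the front-end service may
# obtain tickets for via S4U2Proxy. "replace" is used rather than "add" so the
# resulting list is exactly the allowed set and nothing left over from before.
# Assumed realm: EXAMPLE.COM; assumed container: cn=krbContainer,dc=example,dc=com

dn: krbPrincipalName=HTTP/webmail.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
changetype: modify
replace: krbAllowedToDelegateTo
krbAllowedToDelegateTo: ldap/ldap.example.com@EXAMPLE.COM
krbAllowedToDelegateTo: imap/imap.example.com@EXAMPLE.COM
krbAllowedToDelegateTo: smtp/smtp.example.com@EXAMPLE.COM

dn: krbPrincipalName=HTTP/sendmail.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
changetype: modify
replace: krbAllowedToDelegateTo
krbAllowedToDelegateTo: smtp/smtp.example.com@EXAMPLE.COM

dn: krbPrincipalName=HTTP/contacts.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
changetype: modify
replace: krbAllowedToDelegateTo
krbAllowedToDelegateTo: ldap/ldap.example.com@EXAMPLE.COM
```

Apply it with ldapmodify bound as the DN the KDC/kadmin server uses for writes, then confirm the result with an ldapsearch for krbAllowedToDelegateTo across the realm subtree: only the three HTTP/ principals should carry the attribute, and the target services themselves (ldap/, imap/, smtp/) should carry none, since the attribute lives on the delegating service, not on the delegation target.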