ACL for Constrained Delegation?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Feb 20 00:41:35 EST 2014


On 02/19/2014 09:47 PM, Benjamin Kaduk wrote:
> On Wed, 19 Feb 2014, Rick van Rein wrote:
>> I’m trying to understand how to configure Constrained Delegation in
>> the KDC.  I think I got the GSSAPI client side part, notably
>> S4U2Proxy, but I can only seem to find proxy / proxiable flags in the
>> KDC setup.  And these don’t have indisputably clear semantics, from
>> what I’ve read.
>>
>> Let’s say I want to set up webmail.example.com with permissions to
>> access LDAP, IMAP and SMTP; however, sendmail.example.com can only
>> access SMTP and contacts.example.com can only access LDAP; schematically:
>>
>> HTTP/webmail.example.com  —>  ldap/ldap.example.com
>> HTTP/webmail.example.com  —>  imap/imap.example.com
>> HTTP/webmail.example.com  —>  smtp/smtp.example.com
>> HTTP/sendmail.example.com  —>  smtp/smtp.example.com
>> HTTP/contacts.example.com  —>  ldap/ldap.example.com
>>
>> How would I set up these delegations, and only these delegations, with
>> MIT Kerberos5?
> 
> http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation notes
> that there is a krbAllowedToDelegateTo attribute that can be set in LDAP
> (manually) to limit delegation.
> 
> I don't think I have an actual example handy.

This arrangement seems to suggest that the delegation constraint is
something that will be managed for all principals by the KDC explicitly,
rather than the end user being able to decide (or even know?) what
explicit delegations are being offered.  Am I understanding this right?

Is there any mechanism for user-controllable delegation?  (or perhaps
more fundamentally, does this question even make sense, given the power
held by the KDC already?)

	--dkg
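To make Benjamin's pointer concrete for Rick's table, here is an added example (not from anyone in the thread): it generates the LDIF that sets krbAllowedToDelegateTo on each front-end service's entry, and models the KDC-side decision, which honours an S4U2Proxy request only when the target service is listed on the requesting service's own entry. The realm EXAMPLE.COM, the directory suffix, and the krbPrincipalName=...,cn=REALM,cn=krbContainer DN layout are assumptions.

```python
"""Constrained-delegation ACL for the webmail/sendmail/contacts scenario.

Added example, not code from the thread.  Builds the LDIF that sets the
krbAllowedToDelegateTo attribute on each proxy service's LDAP entry, and
models the KDC check: a proxy service may obtain a ticket to a target on a
user's behalf only if that target is listed on the proxy's own entry.
Assumed: realm EXAMPLE.COM, suffix dc=example,dc=com, and the MIT LDAP
back end's default layout krbPrincipalName=<princ>,cn=<REALM>,cn=krbContainer.
"""
REALM = "EXAMPLE.COM"                  # assumed realm
BASE_DN = "dc=example,dc=com"          # assumed directory suffix

# The five delegations from the schematic in the question, and only these.
DELEGATIONS = {
    "HTTP/webmail.example.com": ["ldap/ldap.example.com",
                                 "imap/imap.example.com",
                                 "smtp/smtp.example.com"],
    "HTTP/sendmail.example.com": ["smtp/smtp.example.com"],
    "HTTP/contacts.example.com": ["ldap/ldap.example.com"],
}

def principal_dn(service: str) -> str:
    """DN of a service principal under the realm container (assumed layout)."""
    return (f"krbPrincipalName={service}@{REALM},"
            f"cn={REALM},cn=krbContainer,{BASE_DN}")

def build_ldif(delegations: dict) -> str:
    """LDIF that *replaces* krbAllowedToDelegateTo, so stale targets are dropped."""
    entries = []
    for proxy, targets in delegations.items():
        lines = [f"dn: {principal_dn(proxy)}", "changetype: modify",
                 "replace: krbAllowedToDelegateTo"]
        lines += [f"krbAllowedToDelegateTo: {t}@{REALM}" for t in targets]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"

def delegation_allowed(delegations: dict, proxy: str, target: str) -> bool:
    """Model of the KDC check: the proxy's entry must list the target."""
    return target in delegations.get(proxy, [])

if __name__ == "__main__":
    print(build_ldif(DELEGATIONS))
    for proxy, target in [("HTTP/webmail.example.com", "smtp/smtp.example.com"),
                          ("HTTP/contacts.example.com", "smtp/smtp.example.com")]:
        verdict = "allowed" if delegation_allowed(DELEGATIONS, proxy, target) else "denied"
        print(f"{proxy} -> {target}: {verdict}")
```

Feed the generated LDIF to ldapmodify against the KDC's directory; contacts.example.com asking for an SMTP ticket on a user's behalf is then refused while webmail.example.com succeeds.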
