ACL for Constrained Delegation?
Rick van Rein
rick at openfortress.nl
Thu Feb 20 06:34:53 EST 2014
Hi Benjamin / MIT,
>> How would I set up these delegations, and only these delegations, with MIT Kerberos5?
>
> http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation notes that there is a krbAllowedToDelegateTo attribute that can be set in LDAP (manually) to limit delegation.
>
> I don't think I have an actual example handy.
Thanks for the pointer!
I looked into the LDAP specs for this attribute, and some questions remain. An example could give a working solution, but perhaps MIT should answer these questions by updating the project documentation page?
LOOKUP:
This refers to an LDAP attribute krbAllowedToDelegateTo. In the LDAP schema, this is
defined as
> ##### A list of services to which a service principal can delegate.
> attributetype ( 1.3.6.1.4.1.5322.21.2.4
> NAME 'krbAllowedToDelegateTo'
> EQUALITY caseExactIA5Match
> SUBSTR caseExactSubstringsMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
This attribute may be incorporated into the krbPrincipalAux auxiliary class, which
presumably is attached to krbPrincipal:
> ###### The principal data auxiliary class. Holds principal information
> ###### and is used to store principal information for Person, Service objects.
>
> objectclass ( 2.16.840.1.113719.1.301.6.8.1
> NAME 'krbPrincipalAux'
> SUP top
> AUXILIARY
> MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $
> krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $
> krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $
> krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $
> krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo ) )
QUESTIONS:
* These specifications do not clarify how the "list of services" is represented in the
attribute -- is it done through multiple krbAllowedToDelegateTo attributes (this is
permitted) or is there a format such as space-separation or comma-separation?
* These specifications do not clarify how "services" are declared -- probably through
their krbPrincipalName or krbCanonicalName? Or does that depend on whether there
is a krbCanonicalName for the principal? Are abbreviated forms (dropping the @REALM
part) permitted/advised?
It’d be good to have these questions answered.
Thanks for any help you can give,
Rick van Rein
OpenFortress
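As an added illustration (not part of the post above, and not code from MIT Kerberos), the following script audits the krbAllowedToDelegateTo values in an LDIF dump of krbPrincipal entries. It assumes, as a working hypothesis rather than an answer to the questions above, that the attribute is multi-valued with one target service principal per value, and that a value without an @REALM part falls back to a default realm. The LDIF input, principal names and the helper names (parse_ldif, normalise_target, delegation_acl, audit) are all constructed for this example. From an operator's point of view it shows two things worth checking in any delegation ACL: targets written without a realm (ambiguous under either interpretation) and targets that do not correspond to any principal entry in the directory (a stale or mistyped ACL).

```python
"""Audit krbAllowedToDelegateTo values in an LDIF dump of krbPrincipal entries.

Assumption (not confirmed by the mailing-list thread): the attribute is
multi-valued, one target service principal per value, and a value lacking
@REALM is read in the default realm. Adjust normalise_target() if your KDC
interprets the attribute differently.
"""
import re
from typing import Dict, List, Optional

# Constructed sample LDIF for this example; not taken from any real directory.
SAMPLE_LDIF = """\
dn: krbPrincipalName=HTTP/www.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: HTTP/www.example.com@EXAMPLE.COM
krbAllowedToDelegateTo: ldap/dir.example.com@EXAMPLE.COM
krbAllowedToDelegateTo: imap/mail.example.com

dn: krbPrincipalName=ldap/dir.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: ldap/dir.example.com@EXAMPLE.COM

dn: krbPrincipalName=host/shell.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: host/shell.example.com@EXAMPLE.COM
"""

# primary[/instance][@REALM]; backslash escaping inside components is not handled.
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?(?:@(?P<realm>[^@]+))?$"
)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, folded lines
    (leading space) joined, 'attr: value' pairs collected into lists.
    Comments and base64 values ('attr:: ...') are skipped."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value, skipped here
            continue
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def parse_principal(name: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a principal name into primary, instance and realm, or None."""
    m = PRINCIPAL_RE.match(name)
    return m.groupdict() if m else None


def normalise_target(value: str, default_realm: str) -> Optional[str]:
    """Return the fully realm-qualified form of a delegation target."""
    parts = parse_principal(value)
    if parts is None:
        return None
    realm = parts["realm"] or default_realm
    inst = f"/{parts['instance']}" if parts["instance"] else ""
    return f"{parts['primary']}{inst}@{realm}"


def delegation_acl(entries, default_realm: str) -> Dict[str, List[str]]:
    """Map each principal to the realm-qualified services it may delegate to."""
    acl: Dict[str, List[str]] = {}
    for e in entries:
        for name in e.get("krbPrincipalName", []):
            targets = [normalise_target(v, default_realm)
                       for v in e.get("krbAllowedToDelegateTo", [])]
            acl[name] = [t for t in targets if t]
    return acl


def audit(entries, default_realm: str) -> List[str]:
    """Warn about unparsable, realm-less, and dangling delegation targets."""
    known = {n for e in entries for n in e.get("krbPrincipalName", [])}
    warnings: List[str] = []
    for e in entries:
        for src in e.get("krbPrincipalName", []):
            for v in e.get("krbAllowedToDelegateTo", []):
                parts = parse_principal(v)
                if parts is None:
                    warnings.append(f"{src}: unparsable target {v!r}")
                    continue
                if not parts["realm"]:
                    warnings.append(f"{src}: target {v!r} has no @REALM part; "
                                    f"assuming {default_realm}")
                target = normalise_target(v, default_realm)
                if target not in known:
                    warnings.append(f"{src}: target {target!r} has no "
                                    f"krbPrincipal entry in this dump")
    return warnings


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for src, targets in delegation_acl(ents, "EXAMPLE.COM").items():
        print(f"{src} -> {targets}")
    for w in audit(ents, "EXAMPLE.COM"):
        print("WARNING:", w)
```

Run against a real export (e.g. the output of an ldapsearch over the krbcontainer subtree) it gives a quick inventory of which service principals are allowed to delegate where, which is the list one would want to review periodically regardless of how the attribute's format question is eventually settled.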