ACL for Constrained Delegation?

Simo Sorce simo at redhat.com
Thu Feb 20 09:10:32 EST 2014


On Wed, 2014-02-19 at 09:28 +0100, Rick van Rein wrote:
> Hello,
> 
> I’m trying to understand how to configure Constrained Delegation in the KDC.  I think I got the GSSAPI client side part, notably S4U2Proxy, but I can only seem to find proxy / proxiable flags in the KDC setup.  And these don’t have indisputably clear semantics, from what I’ve read.
> 
> Let’s say I want to set up webmail.example.com with permissions to access LDAP, IMAP and SMTP; however, sendmail.example.com can only access SMTP and contacts.example.com can only access LDAP; schematically:
> 
> HTTP/webmail.example.com  —>  ldap/ldap.example.com
> HTTP/webmail.example.com  —>  imap/imap.example.com
> HTTP/webmail.example.com  —>  smtp/smtp.example.com
> HTTP/sendmail.example.com  —>  smtp/smtp.example.com
> HTTP/contacts.example.com  —>  ldap/ldap.example.com
> 
> How would I set up these delegations, and only these delegations, with MIT Kerberos5?

Hi Rick,
it is not currently really possible with Standard MIT.

I have introduced a mechanism to handle this in the FreeIPA project
(where we build our own DAL) and with Shawn we are working on bringing
this to the standard MIT LDAP driver.

See the project page here:
http://k5wiki.kerberos.org/wiki/Projects/KerberosDelegationACL

If you want to help with this effort there is some work to do to
implement this in the current MIT LDAP code.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York