ACL for Constrained Delegation?

Rick van Rein rick at openfortress.nl
Thu Feb 20 16:36:07 EST 2014


Hello Simo,

I had a look at the project page KerberosDelegationACL, and one thing struck me as odd about the specification.

 * lack of AllowToImpersonate means ALL clients can be impersonated.

This appears non-intuitive to me; moreover, treating the “zero case” in a special way almost always leads to trouble, exceptions and security hazards.  If not in code, then it usually confuses the security admin or surrounding scripts.

I have no idea if this is too late, but the following follows IMHO a more consistent / logical line while retaining expressiveness:

 * lack of the Krb5DelegationACL class means that NO access control restrictions are applied
 * lack of AllowToImpersonate means NO clients can be impersonated
 * to impersonate ALL clients, use a suitable regex memberPrincipal


FWIW :)

Cheers,
 -Rick
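The difference between the two readings above comes down to how an absent attribute is interpreted. The following is an added illustration, not code from the mailing list or from the project: a small Python model in which the attribute names (Krb5DelegationACL, AllowToImpersonate, memberPrincipal regexes over client principal names) and the directory content are assumptions made for the example. It evaluates the same sample entries under both the "absent means all clients" reading and the proposed "absent means no clients" reading, so the fail-open case of a half-configured entry is visible side by side with the fail-closed one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


# Constructed, hypothetical model of a Krb5DelegationACL entry. The real LDAP
# schema is not reproduced here; only the "zero case" semantics under discussion
# are modelled. `allow_to_impersonate` holds memberPrincipal-style regexes over
# client principal names; None means the attribute is absent from the entry.
@dataclass
class DelegationACL:
    service: str
    allow_to_impersonate: Optional[List[str]] = None


def _client_matches(patterns: List[str], client: str) -> bool:
    # Anchored match: a pattern must cover the whole principal name, so
    # "alice@EXAMPLE\.ORG" does not also match "alice@EXAMPLE.ORG.EVIL".
    return any(re.fullmatch(p, client) is not None for p in patterns)


def may_impersonate(acls: Dict[str, DelegationACL], service: str, client: str,
                    absent_attr_means_all: bool) -> bool:
    """Decide whether `service` may obtain a ticket on behalf of `client`.

    absent_attr_means_all=True  models the reading objected to in the mail:
        no AllowToImpersonate -> every client may be impersonated.
    absent_attr_means_all=False models the proposal:
        no AllowToImpersonate -> no client may be impersonated;
        "all clients" has to be spelled out as an explicit regex.
    In both models a service with no ACL entry at all is unrestricted,
    following the first bullet of the proposal.
    """
    acl = acls.get(service)
    if acl is None:
        return True
    if acl.allow_to_impersonate is None:
        return absent_attr_means_all
    return _client_matches(acl.allow_to_impersonate, client)


# Constructed sample directory content (hypothetical principals).
ACLS = {
    # freshly created entry: the admin has not (yet) filled in AllowToImpersonate
    "HTTP/web.example.org@EXAMPLE.ORG": DelegationACL(
        "HTTP/web.example.org@EXAMPLE.ORG"),
    # explicit, narrow grant
    "HTTP/app.example.org@EXAMPLE.ORG": DelegationACL(
        "HTTP/app.example.org@EXAMPLE.ORG",
        [r"alice@EXAMPLE\.ORG", r"svc-.*@EXAMPLE\.ORG"]),
    # explicit "all clients of this realm" grant via regex, as the proposal requires
    "HTTP/gw.example.org@EXAMPLE.ORG": DelegationACL(
        "HTTP/gw.example.org@EXAMPLE.ORG", [r".*@EXAMPLE\.ORG"]),
}


def compare_semantics(service: str, client: str) -> Dict[str, bool]:
    """Return the decision under both readings side by side."""
    return {
        "absent-attr-allows-all": may_impersonate(ACLS, service, client, True),
        "absent-attr-denies-all": may_impersonate(ACLS, service, client, False),
    }


if __name__ == "__main__":
    for svc, cl in [
        ("HTTP/web.example.org@EXAMPLE.ORG", "admin@EXAMPLE.ORG"),
        ("HTTP/app.example.org@EXAMPLE.ORG", "alice@EXAMPLE.ORG"),
        ("HTTP/app.example.org@EXAMPLE.ORG", "bob@EXAMPLE.ORG"),
        ("HTTP/gw.example.org@EXAMPLE.ORG", "bob@EXAMPLE.ORG"),
        ("HTTP/gw.example.org@EXAMPLE.ORG", "bob@OTHER.REALM"),
    ]:
        print(f"{svc} impersonating {cl}: {compare_semantics(svc, cl)}")
```

The first sample entry is the one that matters: under the default-allow reading a web service whose ACL exists but has not been populated may already impersonate the realm's admin, while under the proposed default-deny reading it can impersonate nobody until an explicit regex is added, which is the behaviour an operator auditing the directory would expect.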