ACL for Constrained Delegation?
Rick van Rein
rick at openfortress.nl
Thu Feb 20 16:36:07 EST 2014
Hello Simo,
I had a look at the project page KerberosDelegationACL, and one thing struck me as odd about the specification.
* lack of AllowToImpersonate means ALL clients can be impersonated.
This appears non-intuitive to me; moreover, treating the “zero case” in a special way almost always leads to trouble, exceptions and security hazards. If not in code, then it usually confuses the security admin or surrounding scripts.
I have no idea if this is too late, but the following follows IMHO a more consistent / logical line while retaining expressiveness:
* lack of the Krb5DelegationACL class means that NO access control restrictions are applied
* lack of AllowToImpersonate means NO clients can be impersonated
* to impersonate ALL clients, use a suitable regex memberPrincipal
FWIW :)
Cheers,
-Rick
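The difference between the two "zero case" readings discussed in this thread, worked through as an added example (not code from the post, the project page, or FreeIPA). The record shape, the attribute names taken from the post (Krb5DelegationACL, memberPrincipal, AllowToImpersonate), the idea of regex entries, and the behaviour of the "current" reading when no ACL objects exist at all are assumptions for illustration, not the real schema:

```python
import re
from typing import Dict, List

# Constructed, simplified ACL records. The keys follow the names used in the
# post; the list-of-dicts layout and regex-valued entries are assumptions.
ACLS: List[Dict[str, List[str]]] = [
    # Web service may impersonate only user principals in EXAMPLE.COM.
    {"cn": ["http-to-ldap"],
     "memberPrincipal": ["HTTP/web.example.com@EXAMPLE.COM"],
     "AllowToImpersonate": [r"^[^/@]+@EXAMPLE\.COM$"]},
    # Service that explicitly opts in to every client with a regex.
    {"cn": ["proxy-all"],
     "memberPrincipal": ["proxy/gw.example.com@EXAMPLE.COM"],
     "AllowToImpersonate": [r".*"]},
    # Rule with no AllowToImpersonate at all: the "zero case" under discussion.
    {"cn": ["backup"],
     "memberPrincipal": ["backup/host1.example.com@EXAMPLE.COM"]},
]


def _matches(pattern: str, principal: str) -> bool:
    """Anchored regex match of one AllowToImpersonate entry against a client."""
    return re.fullmatch(pattern, principal) is not None


def may_impersonate(service: str, client: str,
                    acls: List[Dict[str, List[str]]],
                    semantics: str = "proposed") -> bool:
    """Decide whether `service` may obtain a ticket on behalf of `client`.

    semantics="current":  as quoted from the project page in the post, a rule
                          that lacks AllowToImpersonate allows ALL clients.
                          (How this reading treats an empty ACL set is not
                          stated in the post; deny is assumed here.)
    semantics="proposed": Rick's alternative. No Krb5DelegationACL objects
                          means no restrictions; a rule that lacks
                          AllowToImpersonate allows NO clients; impersonating
                          everyone requires an explicit regex such as ".*".
    """
    if semantics not in ("current", "proposed"):
        raise ValueError("unknown semantics: %r" % semantics)

    if semantics == "proposed" and not acls:
        return True  # no ACL class present: no access control applied

    for rule in acls:
        if service not in rule.get("memberPrincipal", []):
            continue
        patterns = rule.get("AllowToImpersonate")
        if patterns is None:
            if semantics == "current":
                return True   # absent attribute == everyone
            continue          # proposed: absent attribute == nobody
        if any(_matches(p, client) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    svc = "backup/host1.example.com@EXAMPLE.COM"
    for sem in ("current", "proposed"):
        print(sem, "->", may_impersonate(svc, "alice@EXAMPLE.COM", ACLS, sem))
```

The only rule where the two readings disagree is the one without AllowToImpersonate: it grants everything under the first reading and nothing under the second, which is exactly the ambiguity an admin or a provisioning script would trip over.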