S4U2self/S4U2Proxy question

Rick van Rein rick at openfortress.nl
Sun Apr 5 10:05:26 EDT 2015


Hello Praveen,

The following information says it is expired,
http://k5wiki.kerberos.org/wiki/Projects/Services4User
and points to,
http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation
which states "This project was completed in release 1.8."

Further below, it says:
    "We provide a CHECK_ALLOWED_TO_DELEGATE db_invoke callback for the
LDAP backend that authorizes that target service against the
krbAllowedToDelegateTo attribute. There is no support for administrating
this attribute via kadmin, or for the DB2 backend."

So you should opt for the backend option you didn't mention :) not AD or
DB2, but LDAP which generally is the most flexible one (but a bit of a
drama to set up IMHO).

I also know that FreeIPA has a variation on this scheme, but I don't
know the details on that.

-Rick
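An added example, not part of Rick's message or of MIT krb5 itself, of what administering that attribute looks like when the LDAP backend is used: a small script that emits the LDIF modify record adding krbAllowedToDelegateTo values to a front-end service principal and sanity-checks the values before they are applied. The realm EXAMPLE.COM, the base DN, and the principal names are placeholders chosen here; the krbPrincipalName DN layout is the one the krb5 LDAP schema uses, but check it against your own tree before running ldapmodify.

```shell
#!/bin/sh
# Added example (not from the original post or from MIT krb5). Assumes a KDC
# on the LDAP backend with realm EXAMPLE.COM stored under the base DN below;
# both are placeholders.
set -eu

REALM="EXAMPLE.COM"                                                # assumed
KRB_BASE_DN="cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com"      # assumed

# Print an LDIF modify record that lets FRONT (the service calling S4U2proxy)
# obtain tickets to each BACK service on behalf of a user. krbAllowedToDelegateTo
# is the attribute the LDAP backend's CHECK_ALLOWED_TO_DELEGATE hook consults;
# there is no kadmin command for it, so LDIF is the administrative interface.
delegation_ldif() {
  front="$1"; shift
  printf 'dn: krbPrincipalName=%s@%s,%s\n' "$front" "$REALM" "$KRB_BASE_DN"
  printf 'changetype: modify\nadd: krbAllowedToDelegateTo\n'
  for back in "$@"; do
    printf 'krbAllowedToDelegateTo: %s@%s\n' "$back" "$REALM"
  done
}

# Every target must be a fully qualified service principal (svc/host@REALM).
# A bare or unqualified value never matches the requested service, so the
# S4U2proxy request would simply be refused with no hint as to why.
check_ldif() {
  status=0
  for val in $(printf '%s\n' "$1" | sed -n 's/^krbAllowedToDelegateTo: //p'); do
    case "$val" in
      */*@"$REALM") ;;
      *) echo "bad delegation target: $val (expect svc/host@$REALM)" >&2; status=1 ;;
    esac
  done
  return $status
}

# Usage outline (against a live KDC; not executed here):
#   delegation_ldif HTTP/www.example.com cifs/files.example.com > deleg.ldif
#   ldapmodify -x -D cn=admin,dc=example,dc=com -W -f deleg.ldif
#   kinit -k -t /etc/krb5.keytab HTTP/www.example.com          # as the front end
#   kvno -U alice cifs/files.example.com -P                    # S4U2self then S4U2proxy
ldif=$(delegation_ldif HTTP/www.example.com cifs/files.example.com)
check_ldif "$ldif"
printf '%s\n' "$ldif"
```

The kvno line is the quickest way to confirm the attribute took effect: with -U it first obtains an S4U2self ticket for the named user, and -P then asks the KDC for an S4U2proxy ticket to the listed service; a KDC that rejects the second step is the symptom of a missing or mis-spelled krbAllowedToDelegateTo value.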
