Does MIT Kerberos KDC support Constrained Delegation natively
Greg Hudson
ghudson at mit.edu
Wed Aug 2 11:08:51 EDT 2017
On 08/02/2017 07:43 AM, Yu Yu wrote:
> Might I ask if MIT Kerberos KDC supports the Constrained Delegation (S4U2Self
> and S4U2Proxy) feature natively, or if an additional back-end (for example,
> LDAP) is required for it?
The LDAP KDB module (which is still technically "native") is required to
configure constrained delegation permissions in the KDC.
One configures them by setting "krbAllowedToDelegateTo" attribute values
on the intermediate principal LDAP entry, where each value is an allowed
target service principal name.
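
For reviewing what the reply describes, the following added example (not part of the original message and not MIT Kerberos code) reads an LDIF export of the KDC's LDAP subtree and lists, for each intermediate principal entry, the target services named in its "krbAllowedToDelegateTo" values. The DNs, realm and service names in the sample are constructed, and the DN layout is an assumption.

```python
import base64

ATTR = "krballowedtodelegateto"  # attribute named in the post, lower-cased

# Constructed sample LDIF export; DNs, realm and service names are made up.
WEB_DN = "krbPrincipalName=HTTP/web.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krb,dc=example,dc=com"
APP_DN = "krbPrincipalName=host/app.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krb,dc=example,dc=com"
B64_TARGET = base64.b64encode(b"imap/mail.example.com@EXAMPLE.COM").decode()
SAMPLE_LDIF = f"""dn: {WEB_DN}
krbAllowedToDelegateTo: ldap/dir.example.com@EXAMPLE.COM
krbAllowedToDelegateTo:: {B64_TARGET}
KRBALLOWEDTODELEGATETO: postgres/db.example
 .com@EXAMPLE.COM

dn: {APP_DN}
description: constructed entry with no delegation targets
"""

def unfold(text):
    """Join LDIF continuation lines (a leading single space) to their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def delegation_map(ldif_text):
    """Return {entry DN: [allowed target service principals]}."""
    result, dn = {}, None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None            # a blank line ends the current entry
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == ATTR and dn is not None:
            result.setdefault(dn, []).append(value)
    return result

if __name__ == "__main__":
    for entry, targets in delegation_map(SAMPLE_LDIF).items():
        print(entry, "->", ", ".join(targets))
```

Entries without the attribute do not appear in the result, so the output is the complete list of principals that hold delegation permissions in the export.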