Services4User review
Nicolas Williams
Nicolas.Williams at sun.com
Mon Aug 24 01:24:58 EDT 2009

On Sat, Aug 22, 2009 at 01:20:41PM +0200, Luke Howard wrote:
> And the really cool thing is that the application developer does not
> have to use any new APIs to use constrained delegation (and only one
> to use protocol transition). The API is exactly the same as it is for
> "unconstrained" delegation.

Indeed, and it will work for both S4U2{Self, Proxy}. Of course, there
are also new APIs that can be used, but they may well be unnecessary to
the point that you can just not bother with them.

To get gss_store_cred() to store such creds though will require ccache
extensions and krb5_get_credentials() work. But that's another story.
And it will likely not be necessary for a while (plus, MIT krb5 doesn't
have gss_store_cred()).

> (Of course, whether constrained delegation will be successful is
> subject to the policy of the KDC.)

Of course.