Anonymous, s4u and authorization data

Sam Hartman hartmans at MIT.EDU
Thu Dec 17 19:38:43 EST 2009


>>>>> "Greg" == Greg Hudson <ghudson at MIT.EDU> writes:

    Greg> On Thu, 2009-12-17 at 11:07 -0500, Sam Hartman wrote:
    >> In particular, I think this means that the kdb plugin, and signed
    >> delegation path plugins will be skipped for anonymous tickets.
    >> 
    >> I'm not sure whether this is right.  It's quite clear we cannot
    >> simply call the kdb plugin: we definitely do not want a PAC
    >> issued.  However I haven't really thought through the s4u
    >> implications yet.  Your thoughts would be appreciated.

    Greg> Perhaps doing this via a function call would be more correct,
    Greg> so that the kdb plugin could delegate the question to the DB
    Greg> layer.  I don't feel strongly about the issue at this time,
    Greg> though.

I think that would be reasonable at the same time as we expose this to
our plugin interface.  Note that all the flags are currently internal
only.  (And really all the flags besides (and possibly including)
anonymous should remain that way).


