lukeh at padl.com
Mon Feb 2 01:30:17 EST 2009
On 02/02/2009, at 4:12 PM, Nikhil Mishra wrote:
> Thanks Luke and I understand the purpose of db_invoke.
> But then as I understand, for constrained delegation to work on kdc
> side, db_invoke has to be implemented or at least in some form
> check_allowed_to_delegate_to should be able to call some db function
> to check given service principal is allowed to delegate to given
> proxy_princ.
> Is there any such db function as of now?
As I mentioned: there is no implementation in any of the backends
shipped with MIT; you'll need to implement this yourself.
> If I understand it correctly from previous email exchanges
> constrained delegation should work on kdc side for MIT Kerberos?
The only db_invoke implementation presently is the (proprietary)
Novell DSfW backend.