Delegation and Moonshot

Russ Allbery rra at
Mon Apr 4 13:23:12 EDT 2011

Luke Howard <lukeh at> writes:

> With the example you give, you might be interested in an OpenLDAP ACL
> plugin we've developed that lets you use GSS attribute value assertions
> - eg from a SAML assertion - as authorization subjects.

Yeah, that's a good idea -- thank you.

Also, thank you to Nico -- I hadn't thought about impersonation without
delegation thoroughly enough.

Russ Allbery (rra at             <>

More information about the krbdev mailing list