A patch to support S4U2proxy in db2 module

Greg Hudson ghudson at MIT.EDU
Thu Jul 5 05:59:40 EDT 2012


Hi, Weijun.  I'm responding to krbdev at mit.edu rather than
kerberos at mit.edu, since the latter list is about usage of various
Kerberos implementations rather than development of MIT krb5.

I think this is generally a good idea, but have a few notes:

* I'm not sure at this point whether this should be a db2-specific
feature (since the LDAP back end already has a variant of this using the
AllowedToDelegateTo attribute) or if it should be in the KDC code and
apply to all back ends (so a delegation is allowed if the string
attribute allows it or if the KDB module allows it).

* A surprising (to me) number of new feature ideas have been proposed
that make use of string attributes.  We may want to implement an
attribute validation facility before we adopt too many of these.

* Although the feature implementation itself is small, we'll want to
have a design writeup, automated tests, and documentation changes in
order to adopt it.

At any rate, thanks!

On 07/03/2012 05:11 AM, Weijun Wang wrote:
> Hi All
> 
> I'm playing with MIT krb5's S4U2proxy feature, but the db2 backend does
> not implement the check_allowed_to_delegate callback.
> 
> Here is a patch for it. It makes use of the "allowed_to_delegate_to"
> string attribute. The value can be either "*", "s1", or "s1 s2".
> 
> I haven't written a lot of C code in the past few years, so there might
> be some coding errors.
> 
> Thanks
> Weijun
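
An added illustration of the check the quoted message describes; it is not part of this thread, not the patch Weijun posted, and not MIT krb5 code. The server entry's "allowed_to_delegate_to" string attribute is either "*" or a whitespace-separated list of target service principal names, and check_allowed_to_delegate should succeed only when the requested proxy target appears in it. The function name, the sample principal names, and the decision to recognize "*" as a token (so it works both alone and inside a list) are assumptions made here; a missing or empty attribute denies, and tokens are compared against the whole principal string so "s1" does not match "s1x".

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of a db2-style delegation check driven by a string attribute.
 * attr_value: the "allowed_to_delegate_to" value stored on the server
 *             entry, or NULL when the attribute is not set.
 * target:     the proxy target principal name from the S4U2proxy request.
 * Returns true when delegation to target is permitted.
 * (Illustrative example only, not the thread's patch or MIT krb5 code.)
 */
bool
allowed_to_delegate(const char *attr_value, const char *target)
{
    const char *p = attr_value;
    size_t target_len;

    /* No attribute, or nothing to match: deny by default. */
    if (attr_value == NULL || target == NULL || *target == '\0')
        return false;
    target_len = strlen(target);

    while (*p != '\0') {
        size_t len;

        /* Skip the whitespace separating tokens. */
        while (*p != '\0' && isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            break;

        /* Length of the current token (up to the next separator). */
        len = strcspn(p, " \t\r\n");

        /* A "*" token allows delegation to any target (assumption). */
        if (len == 1 && p[0] == '*')
            return true;

        /* Exact match of the full name; prefixes do not count. */
        if (len == target_len && memcmp(p, target, len) == 0)
            return true;

        p += len;
    }
    return false;
}

int
main(void)
{
    /* Constructed sample data, not taken from any real KDB. */
    const char *attr = "HTTP/web.example.com@EXAMPLE.COM cifs/fs.example.com@EXAMPLE.COM";
    const char *targets[] = {
        "HTTP/web.example.com@EXAMPLE.COM",
        "cifs/fs.example.com@EXAMPLE.COM",
        "ldap/dc.example.com@EXAMPLE.COM",
    };
    size_t i;

    for (i = 0; i < sizeof(targets) / sizeof(targets[0]); i++) {
        printf("%-40s -> %s\n", targets[i],
               allowed_to_delegate(attr, targets[i]) ? "allow" : "deny");
    }
    return 0;
}
```

In a real KDB module the comparison would be made on parsed principals (for example with krb5_principal_compare after krb5_parse_name) rather than on raw strings, so that a realm-qualified "s1@REALM" and an unqualified "s1" are handled deliberately instead of by string accident, and so the attribute can be validated when it is written rather than when it is consulted.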
