Constrained Delegation with certificate and GSS API
Greg Hudson
ghudson at mit.edu
Wed May 6 00:46:21 EDT 2020
On 5/6/20 12:25 AM, Puran Chand wrote:
> I was wondering if there is a similar API to perform the same with a
> user certificate this time instead of a UPN.
> I hope it should send an AS-REQ with PA-DATA P4-S4U-X509-USER with the
> certificate (with my limited knowledge).

There isn't yet. Release 1.18 included a lot of work on the internals,
as well as a kvno option (-F), but we haven't added any API for this
operation yet. There is a work-in-progress pull request from Isaac
Boukris here:
https://github.com/krb5/krb5/pull/1063
There may be alternative designs for the API; for instance, we could
perhaps instead define a new name type and use
gss_acquire_cred_impersonate_name().