On 10/03/2009, at 12:10 PM, Russ Allbery wrote:

> "Loren M. Lang" <lor...@alzatex.com> writes:
>
>> Isn't a feature of Kerberos to be able to limit the powers that one
>> delegates using proxiable tickets? If I understand correctly, it should
>> be possible to delegate for the server to impersonate you only to the
>> LDAP service on host ldap.example.com instead of forwarding your
>> krbtgt.
>
> No, this is not a general feature of Kerberos implementations. It may be
> that Active Directory has support for this, however. Active Directory has
> some additional delegation control features that are not implemented in
> other versions of Kerberos. I don't know if you need to use Microsoft's
> Kerberos implementation on the client for this as well, if so.
W2K3 and above KDCs implement constrained delegation. The client and
penultimate service need not change. The middle-tier services need
library support for constrained delegation; I think only Windows has
this (possibly Heimdal, but then I'm not sure whether it is exposed to
GSS-API).

-- 
Luke

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
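The thread stops at "W2K3 and above KDCs implement constrained delegation" without showing what the Active Directory side of that looks like. The following PowerShell is an added illustration, not code from any participant in this thread: it scopes a middle-tier service account so the KDC will only issue it service tickets for the LDAP service on ldap.example.com on a user's behalf (the exact case Loren asked about), turns off the broader delegation flags, and reports every account that has any delegation enabled. The account name svc-web and the SPN ldap/ldap.example.com are assumed placeholders; it assumes the ActiveDirectory module and a W2K3-or-later domain functional level, and must be run with rights to modify the account.

```powershell
# Added example (not from the mailing-list thread): scope delegation for a
# middle-tier service account to one target SPN and audit delegation settings.
# Assumptions: ActiveDirectory module present; 'svc-web' and
# 'ldap/ldap.example.com' are placeholder names for this illustration.

Import-Module ActiveDirectory

$middleTier = 'svc-web'                 # placeholder: the middle-tier service account
$allowedSpn = 'ldap/ldap.example.com'   # placeholder: the only service it may reach on a user's behalf

# 1. Kerberos-only constrained delegation: msDS-AllowedToDelegateTo lists the
#    SPNs the KDC will issue S4U2proxy tickets for. Anything not listed is refused,
#    so the middle tier never needs (or receives) the user's forwarded TGT.
Set-ADUser -Identity $middleTier -Add @{ 'msDS-AllowedToDelegateTo' = $allowedSpn }

# 2. Ensure unconstrained delegation is off. With TRUSTED_FOR_DELEGATION set the
#    KDC would hand the middle tier a forwarded TGT usable against any service.
Set-ADAccountControl -Identity $middleTier -TrustedForDelegation $false

# 3. Keep protocol transition (S4U2self) off unless the front end genuinely
#    cannot authenticate users with Kerberos; with it on, the middle tier can
#    impersonate users who never presented a ticket to it.
Set-ADAccountControl -Identity $middleTier -TrustedToAuthForDelegation $false

# 4. Audit helper: list every account with any form of delegation configured.
#    userAccountControl bits: TRUSTED_FOR_DELEGATION = 0x80000,
#    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000. The OID in the filter is
#    LDAP_MATCHING_RULE_BIT_AND, so the first clause matches the unconstrained bit.
function Get-DelegationReport {
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))'
    $accounts = Get-ADObject -LDAPFilter $filter `
        -Properties msDS-AllowedToDelegateTo, userAccountControl, samAccountName

    foreach ($a in $accounts) {
        [pscustomobject]@{
            Account            = $a.samAccountName
            Unconstrained      = (($a.userAccountControl -band 0x80000)   -ne 0)
            ProtocolTransition = (($a.userAccountControl -band 0x1000000) -ne 0)
            AllowedTargets     = ($a.'msDS-AllowedToDelegateTo' -join ', ')
        }
    }
}

# Unconstrained entries sort to the top; in a hardened domain that column is all False
# and every remaining row carries a short, specific AllowedTargets list.
Get-DelegationReport | Sort-Object Unconstrained -Descending | Format-Table -AutoSize
```

The middle-tier application still needs library support for S4U2proxy (the point Luke makes about only Windows, and possibly Heimdal, exposing it); the KDC-side configuration above is what makes the "LDAP on ldap.example.com only" restriction enforceable regardless of what the client or the LDAP server run.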