On Wed, 19 Feb 2014, Rick van Rein wrote:

> Hello,
>
> I’m trying to understand how to configure Constrained Delegation in the KDC.  I
> think I got the GSSAPI client side part, notably S4U2Proxy, but I can only seem
> to find proxy / proxiable flags in the KDC setup.  And these don’t have
> indisputably clear semantics, from what I’ve read.
>
> Let’s say I want to set up webmail.example.com with permissions to access LDAP,
> IMAP and SMTP; however, sendmail.example.com can only access SMTP and
> contacts.example.com can only access LDAP; schematically:
>
> HTTP/webmail.example.com  —>  ldap/ldap.example.com
> HTTP/webmail.example.com  —>  imap/imap.example.com
> HTTP/webmail.example.com  —>  smtp/smtp.example.com
> HTTP/sendmail.example.com  —>  smtp/smtp.example.com
> HTTP/contacts.example.com  —>  ldap/ldap.example.com
>
> How would I set up these delegations, and only these delegations, with MIT
> Kerberos5?

http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation notes that there is a krbAllowedToDelegateTo attribute that can be set in LDAP (manually) to limit delegation.

I don't think I have an actual example handy.

-Ben Kaduk
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
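Added example, not part of the thread: it generates the LDIF that sets krbAllowedToDelegateTo for exactly the five delegations in the question and parses it back for a check before applying. It assumes the realm EXAMPLE.COM, the MIT krb5 LDAP back end with kerberos.schema loaded, and principal entries under cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com; none of these are stated on the page.

```python
# Added example, not from the thread. Assumed (not on the page): realm
# EXAMPLE.COM, MIT krb5 LDAP back end with kerberos.schema loaded, and
# principal entries under the BASE_DN below (adjust to your own DIT).
REALM = "EXAMPLE.COM"
BASE_DN = "cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com"

# Exactly the five arrows from the question; a front end not listed here,
# or a target missing from its list, is not an allowed S4U2Proxy target.
DELEGATIONS = {
    "HTTP/webmail.example.com": ["ldap/ldap.example.com",
                                 "imap/imap.example.com",
                                 "smtp/smtp.example.com"],
    "HTTP/sendmail.example.com": ["smtp/smtp.example.com"],
    "HTTP/contacts.example.com": ["ldap/ldap.example.com"],
}


def principal_dn(princ, realm=REALM, base_dn=BASE_DN):
    return f"krbPrincipalName={princ}@{realm},{base_dn}"


def delegation_ldif(delegations=DELEGATIONS, realm=REALM, base_dn=BASE_DN):
    """One 'changetype: modify' record per front-end principal. 'replace:'
    overwrites the whole value set, so a target that was allowed earlier
    but is absent from DELEGATIONS is removed in the same change."""
    records = []
    for front, targets in delegations.items():
        lines = [f"dn: {principal_dn(front, realm, base_dn)}",
                 "changetype: modify",
                 "replace: krbAllowedToDelegateTo"]
        lines += [f"krbAllowedToDelegateTo: {t}@{realm}" for t in targets]
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def allowed_targets(ldif_text):
    """Parse the LDIF back into {front end: set of targets} so the file can
    be compared with the intended scheme before ldapmodify applies it."""
    result = {}
    for record in ldif_text.strip().split("\n\n"):
        front, targets = None, set()
        for line in record.splitlines():
            if line.startswith("dn: krbPrincipalName="):
                front = line[len("dn: krbPrincipalName="):].split(",", 1)[0]
            elif line.startswith("krbAllowedToDelegateTo: "):
                targets.add(line.split(": ", 1)[1])
        result[front] = targets
    return result


if __name__ == "__main__":
    print(delegation_ldif(), end="")
```

Apply the output with `ldapmodify` as the KDC's LDAP admin identity, then confirm with `kadmin.local getprinc` that the only affected principals are the three front ends.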
