On Wed, Sep 23, 2009 at 3:01 AM, Marc Boorshtein <[email protected]>wrote:
> On Tue, Sep 22, 2009 at 7:50 PM, Alex Karasulu <[email protected]>wrote: > >> No we really have not but its not so hard to do I think. We just need to >> add the A2D2 attribute to the schema and enable some authorization checks in >> the KDC to make sure it constrains the service tickets the KDC grants to >> service accounts based on the contents of this attribute. Not hard hat all >> to do I think. >> >> > Well I'll be honest I have no idea how to implement s4u2self and s4u2proxy > but I will say that IF you guys decide to implement it (which I think would > be really cool) I can say that what we did run into in our deployment was > that constrained delegation didn't work well with cross forest trusts where > a user is in one forest and the device generating and consuming the tickets > are in a seperate forest. The commercial product did not work at all. > Should you guys want to implement I can setup a scenario that would > reproduce what I saw. > I thought KCD did not work across forests/domains but I'm reaching here so double check me. I'm itching to get all over these Kerberos features myself but have had no time as usual to get deep into them. Hopefully we can fullfil some of our critical needs on the LDAP side and move on to frolic around in the Kerberos side for a while. Cheers, Alex -- Alex Karasulu My Blog :: http://www.jroller.com/akarasulu/ Apache Directory Server :: http://directory.apache.org Apache MINA :: http://mina.apache.org
