All, I am building an application that uses Kerberos internally to authenticate usage of back end resources. In a move to improve internal auditing I'd like to use proxy tickets to handle delegation of rights from a user to an intermediary service. Specifically I'd like to delegate LDAP access to a web application for a user.
The plan is that the user's agent will generate a proxiable LDAP ticket that it hands to the web application. The web application (implmented in J2EE using JSPs and EJBs) will then generate the required authenticators to connection to LDAP when required. Whilst I believe this is how it should work in theory, I am lost as to how to implement this in practice. Specifically, I am not sure exactly what should be passed from the client to the web application... rfc1510 talks about passing the "proxy", but does not define what this is? Is it the TGS REPLY, or is it the underlying ticket? Has anyone done anything like this? The Kerberos FAQ says that proxiable tickets are not often used. Can anyone point me towards information of programming for proxiable tickets? I am using jKrb5 (the java-kerberos library) to prototype the interactions. Is there a better solution? Thanks, Frank Taylor. ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
