"Loren M. Lang" <[email protected]> writes:

> Isn't a feature of Kerberos to be able to limit the powers that one
> delegates using proxiable tickets? If I understand correctly, it should
> be possible to delegate for the server to impersonate you only to the
> LDAP service on host ldap.example.com instead of forwarding your krbtgt.

No, this is not a general feature of Kerberos implementations. It may be
that Active Directory has support for this, however. Active Directory has
some additional delegation control features that are not implemented in
other versions of Kerberos. I don't know if you need to use Microsoft's
Kerberos implementation on the client for this as well, if so.

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
