On Wed, 2014-02-19 at 09:28 +0100, Rick van Rein wrote:
> Hello,
> 
> I’m trying to understand how to configure Constrained Delegation in the KDC.  
> I think I got the GSSAPI client side part, notably S4U2Proxy, but I can only 
> seem to find proxy / proxiable flags in the KDC setup.  And these don’t have 
> indisputably clear semantics, from what I’ve read.
> 
> Let’s say I want to setup webmail.example.com with permissions to access 
> LDAP, IMAP and SMTP; however, sendmail.example.com can only access SMTP and 
> contacts.example.com can only access LDAP; schematically:
> 
> HTTP/webmail.example.com  —>  ldap/ldap.example.com
> HTTP/webmail.example.com  —>  imap/imap.example.com
> HTTP/webmail.example.com  —>  smtp/smtp.example.com
> HTTP/sendmail.example.com  —>  smtp/smtp.example.com
> HTTP/contacts.example.com  —>  ldap/ldap.example.com
> 
> How would I setup these delegations, and only these delegations, with MIT 
> Kerberos5?

Hi Rick,
it is not currently really possible with Standard MIT.

I have introduced a mechanism to handle this in the FreeIPA project
(where we build our own DAL) and with Shawn we are working on bringing
this to the standard MIT LDAP driver.

See the project page here:
http://k5wiki.kerberos.org/wiki/Projects/KerberosDelegationACL

If you want to help with this effort there is some work to do to
implement this in the current MIT LDAP code.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
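The per-service allowlist Rick describes is exactly what a delegation ACL in the KDC has to decide on: when a service uses S4U2Proxy to ask for a ticket to another service on a user's behalf, the KDC consults a table of (proxy principal, target principal) pairs and refuses anything not listed. The following is an added illustration of that decision logic, written for this page; it is not MIT Kerberos code and not the KerberosDelegationACL project's implementation. It parses the five delegations from the question in the notation used above, realm-qualifies the names (the realm EXAMPLE.COM is constructed), and evaluates requests with default deny. It also requires the user's evidence ticket to be forwardable, as MIT's KDC does for S4U2Proxy; the function and field names are assumptions.

```python
"""Illustrative model of a per-service constrained-delegation ACL.

Added example, not MIT Kerberos code and not the KerberosDelegationACL
project's implementation. Models the decision a KDC makes for S4U2Proxy:
may proxy service P obtain a ticket to target service T on behalf of the
user whose evidence ticket P presents? Policy is an explicit allowlist of
(P, T) pairs, realm-qualified, default deny. Names are assumptions.
"""

from dataclasses import dataclass

REALM = "EXAMPLE.COM"  # constructed realm for the example

# The five delegations from the question, in the schematic notation used there.
SCHEMATIC = """
HTTP/webmail.example.com  —>  ldap/ldap.example.com
HTTP/webmail.example.com  —>  imap/imap.example.com
HTTP/webmail.example.com  —>  smtp/smtp.example.com
HTTP/sendmail.example.com  —>  smtp/smtp.example.com
HTTP/contacts.example.com  —>  ldap/ldap.example.com
"""


def qualify(principal: str, realm: str = REALM) -> str:
    """Return the principal with an explicit realm (append `realm` if absent)."""
    return principal if "@" in principal else f"{principal}@{realm}"


def parse_schematic(text: str, realm: str = REALM) -> frozenset[tuple[str, str]]:
    """Turn 'proxy  —>  target' lines into realm-qualified (proxy, target) pairs."""
    acl = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept the arrow used in the mail as well as a plain ASCII '->'.
        sep = "—>" if "—>" in line else "->"
        proxy, _, target = line.partition(sep)
        if not proxy.strip() or not target.strip():
            raise ValueError(f"malformed ACL line: {line!r}")
        acl.add((qualify(proxy.strip(), realm), qualify(target.strip(), realm)))
    return frozenset(acl)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_s4u2proxy(acl: frozenset, proxy: str, target: str,
                       evidence_forwardable: bool = True) -> Decision:
    """Decide one S4U2Proxy request against the ACL.

    proxy  : service presenting the user's evidence ticket (e.g. HTTP/webmail...)
    target : service the proxy wants a ticket for (e.g. smtp/smtp...)
    evidence_forwardable : whether the user's ticket to the proxy carries the
        FORWARDABLE flag. The KDC refuses S4U2Proxy without it, so a user whose
        tickets are issued non-forwardable cannot be impersonated this way.
    """
    p, t = qualify(proxy), qualify(target)
    if not evidence_forwardable:
        return Decision(False, "evidence ticket is not forwardable")
    if p.rsplit("@", 1)[1] != t.rsplit("@", 1)[1]:
        return Decision(False, "cross-realm delegation is not permitted by this ACL")
    if (p, t) in acl:
        return Decision(True, f"{p} is explicitly allowed to delegate to {t}")
    # Default deny: an unlisted pair is refused even if the proxy is listed
    # for some other target (contacts -> smtp is refused, webmail -> smtp is not).
    return Decision(False, f"{p} -> {t} is not in the delegation ACL")


def allowed_targets(acl: frozenset, proxy: str) -> set[str]:
    """Targets a proxy principal may obtain tickets for (useful when auditing the ACL)."""
    p = qualify(proxy)
    return {t for (q, t) in acl if q == p}


if __name__ == "__main__":
    table = parse_schematic(SCHEMATIC)
    for prx, tgt in [
        ("HTTP/webmail.example.com", "smtp/smtp.example.com"),
        ("HTTP/contacts.example.com", "smtp/smtp.example.com"),
    ]:
        d = evaluate_s4u2proxy(table, prx, tgt)
        print(f"{prx} -> {tgt}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The point of keying the ACL on the full (proxy, target) pair rather than on a per-principal "may delegate" flag is visible in the second case: the proxy/proxiable flags Rick found in the KDC setup say nothing about which targets a given service may reach, whereas the pair-wise table refuses contacts.example.com -> smtp while still allowing webmail.example.com -> smtp.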

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
