Hello Simo, I had a look at the project page KerberosDelegationACL, and one thing struck me as odd about the specification.
* lack of AllowToImpersonate means ALL clients can be impersonated.

This appears non-intuitive to me; moreover, treating the "zero case" in a special way almost always leads to trouble, exceptions and security hazards. If not in code, then it usually confuses the security admin or surrounding scripts. I have no idea if this is too late, but the following follows IMHO a more consistent / logical line while retaining expressiveness:

* lack of the Krb5DelegationACL class means that NO access control restrictions are applied
* lack of AllowToImpersonate means NO clients can be impersonated
* to impersonate ALL clients, use a suitable regex memberPrincipal

FWIW :)

Cheers,
-Rick

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
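An added illustration of the two semantics the post contrasts, side by side. This is example code written for this page, not code from the thread or from the KerberosDelegationACL project: the attribute names (Krb5DelegationACL, memberPrincipal, AllowToImpersonate) are the ones the post uses, but the dictionary layout, the sample entries and principals are constructed assumptions, and clients are matched as regexes following the post's "regex memberPrincipal" suggestion. The only case where the two rule sets disagree is the entry whose admin never set AllowToImpersonate, which is exactly the zero case the post warns about.

```python
import re

# Constructed ACL entries for this example. Attribute names follow the post
# (Krb5DelegationACL entries carrying memberPrincipal and AllowToImpersonate);
# the dict layout itself is an assumption, not the project's real LDAP schema.
DELEGATION_ACLS = [
    {
        # service allowed to delegate, plus the clients it may impersonate,
        # written as regexes per the post's "regex memberPrincipal" idea
        "memberPrincipal": ["HTTP/web.example.com@EXAMPLE.COM"],
        "AllowToImpersonate": [r"[^/@]+@EXAMPLE\.COM"],  # users only, no service principals
    },
    {
        # entry where the admin never set AllowToImpersonate: the "zero case"
        "memberPrincipal": ["HTTP/legacy.example.com@EXAMPLE.COM"],
    },
    {
        # explicit "everyone" under the proposed semantics
        "memberPrincipal": ["HTTP/proxy.example.com@EXAMPLE.COM"],
        "AllowToImpersonate": [r".*"],
    },
]


def may_impersonate(acls, service, client, missing_means_all):
    """Decide whether `service` may impersonate `client`.

    missing_means_all=True  -> the page's current spec: an entry without
                               AllowToImpersonate allows ALL clients.
    missing_means_all=False -> the post's proposal: an entry without
                               AllowToImpersonate allows NO clients.
    In both cases a service with no Krb5DelegationACL entry at all is
    unrestricted, which is what the post states for the missing class.
    """
    entries = [e for e in acls if service in e.get("memberPrincipal", [])]
    if not entries:
        return True  # no ACL object for this service: no restrictions (per the post)
    for entry in entries:
        if "AllowToImpersonate" not in entry:
            if missing_means_all:
                return True
            continue  # zero case denies; another entry may still allow
        if any(re.fullmatch(p, client) for p in entry["AllowToImpersonate"]):
            return True
    return False


def compare_semantics(acls, service, client):
    """Return (current_spec_result, proposed_result) for one decision."""
    return (
        may_impersonate(acls, service, client, missing_means_all=True),
        may_impersonate(acls, service, client, missing_means_all=False),
    )


if __name__ == "__main__":
    cases = [
        ("HTTP/web.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM"),
        ("HTTP/web.example.com@EXAMPLE.COM", "host/db.example.com@EXAMPLE.COM"),
        ("HTTP/legacy.example.com@EXAMPLE.COM", "admin@EXAMPLE.COM"),
        ("HTTP/proxy.example.com@EXAMPLE.COM", "admin@EXAMPLE.COM"),
        ("HTTP/unlisted.example.com@EXAMPLE.COM", "admin@EXAMPLE.COM"),
    ]
    for service, client in cases:
        cur, prop = compare_semantics(DELEGATION_ACLS, service, client)
        print(f"{service:40} -> {client:35} current={cur!s:5} proposed={prop!s:5}")
```

Running it shows the web and proxy services deciding identically under both rule sets, while the legacy entry flips from "may impersonate admin" to "may impersonate nobody": under the current spec an incompletely written ACL object silently grants the broadest possible right, under the proposal it grants nothing until the admin spells out a pattern such as `.*`.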
