On Thu, 2014-02-20 at 22:36 +0100, Rick van Rein wrote:

> Hello Simo,
>
> I had a look at the project page KerberosDelegationACL, and one thing struck
> me as odd about the specification.
>
> * lack of AllowToImpersonate means ALL clients can be impersonated.
>
> This appears non-intuitive to me; moreover, treating the “zero case” in a
> special way almost always leads to trouble, exceptions and security hazards.
> If not in code, then it usually confuses the security admin or surrounding
> scripts.
>
> I have no idea if this is too late, but the following follows IMHO a more
> consistent / logical line while retaining expressiveness:
>
> * lack of the Krb5DelegationACL class means that NO access control
>   restrictions are applied
> * lack of AllowToImpersonate means NO clients can be impersonated
> * to impersonate ALL clients, use a suitable regex memberPrincipal
>
> FWIW :)
Too late :-)

In the default case you generally allow all in these situations. This compromise comes from the fact that there is no real grouping mechanism in the KDC nor a way to express the concept of "all"; a regex would not really do it unless you are thinking of ".*"

We could change the code so that you have to add the literal "ALL" maybe, I am not opposed, and could easily migrate FreeIPA users to that syntax.

Shawn, what do you think ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
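To make the "zero case" the thread argues about concrete, here is a small evaluator added as an illustration; it is not the KerberosDelegationACL schema nor the KDC or FreeIPA code, and the mode names and the `may_impersonate` function are assumptions. It models the three readings of a missing AllowToImpersonate attribute (the spec as written, Rick's default-deny proposal, and Simo's literal "ALL") and anchors the memberPrincipal regex with fullmatch so a pattern cannot silently match a longer principal than intended.

```python
"""Model of the three readings of AllowToImpersonate discussed in the thread.
Hypothetical evaluator for illustration only, not the KDC/FreeIPA code."""
import re
from typing import Optional, Sequence

# Policy modes, named here for illustration (assumption, not on the wiki page):
IMPLICIT_ALL = "implicit-all"   # spec as written: attribute absent => any client
EXPLICIT = "explicit"           # Rick's proposal: attribute absent => no client
LITERAL_ALL = "literal-all"     # Simo's idea: the literal "ALL" grants everyone


def _matches(pattern: str, principal: str) -> bool:
    """memberPrincipal-style regex match.

    fullmatch() anchors the pattern at both ends, so '.*@EXAMPLE\\.COM' does
    not also match 'alice@EXAMPLE.COMPANY' the way re.search() would.
    """
    return re.fullmatch(pattern, principal) is not None


def may_impersonate(allow_to_impersonate: Optional[Sequence[str]],
                    client: str, mode: str) -> bool:
    """Return True if `client` may be impersonated under the rule.

    `allow_to_impersonate` is None when the attribute is absent from the
    Krb5DelegationACL entry, otherwise a list of memberPrincipal regexes.
    An attribute that is present but empty grants nothing in every mode;
    only true absence triggers the default-allow of IMPLICIT_ALL.
    """
    if allow_to_impersonate is None:
        # The zero case: one reading grants everything, the others nothing.
        return mode == IMPLICIT_ALL
    for entry in allow_to_impersonate:
        if mode == LITERAL_ALL and entry == "ALL":
            return True           # explicit opt-in to "all clients"
        if _matches(entry, client):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample principals, not taken from any real realm.
    for mode in (IMPLICIT_ALL, EXPLICIT, LITERAL_ALL):
        print(mode, "absent ->", may_impersonate(None, "alice@EXAMPLE.COM", mode))
```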
