Does MIT Kerberos KDC support Constrained Delegation natively

Yu Yu
Dear friends,

Might I ask if MIT Kerberos KDC supports the Constrained Delegation (S4U2Self
and S4U2Proxy) feature natively, or if an additional back-end (for example,
LDAP) is required for it?
I am new to the Kerberos area, and could not find any documentation about this.
Please kindly let me know if the mail does not conform to the mail list
policy.
Thanks all in advance!

Regards,
Jonathan
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Does MIT Kerberos KDC support Constrained Delegation natively

Greg Hudson
On 08/02/2017 07:43 AM, Yu Yu wrote:
> Might I ask if MIT Kerberos KDC supports the Constrained Delegation (S4U2Self
> and S4U2Proxy) feature natively, or if an additional back-end (for example,
> LDAP) is required for it?

The LDAP KDB module (which is still technically "native") is required to
configure constrained delegation permissions in the KDC.

One configures them by setting "krbAllowedToDelegateTo" attribute values
on the intermediate principal LDAP entry, where each value is an allowed
target service principal name.
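
Added example (not part of the thread and not MIT krb5 code): a small reviewer's script that reads an LDIF export of the KDC's LDAP principal entries and lists which intermediate principals carry "krbAllowedToDelegateTo" values, and for which targets. The realm, DNs and principal names in the sample are constructed, and the function names are hypothetical.

```python
import base64

# Constructed sample LDIF: realm EXAMPLE.COM, DNs and principals are made up.
SAMPLE_LDIF = "\n".join([
    "dn: krbPrincipalName=HTTP/web.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,dc=example,dc=com",
    "krbPrincipalName: HTTP/web.example.com@EXAMPLE.COM",
    "krbAllowedToDelegateTo: ldap/dir.example.com@EXAMPLE.COM",
    # LDIF may base64-encode a value ("attr:: ...")
    "krbAllowedToDelegateTo:: "
    + base64.b64encode(b"postgres/db.example.com@EXAMPLE.COM").decode(),
    "krbAllowedToDelegateTo: imap/mail.example.com@EXAMP",
    " LE.COM",  # folded continuation line (starts with one space)
    "",
    "dn: krbPrincipalName=host/build.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,dc=example,dc=com",
    "krbPrincipalName: host/build.example.com@EXAMPLE.COM",
])

def unfold(text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def delegation_map(ldif_text):
    """Return {intermediate principal: sorted allowed targets} for entries with grants.
    Simplification: if an entry has several krbPrincipalName values, the last one is used."""
    grants, principal, targets = {}, None, []
    for line in unfold(ldif_text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():  # blank line ends an entry
            if principal and targets:
                grants[principal] = sorted(targets)
            principal, targets = None, []
            continue
        if line.startswith("#"):  # LDIF comment
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "krbprincipalname":
            principal = value
        elif attr.lower() == "krballowedtodelegateto":
            targets.append(value)
    return grants

if __name__ == "__main__":
    for intermediate, allowed in delegation_map(SAMPLE_LDIF).items():
        print(intermediate, "->", ", ".join(allowed))
```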