directory-dev mailing list archives

From Alex Karasulu <>
Subject Re: [Kerberos] Constrained Delegation Support?
Date Wed, 23 Sep 2009 00:05:55 GMT
On Wed, Sep 23, 2009 at 3:01 AM, Marc Boorshtein <> wrote:

> On Tue, Sep 22, 2009 at 7:50 PM, Alex Karasulu <> wrote:
>> No we really have not but its not so hard to do I think.  We just need to
>> add the A2D2 attribute to the schema and enable some authorization checks in
>> the KDC to make sure it constrains the service tickets the KDC grants to
>> service accounts based on the contents of this attribute.  Not hard at all
>> to do I think.
> Well I'll be honest I have no idea how to implement s4u2self and s4u2proxy
> but I will say that IF you guys decide to implement it (which I think would
> be really cool) I can say that what we did run into in our deployment was
> that constrained delegation didn't work well with cross forest trusts where
> a user is in one forest and the device generating and consuming the tickets
> are in a separate forest.  The commercial product did not work at all.
> Should you guys want to implement I can setup a scenario that would
> reproduce what I saw.

I thought KCD did not work across forests/domains but I'm reaching here so
double check me.  I'm itching to get all over these Kerberos features myself
but have had no time as usual to get deep into them.  Hopefully we can
fulfil some of our critical needs on the LDAP side and move on to frolic
around in the Kerberos side for a while.


Alex Karasulu
My Blog ::
Apache Directory Server ::
Apache MINA ::
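The KDC-side authorization check sketched in the quoted message (grant a service account an on-behalf-of ticket only for targets listed in its allowed-to-delegate-to attribute) can be illustrated with a small model. The following is an added example and is not ApacheDS code or anything from this thread. It assumes an in-memory directory of service accounts, uses the Active Directory attribute name `msDS-AllowedToDelegateTo` for what the thread calls A2D2, requires the evidence ticket to carry the FORWARDABLE flag as MS-SFU specifies for S4U2Proxy, and, as a modelling choice that mirrors the cross-forest limitation reported in the thread, refuses targets outside the KDC's own realm. The function names, principals and directory contents are all constructed for the example.

```python
from dataclasses import dataclass, field

A2D2_ATTRIBUTE = "msDS-AllowedToDelegateTo"  # AD attribute the thread calls A2D2


@dataclass
class ServiceAccount:
    """A service account entry and the SPNs it may delegate to (constructed)."""
    principal: str
    allowed_to_delegate_to: list = field(default_factory=list)


@dataclass
class EvidenceTicket:
    """The user's ticket to the front-end service, sent in additional-tickets."""
    client: str
    service: str
    forwardable: bool  # S4U2Proxy requires the FORWARDABLE flag (MS-SFU)


@dataclass
class IssuedTicket:
    client: str
    service: str
    delegated_by: str


class DelegationDenied(Exception):
    """Raised when the KDC refuses the S4U2Proxy request."""


def realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[1].upper() if "@" in principal else ""


def normalize_spn(spn: str) -> tuple:
    """Compare SPNs case-insensitively and without a trailing realm."""
    name = spn.rsplit("@", 1)[0] if "@" in spn else spn
    service_class, _, instance = name.partition("/")
    return (service_class.lower(), instance.lower())


def authorize_s4u2proxy(directory, requester, target_spn, evidence, kdc_realm):
    """Decide whether the KDC may issue a ticket for target_spn on behalf of
    the user named in the evidence ticket, as requested by the service
    account `requester`. Returns an IssuedTicket or raises DelegationDenied."""
    account = directory.get(requester)
    if account is None:
        raise DelegationDenied(f"{requester} is not a known service account")
    if evidence.service != requester:
        raise DelegationDenied("evidence ticket was not issued to the requesting service")
    if not evidence.forwardable:
        raise DelegationDenied("evidence ticket is not forwardable")
    # Assumption of this model: delegation stays inside the KDC's own realm.
    target_realm = realm_of(target_spn) or kdc_realm
    if target_realm != kdc_realm or realm_of(evidence.client) != kdc_realm:
        raise DelegationDenied("delegation is constrained to this realm")
    # The core constraint: the target must appear in the account's A2D2 values.
    allowed = {normalize_spn(s) for s in account.allowed_to_delegate_to}
    if normalize_spn(target_spn) not in allowed:
        raise DelegationDenied(f"{target_spn} is not in {A2D2_ATTRIBUTE} of {requester}")
    return IssuedTicket(client=evidence.client, service=target_spn, delegated_by=requester)


# Constructed sample directory: one web front end allowed to reach two back ends.
SAMPLE_DIRECTORY = {
    "HTTP/web.example.com@EXAMPLE.COM": ServiceAccount(
        "HTTP/web.example.com@EXAMPLE.COM",
        ["cifs/fs01.example.com", "MSSQLSvc/db01.example.com:1433"],
    ),
}


def demo() -> IssuedTicket:
    """A permitted request: the listed CIFS target, matched case-insensitively."""
    evidence = EvidenceTicket("alice@EXAMPLE.COM", "HTTP/web.example.com@EXAMPLE.COM", True)
    return authorize_s4u2proxy(
        SAMPLE_DIRECTORY,
        "HTTP/web.example.com@EXAMPLE.COM",
        "CIFS/FS01.example.com@EXAMPLE.COM",
        evidence,
        "EXAMPLE.COM",
    )


if __name__ == "__main__":
    print(demo())
```

The check is deliberately ordered so that the cheap structural tests (known account, matching evidence ticket, forwardable flag) fail before the attribute lookup; in a real KDC the attribute read is the directory round trip, and each refusal reason is a distinct event worth logging, since a service account repeatedly asking for targets outside its list is exactly the behaviour the constraint exists to contain.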
