logo_kerberos.gif

Projects/SignedPathNamingExts

From K5Wiki
< Projects
Revision as of 12:21, 8 May 2010 by Lukeh (talk | contribs) (New page: {{project-rel|1.9}} ==Background== Implement a mechanism for exposing the constrained delegation transited services path via GSS naming extensions. ==Architecture== ==Implementation== ...)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
This project was completed in release 1.9.


Background

Implement a mechanism for exposing the constrained delegation transited services path via GSS naming extensions.

Architecture

Implementation

A new authorization data naming extensions backend is added in src/lib/krb5/krb/s4u_authdata.c. This maps the "delegated" member of krb5_ad_signedpath (KRB5_AUTHDATA_SIGNTICKET) to the urn:constrained-delegation:transited-services attribute.

No support for the transited services encoding in [MS-PAC] is yet provided, because that would require an NDR interpreter within the krb5 runtime. This would be more suitably implemented as a third-party plugin.

Status

Code is in the users/lhoward/signedpath-naming-exts branch.

Retrieved from "https://k5wiki.kerberos.org./wiki?title=Projects/SignedPathNamingExts&oldid=3273"