Kerberos/GSSAPI credentials delegation/ticket fowarding
AiO
aio.sasl at aio.nu
Tue Oct 16 05:00:45 EDT 2018
Hello all,
I'm trying to figure out how to make Cyrus SASL handle
Kerberos ticket delegation. I have read the mailing lists and the
information is a bit thin on this topic. I saw that Morten and Rob had
discussions about it back int 2003. And also S4U2 was discussed at some
point between Howard and Alexey back in 2010.
I am looking to be able to pass user identity to services behind a
front-service - Much like Apache is able to do with mod_auth_kerb or
mod_auth_gssapi. To maintain the user identity for accessing for example
databases and such in a larger ecosystem of services. Or OpenSSH is able
to do delegation. In both Apache and OpenSSHD there are additional
configuration parameters to GSSAPI... Can the Cyrus SASL library be used
in the same manner? (Given that the KDC and service policies are
configured correctly, either unconstrained delegation or S4U2 delegation)
Play with the idea that I want to write an IMAP server that stores its
data in a PostgreSQL database, and I want to restrict users access to
various parts of the database using the built-in ACL's to secure the
stored data. In this example; authentication on to IMAP using GSSAPI and a
previously received ticket and then delegation of credentials achieve full
single-sign-on authentication and authorization to the data.
In my case I have a Qpid Proton AMQP serice. I have managed to get GSSAPI
single-sign-on working to it using Cyrus SASL (libsasl) that is linked
with Qpid Proton. This is all good and totally AWESOME! However. How on
earth do I convince the libsasl-process instance to impersonate the user
when accessing other kerberized services. Yes as users. Not
service-service.
Is there something additional that can be added to the
/etc/sasl2/<service>.conf file that might convince the GSSAPI-parts of
SASL to do this automagically? I'm a bit lost, currently. I hope to find
someone here that know how to do this wizardry. :) Thanks in advance!
Kind regards,
AiO
More information about the Cyrus-sasl
mailing list