Commit Graph

3 Commits

Author SHA1 Message Date
Alexander Bokovoy
0bf0b2d251 doc/designs/rbcd.md: document use of S-1-18-* SIDs
Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
Alexander Bokovoy
667b82a870 doc/designs/rbcd.md: add usage examples
Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
Alexander Bokovoy
b035ac8eb9 doc: add design document for Kerberos constrained delegation
FreeIPA Kerberos implementation already supports delegation of
credentails, both unconstrained and constrained. Constrained delegation
is an extension developed by Microsoft and documented in MS-SFU
specification. MS-SFU specification also includes resource-based
constrained delegation (RBCD) which FreeIPA did not support.

Microsoft has decided to force use of RBCD for forest trust. This means
that certain use-cases will not be possible anymore.

This design document outlines approaches used by FreeIPA for constrained
delegation implementation, including RBCD.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00