mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
b035ac8eb9
FreeIPA Kerberos implementation already supports delegation of credentails, both unconstrained and constrained. Constrained delegation is an extension developed by Microsoft and documented in MS-SFU specification. MS-SFU specification also includes resource-based constrained delegation (RBCD) which FreeIPA did not support. Microsoft has decided to force use of RBCD for forest trust. This means that certain use-cases will not be possible anymore. This design document outlines approaches used by FreeIPA for constrained delegation implementation, including RBCD. Fixes: https://pagure.io/freeipa/issue/9354 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>