Setting Kerberos delegation on AD user account from Linux via Active Roles

Hello

I am wondering if anyone has a solution or ideas on how to use Active Roles to set values for the msDS-AllowedToDelegateTo attribute (used in Kerberos delegation) for a 3rd party application's Active Directory service account, setting the values on its own SELF account. We want to be able to automate this from a Linux host (RHEL7) where we are also using VAS. We would like to avoid granting the "Enable computer and user accounts to be trusted for delegation" privilege on the AD DCs to the 3rd party app's AD account, but we are OK to allow this via the AR override account.

On Windows I could consider using the MSI install of the ADSI components, but I don't know if I have this option for the Linux host. I'd like to be able to help the other team find a scripted solution on RHEL7, but I'm not sure what options might be possible here.

Thanks

  • Hi

    I am not aware of any Active Roles ADSI components available for Linux.

    In terms of the msDS-AllowedToDelegateTo attribute, are you expecting an application (on Linux) to set this, or is it going to be some Administrator from Linux (the WI, the web interface)?

    If it's just via the WI, you could expose the msDS-AllowedToDelegateTo attribute in a custom form, restrict it to certain users, and just create an AT which grants access to write those attributes.

    However, it's not 100% clear what you're trying to do and where from.

    Kind regards

    Stu

  • Hi Stu

    We want the application team to be able to update the values of a service account by some means from RHEL. Since I posted this we have had progress, and using Python they have been able to send almost templated SPML to our Active Roles servers to update the values. We have set up Access Template links in AR to allow writing to these attributes.
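As an added example (not code from the thread or from One Identity), here is the kind of templated SPML 2.0 modifyRequest a Python script on RHEL could build to replace msDS-AllowedToDelegateTo, with a pre-send allow-list check so the account can only be pointed at SPNs in the application's own DNS suffix. The SPML/DSML namespaces, psoID format, endpoint URL and sample SPNs are assumptions; check them against your Active Roles SPML provider's schema.

```python
# Added example: build an SPML 2.0 (DSML profile) modifyRequest that sets
# msDS-AllowedToDelegateTo, after validating the SPN list.
import re
import urllib.request
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"          # assumed SPML core namespace
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"     # assumed DSML profile namespace
ET.register_namespace("spml", SPML_NS)
ET.register_namespace("dsml", DSML_NS)

# service/host[:port]; the host must sit under the suffix the app is allowed to reach.
_SPN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*/([A-Za-z0-9._-]+)(?::\d{1,5})?$")


def is_permitted_spn(spn, allowed_suffix=".example.com"):
    """True if spn is well-formed and its host ends with the allowed DNS suffix."""
    m = _SPN_RE.match(spn)
    return bool(m) and m.group(1).lower().endswith(allowed_suffix.lower())


def build_modify_request(pso_id, spns, allowed_suffix=".example.com"):
    """Return the SPML modifyRequest XML; refuse any SPN outside the allow-list."""
    bad = [s for s in spns if not is_permitted_spn(s, allowed_suffix)]
    if bad:
        raise ValueError(f"SPN(s) not permitted for delegation: {bad}")
    req = ET.Element(f"{{{SPML_NS}}}modifyRequest", requestID="set-delegation")
    ET.SubElement(req, f"{{{SPML_NS}}}psoID", ID=pso_id)   # psoID form is assumed
    mod = ET.SubElement(req, f"{{{SPML_NS}}}modification")
    dmod = ET.SubElement(mod, f"{{{DSML_NS}}}modification",
                         name="msDS-AllowedToDelegateTo", operation="replace")
    for spn in spns:
        ET.SubElement(dmod, f"{{{DSML_NS}}}value").text = spn
    return ET.tostring(req, encoding="unicode")


def delegation_targets(xml_text):
    """Parse a request back and list the SPNs it would write (for review before sending)."""
    root = ET.fromstring(xml_text)
    return [v.text for v in root.iter(f"{{{DSML_NS}}}value")]


def send_request(xml_text, url="https://activeroles.example.com/SPML/"):  # assumed endpoint
    """POST the request to the Active Roles SPML provider; returns the response body."""
    data = xml_text.encode("utf-8")
    http_req = urllib.request.Request(url, data=data, headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(http_req, timeout=30) as resp:   # auth is site-specific
        return resp.read().decode("utf-8")
```

The allow-list keeps the 3rd party team's script from widening delegation beyond the hosts the application actually needs, which is the same least-privilege concern that motivated withholding the "trusted for delegation" right.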

  • Thanks

    Nice option, yes, as long as the SPML schema files include the appropriate attribute you want to change, you can do it via that.

    This won't help you now, but may help you in future. It was announced at vUnite that a REST API server is being released for Active Roles (https://www.youtube.com/watch?v=VI6v5C1cWSQ), which might be better for you in future (if you've only installed the SPML provider just for this task).

    Is there anything else you need assistance with?
