#3643 [RFE] Allow confining s4u2proxy by groups
Closed: Invalid. Opened 10 years ago by dpal.

Right now there is a way to say that HTTP is allowed to request tickets for LDAP on a user's behalf. But it uses a generic delegation mechanism. As we move forward we expect more s4u2proxy-based solutions and services. We need to be prepared to deal with more granular access control requirements in this case.

The ACL data is stored in the special entries. Current use cases do not require limiting s4u2proxy by user groups but there are some future cases where this might be needed.

Also see #3642. It might be that we just limit the access of the principal to the service itself (by group) and prevent getting to the service itself rather than restricting delegation, but maybe we would have to do both.


This is already implemented through the ipaAllowToImpersonate attribute.
In the default policy used for IPA's own HTTP server we do not set it, as not setting this attribute means 'ANY'.
The attribute can be a group DN and has the same semantics as ipaAllowedTarget.
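As an added illustration (not part of the ticket or FreeIPA's shipped configuration), the following LDIF shows what a confined s4u2proxy ACL looks like when ipaAllowToImpersonate is set next to ipaAllowedTarget. The container cn=s4u2proxy,cn=etc and the object classes ipaKrb5DelegationACL and groupOfPrincipals are the ones FreeIPA uses for these ACLs; the realm, host names, principal names and entry names are assumptions, and the assumption that the group referenced by ipaAllowToImpersonate lists user principals via memberPrincipal follows from the comment above stating it has the same semantics as ipaAllowedTarget.

```ldif
# Added example, not from the ticket or from FreeIPA itself.
# Realm EXAMPLE.COM, host names and principal names are constructed.

# Users the rule may impersonate. Only these principals can be the
# "user" in an S4U2Proxy request made under the rule below.
# (Assumption: the referenced group lists principals via memberPrincipal,
# as the comment says ipaAllowToImpersonate mirrors ipaAllowedTarget.)
dn: cn=webapp-delegation-users,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: top
objectClass: groupOfPrincipals
cn: webapp-delegation-users
memberPrincipal: alice@EXAMPLE.COM
memberPrincipal: bob@EXAMPLE.COM

# Services the rule may obtain tickets for on the user's behalf.
dn: cn=webapp-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: top
objectClass: groupOfPrincipals
cn: webapp-delegation-targets
memberPrincipal: ldap/ipa.example.com@EXAMPLE.COM

# The ACL itself. memberPrincipal names the service allowed to delegate,
# ipaAllowedTarget confines *which services* it may delegate to, and
# ipaAllowToImpersonate confines *which users* it may act for.
# Leaving ipaAllowToImpersonate out (as IPA's own HTTP policy does) means
# "any user"; setting it is the group-level confinement this RFE asks for.
dn: cn=webapp-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: top
objectClass: groupOfPrincipals
objectClass: ipaKrb5DelegationACL
cn: webapp-delegation
memberPrincipal: HTTP/webapp.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=webapp-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
ipaAllowToImpersonate: cn=webapp-delegation-users,cn=s4u2proxy,cn=etc,dc=example,dc=com
```

The practical check is the negative case: after loading such a rule, a constrained-delegation request by HTTP/webapp for a user who is not in webapp-delegation-users should be refused by the KDC, while the same request for alice or bob against ldap/ipa.example.com should succeed. Review rules periodically for entries that set ipaAllowedTarget but no ipaAllowToImpersonate, since those are the "any user" rules.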

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago

