[19961] in Kerberos_V5_Development
Proposed libkrb5 APIs for name attributes
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Jul 31 18:37:32 2019
From: Greg Hudson <ghudson@mit.edu>
To: <krbdev@mit.edu>
Date: Wed, 31 Jul 2019 18:37:06 -0400
Message-ID: <x7d36ilq19p.fsf@mit.edu>

Right now a GSS server application can get access to PAC information and
auth indicators using the RFC 6680 APIs (such as
gss_get_name_attribute()) on the src_name returned by
gss_accept_sec_context().

The libkrb5 interfaces used to implement these APIs are private:
krb5_auth_con_get_authdata_context() to get a krb5_authdata_context (a
private type) and then a set of functions like
krb5_authdata_get_attribute().

I understand that Samba needs to access auth indicators in a non-GSS
server application.  Rather than bring the whole set of
krb5_authdata_context interfaces into the public API, I am inclined to
add just one or two new auth context APIs:

    krb5_error_code KRB5_CALLCONV
    krb5_auth_con_get_attribute(krb5_context context,
                                krb5_auth_context auth_context,
                                const krb5_data *attribute,
                                krb5_boolean *authenticated,
                                krb5_boolean *complete, krb5_data *value,
                                krb5_data *display_value, int *more);

and maybe:

    krb5_error_code KRB5_CALLCONV
    krb5_auth_con_get_attribute_types(krb5_context context,
                                      krb5_auth_context auth_context,
                                      krb5_data **attrs);

    void KRB5_CALLCONV
    krb5_free_data_list(krb5_context context, krb5_data *list);

But first I'd like to confirm that these would be sufficient.
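
Added example, not part of the original message and not libkrb5 or GSS-API code: a caller-side check for one auth indicator that follows the RFC 6680 value-iteration contract used by gss_get_name_attribute() (set more to -1 before the first call, stop when it comes back 0) and trusts only values flagged authenticated. The struct buf type, the attr_getter callback, sample_get() and the indicator strings used with it are hypothetical stand-ins constructed so the code runs offline.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for gss_buffer_desc / krb5_data: length-counted, not NUL-terminated. */
struct buf { size_t length; const char *data; };

/* Hypothetical getter type modelling the RFC 6680 iteration contract: the
 * caller sets *more = -1 before the first call; each call yields one value
 * and sets *more = 0 once the last value has been returned. */
typedef int (*attr_getter)(void *src, int *authenticated, struct buf *value,
                           int *more);

/* Constructed sample source: a fixed list of indicator values. */
struct sample { int authenticated; size_t count; const char **vals; };

int sample_get(void *src, int *authenticated, struct buf *value, int *more)
{
    struct sample *s = src;
    size_t i = (*more < 0) ? 0 : (size_t)*more;

    if (i >= s->count)
        return -1;                      /* attribute absent or exhausted */
    *authenticated = s->authenticated;
    value->data = s->vals[i];
    value->length = strlen(s->vals[i]);
    *more = (i + 1 < s->count) ? (int)(i + 1) : 0;
    return 0;
}

/* Return 1 only if some value equals wanted AND was flagged authenticated. */
int has_indicator(attr_getter get, void *src, const char *wanted)
{
    size_t wlen = strlen(wanted);
    int more = -1, found = 0;

    while (more != 0) {
        struct buf v = { 0, NULL };
        int authenticated = 0;

        if (get(src, &authenticated, &v, &more) != 0)
            return 0;                   /* fail closed on any error */
        if (authenticated && v.length == wlen &&
            memcmp(v.data, wanted, wlen) == 0)
            found = 1;                  /* exact, length-aware match only */
    }
    return found;
}
```
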