between Kerberos principals and local system accounts. The following
built-in modules exist for this interface:
-**auth_to_local**
- This module processes **auth_to_local** values in the default
- realm's section, and applies the default method if no
- **auth_to_local** values exist.
-
-**an2ln**
- This module authorizes a principal to a local account if the
- principal name maps to the local account name.
-
**default**
This module implements the **DEFAULT** type for **auth_to_local**
values.
-**k5login**
- This module authorizes a principal to a local account according to
- the account's :ref:`.k5login(5)` file.
+**rule**
+ This module implements the **RULE** type for **auth_to_local**
+ values.
**names**
This module looks for an **auth_to_local_names** mapping for the
principal name.
-**rule**
- This module implements the **RULE** type for **auth_to_local**
- values.
+**auth_to_local**
+ This module processes **auth_to_local** values in the default
+ realm's section, and applies the default method if no
+ **auth_to_local** values exist.
+
+**k5login**
+ This module authorizes a principal to a local account according to
+ the account's :ref:`.k5login(5)` file.
+
+**an2ln**
+ This module authorizes a principal to a local account if the
+ principal name maps to the local account name.
PKINIT options
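Review bot: The introductory sentence ("The following built-in modules exist for this interface:") still reads as an unordered catalogue, while the entries are being rearranged into the sequence default, rule, names, auth_to_local, k5login, an2ln, which follows the registration calls in the code part of this patch as far as they are visible. If the order is now meaningful to administrators, say so in that sentence, for example "listed in the order they are consulted", so a later edit does not reshuffle the list.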
If the module does not set **an2ln_types** but does implement
**an2ln**, the module's **an2ln** method will be invoked for all
-:c:func:`krb5_aname_to_localname` operations before the built-in
-mechanisms are applied, with *type* and *residual* set to NULL. The
-module can return KRB5_LNAME_NO_TRANS to defer mapping to the built-in
-mechanisms.
+:c:func:`krb5_aname_to_localname` operations unless an earlier module
+determines a mapping, with *type* and *residual* set to NULL. The
+module can return KRB5_LNAME_NO_TRANS to defer mapping to later
+modules.
If a module implements **an2ln**, it must also implement
**free_string** to ensure that memory is allocated and deallocated
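Review bot: The replacement text for an untyped **an2ln** module ("unless an earlier module determines a mapping", "defer mapping to later modules") uses "earlier" and "later" without saying what decides a module's position. The removed wording gave plugin authors a concrete guarantee (invoked before the built-in mechanisms). The new wording should state where a loaded module falls relative to the built-in ones, and point out that a module written against the old guarantee may no longer get the first chance to map a principal.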
return 0;
}
-/* If mod is in list, move it to the back. */
-static void
-move_to_back(krb5_plugin_initvt_fn *list, krb5_plugin_initvt_fn mod)
-{
- for (; *list != NULL && *list != mod; list++);
- if (*list == NULL)
- return;
- for (; *list != NULL; list++)
- *list = *(list + 1);
- *(list - 1) = mod;
-}
-
/* Get the registered localauth modules including all built-in modules, in the
* proper order. */
static krb5_error_code
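Review bot: The retained comment just below the removed helper still promises the modules "in the proper order", but with move_to_back() deleted nothing in view defines what that order is. Spell it out in the comment (which modules come first, and where loaded modules sit relative to the built-in ones) so the precedence of principal-to-account mapping can be checked from the source.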
*modules_out = NULL;
/* Register built-in modules. */
- ret = k5_plugin_register(context, intf, "auth_to_local",
- localauth_auth_to_local_initvt);
+ ret = k5_plugin_register(context, intf, "default",
+ localauth_default_initvt);
if (ret)
return ret;
- ret = k5_plugin_register(context, intf, "names", localauth_names_initvt);
+ ret = k5_plugin_register(context, intf, "rule", localauth_rule_initvt);
if (ret)
return ret;
- ret = k5_plugin_register(context, intf, "default",
- localauth_default_initvt);
+ ret = k5_plugin_register(context, intf, "names", localauth_names_initvt);
if (ret)
return ret;
- ret = k5_plugin_register(context, intf, "rule", localauth_rule_initvt);
+ ret = k5_plugin_register(context, intf, "auth_to_local",
+ localauth_auth_to_local_initvt);
if (ret)
return ret;
ret = k5_plugin_register(context, intf, "k5login",
if (ret)
return ret;
- /* Move built-in userok and untyped an2ln localauth modules to back so we
- * try loaded modules first. */
- move_to_back(*modules_out, localauth_names_initvt);
- move_to_back(*modules_out, localauth_auth_to_local_initvt);
- move_to_back(*modules_out, localauth_k5login_initvt);
- move_to_back(*modules_out, localauth_an2ln_initvt);
-
return 0;
}
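Review bot: Dropping the four move_to_back() calls together with their comment ("so we try loaded modules first") removes the only visible step that put loaded modules ahead of the built-in names, auth_to_local, k5login and an2ln modules. For a site running a third-party localauth module this changes which module gets the first say in mapping and authorizing a principal to a local account, so it deserves an explicit statement in the commit message or release notes. If the registration order above is now the evaluation order, add a short comment here saying so.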