From: Matt Rogers Date: Fri, 13 May 2016 01:20:17 +0000 (-0400) Subject: Add GSSAPI name attribute documentation X-Git-Tag: krb5-1.15-beta1~167 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=af2442f04e408bfa04cbe2e317be982ec47af674;p=thirdparty%2Fkrb5.git Add GSSAPI name attribute documentation Also add a reference to the auth-indicator name attribute in auth_indicator.rst. [ghudson@mit.edu: edited for brevity and cross-referencing] ticket: 8425 --- diff --git a/doc/admin/auth_indicator.rst b/doc/admin/auth_indicator.rst index b70a8dfc53..229a0708a4 100644 --- a/doc/admin/auth_indicator.rst +++ b/doc/admin/auth_indicator.rst @@ -51,3 +51,7 @@ but a user who authenticates with a password would not:: $ kvno host/high.value.server kvno: KDC policy rejects request while getting credentials for host/high.value.server@KRBTEST.COM + +GSSAPI server applications can inspect authentication indicators +through the :ref:`auth-indicator ` name +attribute. diff --git a/doc/appdev/gssapi.rst b/doc/appdev/gssapi.rst index 05e4059f26..eafbb75f89 100644 --- a/doc/appdev/gssapi.rst +++ b/doc/appdev/gssapi.rst 
@@ -171,6 +171,26 @@ type which is mapped to a krb5 principal name, clients will only be allowed to authenticate to that principal in the default keytab. +Name Attributes +--------------- + +In release 1.8 or later, the gss_inquire_name_ and +gss_get_name_attribute_ functions, specified in :rfc:`6680`, can be +used to retrieve name attributes from the *src_name* returned by +gss_accept_sec_context_. The following attributes are defined when +the krb5 mechanism is used: + +.. _gssapi_authind_attr: + +* "auth-indicator" attribute: + +This attribute will be included in the gss_inquire_name_ output if the +ticket contains :ref:`authentication indicators `. +One indicator is returned per invocation of gss_get_name_attribute_, +so multiple invocations may be necessary to retrieve all of the +indicators from the ticket. (New in release 1.15.) + + Importing and exporting credentials ----------------------------------- @@ -517,6 +537,8 @@ gss_get_mic_iov_length and gss_get_mic_iov:: .. _gss_accept_sec_context: http://tools.ietf.org/html/rfc2744.html#section-5.1 .. _gss_acquire_cred: http://tools.ietf.org/html/rfc2744.html#section-5.2 .. _gss_export_name: http://tools.ietf.org/html/rfc2744.html#section-5.13 +.. _gss_get_name_attribute: http://tools.ietf.org/html/6680.html#section-7.5 .. _gss_import_name: http://tools.ietf.org/html/rfc2744.html#section-5.16 .. _gss_init_sec_context: http://tools.ietf.org/html/rfc2744.html#section-5.19 +.. _gss_inquire_name: http://tools.ietf.org/html/rfc6680.txt#section-7.4 .. _gss_inquire_cred: http://tools.ietf.org/html/rfc2744.html#section-5.21
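Review bot: The sentence added at the end of doc/admin/auth_indicator.rst does not say which release provides the name attribute, while the gssapi.rst text in this same patch marks it "(New in release 1.15.)". Consider repeating that release note here, so an administrator reading only this page does not assume that server applications on an older release can inspect indicators this way.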
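Review bot: In the "auth-indicator" paragraph of the new Name Attributes section in doc/appdev/gssapi.rst, "multiple invocations may be necessary to retrieve all of the indicators" does not tell the caller how to know when the last indicator has been returned. A server that bases an authorization decision on indicators needs the complete set, so state the stop condition explicitly; RFC 6680 gives gss_get_name_attribute a *more* argument for this purpose, and the text could say to keep calling until it reports no further values.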
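Review bot: The two link targets added in the last hunk of doc/appdev/gssapi.rst do not follow the pattern of the surrounding entries. The gss_get_name_attribute target is "http://tools.ietf.org/html/6680.html#section-7.5", which is missing the "rfc" prefix used by every neighbouring URL, and the gss_inquire_name target points at "rfc6680.txt#section-7.4", a .txt path carrying a section fragment where the others use .html. Suggest "rfc6680.html#section-7.5" and "rfc6680.html#section-7.4". The gss_inquire_name line is also inserted ahead of gss_inquire_cred, which breaks the alphabetical order of the list.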