authorGreg Hudson <ghudson@mit.edu>2010-07-08 23:34:35 +0000
committerGreg Hudson <ghudson@mit.edu>2010-07-08 23:34:35 +0000
commite220a6288b10e1f9280e8aa2cb18ad56391e0a45 (patch)
treeb052d1e6cb8a61ad28acf1a246fae3e808ba1530 /src/include
parenteb75acd30b4bee1124174c8ba5740a7ad1c97ba4 (diff)
Create a KRB5_KDB_FLAG_ALIAS_OK to control whether plugin modules
should return in-realm aliases. Set it where appropriate, and use it in the LDAP module instead of intuiting the result based on other flags. ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24178 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
-rw-r--r--src/include/kdb.h24
1 files changed, 14 insertions, 10 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index a03361e..49d77aa 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -130,6 +130,8 @@
#define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
/* Cross-realm */
#define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
+/* Allow in-realm aliases */
+#define KRB5_KDB_FLAG_ALIAS_OK 0x00002000
#define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
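Review bot: The one-line comment on the new define says only "Allow in-realm aliases", which leaves a reader of the flag table without the contract that the vtable documentation later spells out (who sets it, and that a module may only return a different entries->princ when it is set); since this is the place most people grep to, the define should carry a pointer to that text, e.g. `/* Allow in-realm aliases: set for server lookups, canonicalizing AS client lookups and by the admin interface; see the db_get_principal flag notes in kdb_vftabl */`. The value 0x00002000 appears to be the next free bit after KRB5_KDB_FLAG_CROSS_REALM, but the hunk does not show the rest of the flag table, so confirm no other flag already claims that bit. The KRB5_KDB_FLAGS_S4U definition continues past the hunk.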
@@ -913,19 +915,17 @@ typedef struct _kdb_vftabl {
* db_get_principal):
*
* KRB5_KDB_FLAG_CANONICALIZE: Set by the KDC when looking up entries for
- * an AS or TGS request with canonicalization requested. Affects
- * whether the module should return out-of-realm referrals and aliases
- * (see below).
+ * an AS or TGS request with canonicalization requested. Determines
+ * whether the module should return out-of-realm referrals.
*
- * KRB5_KDB_INCLUDE_PAC: Set by the KDC during an AS request when the
+ * KRB5_KDB_FLAG_INCLUDE_PAC: Set by the KDC during an AS request when the
* client requested PAC information during padata, and during most TGS
* requests. Indicates that the module should include PAC information
* when generating authorization data.
*
* KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY: Set by the KDC when looking up the
* client entry in an AS request. Affects how the module should return
- * out-of-realm referrals and whether the module should return in-realm
- * aliases (see below).
+ * out-of-realm referrals.
*
* KRB5_KDB_FLAG_MAP_PRINCIPALS: Set by the KDC when looking up the client
* entry during TGS requests, except for S4U TGS requests and requests
@@ -946,10 +946,14 @@ typedef struct _kdb_vftabl {
* during a TGS request, if the client principal is not part of the
* realm being served.
*
- * A module can return in-realm aliases if KRB5_KDB_FLAG_CANONICALIZE is
- * set, or if KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is not set (because
- * aliases are always okay for TGS requests). To return an in-realm alias,
- * fill in a different value for entries->princ than the one requested.
+ * KRB5_KDB_FLAG_ALIAS_OK: Set by the KDC for server principal lookups and
+ * for AS request client principal lookups with canonicalization
+ * requested; also set by the admin interface. Determines whether the
+ * module should return in-realm aliases.
+ *
+ * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set.
+ * To return an in-realm alias, fill in a different value for
+ * entries->princ than the one requested.
*
* A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE
* is set. For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is
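Review bot: The new text states only the positive case ("A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set") and never says what a module must do when the flag is clear and the requested name is an alias, which is the case that matters for correctness — returning the canonical entry anyway would let the KDC issue a ticket for a principal name the caller did not ask for and did not request canonicalization of. The intended behaviour is presumably that the lookup fails as if the alias did not exist; state it, e.g. `* If KRB5_KDB_FLAG_ALIAS_OK is not set, the module must not substitute the` / `* canonical principal for an alias; the lookup should fail as though the` / `* requested name did not exist.`. The first paragraph ("Determines whether the module should return in-realm aliases") and the second ("A module can return in-realm aliases if ...") say the same thing and could be merged into the three-line form above. The enclosing kdb_vftabl comment starts and ends outside this hunk.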