Diffstat (limited to 'src/include/kdb.h')
-rw-r--r-- | src/include/kdb.h | 48 |
1 files changed, 17 insertions, 31 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 5b5c132..c572f8b 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -322,16 +322,6 @@ extern char *krb5_mkey_pwd_prompt2;
 #define KRB5_DB_LOCKMODE_DONTBLOCK 0x0004
 #define KRB5_DB_LOCKMODE_PERMANENT 0x0008
 
-/* db_invoke methods */
-#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
-
-typedef struct _kdb_check_allowed_to_delegate_req {
- krb5_magic magic;
- const krb5_db_entry *server;
- krb5_const_principal proxy;
- krb5_const_principal client;
-} kdb_check_allowed_to_delegate_req;
-
 /* libkdb.spec */
 krb5_error_code krb5_db_setup_lib_handle(krb5_context kcontext);
 krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode );
@@ -620,10 +610,10 @@ void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
 
 void krb5_db_refresh_config(krb5_context kcontext);
 
-krb5_error_code krb5_db_invoke ( krb5_context kcontext,
- unsigned int method,
- const krb5_data *req,
- krb5_data *rep );
+krb5_error_code krb5_db_check_allowed_to_delegate(krb5_context kcontext,
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy);
 
 /* default functions. Should not be directly called */
 /*
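Review bot: `client` and `proxy` in the new `krb5_db_check_allowed_to_delegate` prototype are both `krb5_const_principal`, so a call that passes them in the wrong order compiles cleanly and evaluates the delegation policy for the wrong pair. The removed request struct listed the fields as server, proxy, client, which makes a slip while converting callers and modules plausible; the same applies to the `check_allowed_to_delegate` member in the `kdb_vftabl` hunk. I would add a comment above the prototype such as `/* client: principal the ticket is requested on behalf of; server: entry of the delegating service; proxy: target of the delegation. Any nonzero return must be treated as a denial. */`. The header also no longer states what the wrapper returns when a module leaves the method unset (the removed text named KRB5_PLUGIN_OP_NOTSUPP), and that is worth stating here so callers keep rejecting by default.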
@@ -1282,24 +1272,20 @@ typedef struct _kdb_vftabl {
 void (*refresh_config)(krb5_context kcontext);
 
 /*
- * Optional: Perform an operation on input data req with output stored in
- * rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
- * method. Defined methods are:
- *
- * KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE: req contains a
- * kdb_check_allowed_to_delegate_req structure. Perform a policy check
- * on server being allowed to obtain tickets from client to proxy.
- * (Note that proxy is the target of the delegation, not the delegating
- * service; the term "proxy" is from the viewpoint of the delegating
- * service asking another service to perform some of its work in the
- * authentication context of the client. This terminology comes from
- * the Microsoft S4U protocol documentation.) Return 0 if policy
- * allows it, or an appropriate error (such as KRB5KDC_ERR_POLICY) if
- * not. If this method is not implemented, all S4U2Proxy delegation
- * requests will be rejected. Do not place any data in rep.
+ * Optional: Perform a policy check on server being allowed to obtain
+ * tickets from client to proxy. (Note that proxy is the target of the
+ * delegation, not the delegating service; the term "proxy" is from the
+ * viewpoint of the delegating service asking another service to perform
+ * some of its work in the authentication context of the client. This
+ * terminology comes from the Microsoft S4U protocol documentation.)
+ * Return 0 if policy allows it, or an appropriate error (such as
+ * KRB5KDC_ERR_POLICY) if not. If this method is not implemented, all
+ * S4U2Proxy delegation requests will be rejected.
 */
- krb5_error_code (*invoke)(krb5_context context, unsigned int method,
- const krb5_data *req, krb5_data *rep);
+ krb5_error_code (*check_allowed_to_delegate)(krb5_context context,
+ krb5_const_principal client,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy);
 } kdb_vftabl;
 
 #endif /* !defined(_WIN32) */ |
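Review bot: The last slot of `kdb_vftabl` changes its signature in place, from `invoke(context, method, req, rep)` to `check_allowed_to_delegate(context, client, server, proxy)`, and no hunk in this diff touches a DAL version constant. If the loader still accepts a module built against the old header, libkdb5 would call that module's `invoke` with principal pointers in the `method`/`req`/`rep` positions, which is undefined behaviour on the path that decides S4U2Proxy delegation. Please confirm that `KRB5_KDB_DAL_MAJOR_VERSION` was raised for this release (it may have been bumped in an earlier commit) or that old tables are otherwise rejected at load time. The struct begins outside this hunk, so its version handling and earlier members are not visible here.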