krb5 commit: Add GSSAPI name attribute documentation

Greg Hudson ghudson at mit.edu
Mon Jun 20 11:54:16 EDT 2016


https://github.com/krb5/krb5/commit/af2442f04e408bfa04cbe2e317be982ec47af674
commit af2442f04e408bfa04cbe2e317be982ec47af674
Author: Matt Rogers <mrogers at redhat.com>
Date:   Thu May 12 21:20:17 2016 -0400

    Add GSSAPI name attribute documentation
    
    Also add a reference to the auth-indicator name attribute in
    auth_indicator.rst.
    
    [ghudson at mit.edu: edited for brevity and cross-referencing]
    
    ticket: 8425

 doc/admin/auth_indicator.rst |    4 ++++
 doc/appdev/gssapi.rst        |   22 ++++++++++++++++++++++
 2 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/doc/admin/auth_indicator.rst b/doc/admin/auth_indicator.rst
index b70a8df..229a070 100644
--- a/doc/admin/auth_indicator.rst
+++ b/doc/admin/auth_indicator.rst
@@ -51,3 +51,7 @@ but a user who authenticates with a password would not::
     $ kvno host/high.value.server
     kvno: KDC policy rejects request while getting credentials for
       host/high.value.server at KRBTEST.COM
+
+GSSAPI server applications can inspect authentication indicators
+through the :ref:`auth-indicator <gssapi_authind_attr>` name
+attribute.
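
Review bot: the new paragraph in auth_indicator.rst does not say which release the attribute needs, while the gssapi.rst text it links to marks it "(New in release 1.15.)". An administrator reading only this page could expect the attribute on any release that supports authentication indicators. Consider repeating the release note here, or wording the sentence so the reader knows to check the linked section for availability.
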
diff --git a/doc/appdev/gssapi.rst b/doc/appdev/gssapi.rst
index 05e4059..eafbb75 100644
--- a/doc/appdev/gssapi.rst
+++ b/doc/appdev/gssapi.rst
@@ -171,6 +171,26 @@ type which is mapped to a krb5 principal name, clients will only be
 allowed to authenticate to that principal in the default keytab.
 
 
+Name Attributes
+---------------
+
+In release 1.8 or later, the gss_inquire_name_ and
+gss_get_name_attribute_ functions, specified in :rfc:`6680`, can be
+used to retrieve name attributes from the *src_name* returned by
+gss_accept_sec_context_.  The following attributes are defined when
+the krb5 mechanism is used:
+
+.. _gssapi_authind_attr:
+
+* "auth-indicator" attribute:
+
+This attribute will be included in the gss_inquire_name_ output if the
+ticket contains :ref:`authentication indicators <auth_indicator>`.
+One indicator is returned per invocation of gss_get_name_attribute_,
+so multiple invocations may be necessary to retrieve all of the
+indicators from the ticket.  (New in release 1.15.)
+
+
 Importing and exporting credentials
 -----------------------------------
 
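Review bot: the description under the `* "auth-indicator" attribute:` bullet starts at column 0, so reStructuredText ends the list at that point and renders the text as a separate top-level paragraph rather than as part of the item. Indent the five lines beginning "This attribute will be included" by two spaces so they belong to the bullet; this keeps each description attached to its attribute once more attributes are added to the list. Also note that the `gssapi_authind_attr` label precedes a list item rather than a section title, so every reference to it needs explicit link text, as the one added in auth_indicator.rst has.
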
@@ -517,6 +537,8 @@ gss_get_mic_iov_length and gss_get_mic_iov::
 .. _gss_accept_sec_context: http://tools.ietf.org/html/rfc2744.html#section-5.1
 .. _gss_acquire_cred: http://tools.ietf.org/html/rfc2744.html#section-5.2
 .. _gss_export_name: http://tools.ietf.org/html/rfc2744.html#section-5.13
+.. _gss_get_name_attribute: http://tools.ietf.org/html/6680.html#section-7.5
 .. _gss_import_name: http://tools.ietf.org/html/rfc2744.html#section-5.16
 .. _gss_init_sec_context: http://tools.ietf.org/html/rfc2744.html#section-5.19
+.. _gss_inquire_name: http://tools.ietf.org/html/rfc6680.txt#section-7.4
 .. _gss_inquire_cred: http://tools.ietf.org/html/rfc2744.html#section-5.21
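
Review bot: the two added link targets do not follow the URL pattern of the neighbouring entries. gss_get_name_attribute points at `html/6680.html`, which lacks the `rfc` prefix used by every `rfc2744.html` entry, and gss_inquire_name uses `rfc6680.txt` under `/html/` with a `#section-7.4` fragment. Use the same `rfc6680.html` form for both and check that each resolves to the intended section. gss_inquire_name is also inserted ahead of gss_inquire_cred, which breaks the alphabetical order of the target list.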