Question on PAC and principal APIs project
Sam Hartman
hartmans at MIT.EDU
Wed Feb 11 08:24:53 EST 2009
>>>>> "Natalie" == Natalie Li <Natalie.Li at Sun.COM> writes:
Natalie> Sam Hartman wrote:
>> Note that there is also a mechanism to extract authorization
>> data from a GSS-API context.
>>
Natalie> I'm not too familiar with the MIT codebase. Could you
Natalie> please point me to the relevant source code?
Natalie> Thanks,
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
                                            const gss_ctx_id_t context_handle,
                                            int ad_type,
                                            gss_buffer_t ad_data);
(gssapi_krb5.h)
will pull the authorization data out of a context.
You'd need to pull out ad-if-relevant
and then use
krb5_error_code KRB5_CALLCONV
krb5_decode_authdata_container(krb5_context context,
                               krb5_authdatatype type,
                               const krb5_authdata *container,
                               krb5_authdata ***authdata);
to pull apart the container.
You can then pass the PAC into the APIs described in the project.
Yes, that should be made a bit cleaner. There should be a utility
function to help. If you have the time and want to propose such a
utility that would be an excellent contribution to the project, although discussing the interface may take a bit of time.
If you just want to get work done, that's OK too:-)
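
Added example, not part of the original message and not MIT krb5 code: a bounds-checked walk over the DER AuthorizationData that an AD-IF-RELEVANT element wraps, returning the element of a requested ad-type, to show what pulling apart the container involves. It assumes the input is the ad-data of an AD-IF-RELEVANT element as defined in RFC 4120 and that the PAC uses ad-type 128 (from MS-PAC, not from this message); der_tlv, find_authdata and sample_ad are hypothetical names and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define AD_WIN2K_PAC 128  /* ad-type carrying the PAC (MS-PAC); assumption */

/* Read one DER TLV with the given tag from [*p, end), bounds-checked. */
static int der_tlv(const uint8_t **p, const uint8_t *end, uint8_t tag,
                   const uint8_t **val, size_t *len)
{
    const uint8_t *q = *p;
    size_t n, k;
    if (end - q < 2 || q[0] != tag) return -1;
    n = q[1]; q += 2;
    if (n & 0x80) {                        /* long form: 1..4 length octets */
        k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - q) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;  /* length runs past the buffer */
    *val = q; *len = n; *p = q + n;
    return 0;
}

/* Find the first element of type `want` in the DER AuthorizationData that
 * an AD-IF-RELEVANT element wraps: 0 = found, 1 = absent, -1 = malformed. */
int find_authdata(const uint8_t *buf, size_t buflen, uint32_t want,
                  const uint8_t **data, size_t *datalen)
{
    const uint8_t *p = buf, *end = buf + buflen, *seq, *el, *eend, *f, *v;
    size_t slen, ellen, flen, vlen, i;
    if (der_tlv(&p, end, 0x30, &seq, &slen) || p != end) return -1;
    for (p = seq, end = seq + slen; p < end; ) {
        if (der_tlv(&p, end, 0x30, &el, &ellen)) return -1;
        eend = el + ellen;
        if (der_tlv(&el, eend, 0xa0, &f, &flen) ||      /* ad-type [0] */
            der_tlv(&f, f + flen, 0x02, &v, &vlen) || vlen < 1 || vlen > 4)
            return -1;
        uint32_t type = (v[0] & 0x80) ? 0xffffffffu : 0; /* sign-extend */
        for (i = 0; i < vlen; i++) type = (type << 8) | v[i];
        if (der_tlv(&el, eend, 0xa1, &f, &flen) ||      /* ad-data [1] */
            der_tlv(&f, f + flen, 0x04, &v, &vlen)) return -1;
        if (type == want) { *data = v; *datalen = vlen; return 0; }
    }
    return 1;
}

/* Constructed sample: type 5 ("xy"), then type 128 (4 placeholder bytes). */
const uint8_t sample_ad[] = { 0x30,0x1d,
    0x30,0x0b, 0xa0,0x03,0x02,0x01,0x05, 0xa1,0x04,0x04,0x02,0x78,0x79,
    0x30,0x0e, 0xa0,0x04,0x02,0x02,0x00,0x80, 0xa1,0x06,0x04,0x04,0xde,0xad,0xbe,0xef };
```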