Question on PAC and principal APIs project
Natalie.Li at Sun.COM
Wed Feb 11 14:51:48 EST 2009
That's very helpful. Thanks Sam!
Sam Hartman wrote:
>>>>>> "Natalie" == Natalie Li <Natalie.Li at Sun.COM> writes:
> Natalie> Sam Hartman wrote:
> >> Note that there is also a mechanism to extract authorization
> >> data from a GSS-API context.
> Natalie> I'm not too familiar with the MIT codebase. Could you
> Natalie> please point me to the relevant source code?
> Natalie> Thanks,
> OM_uint32 KRB5_CALLCONV
> gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
> const gss_ctx_id_t context_handle,
> int ad_type,
> gss_buffer_t ad_data);
> will pull the authorization data out of a context.
> You'd need to pull out ad-if-relevant
> and then use
> krb5_error_code KRB5_CALLCONV
> krb5_decode_authdata_container(krb5_context context,
> krb5_authdatatype type,
> const krb5_authdata *container,
> krb5_authdata ***authdata);
> to pull apart the container.
> You can then pass the PAC into the APIs described in the project.
> Yes, that should be made a bit cleaner. There should be a utility
> function to help. If you have the time and want to propose such a
> utility that would be an excellent contribution to the project, although discussing the interface may take a bit of time.
> If you just want to get work done, that's OK too:-)
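Added example, not part of the original message and not MIT krb5 code: per RFC 4120 the ad-data of an AD-IF-RELEVANT element is itself a DER-encoded AuthorizationData sequence, the structure krb5_decode_authdata_container decodes. The self-contained C below walks that encoding with bounds checks and returns the ad-type 128 (AD-WIN2K-PAC) element; the names tlv, find_authdata and sample_authdata are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#define AD_WIN2K_PAC 128   /* ad-type carried by the PAC element */

/* Constructed sample: AuthorizationData with ad-type 5 (1 byte) and
   ad-type 128 (4 placeholder bytes "PAC!"). Not a real PAC. */
const uint8_t sample_authdata[] = {
    0x30,0x1C,
    0x30,0x0A, 0xA0,0x03,0x02,0x01,0x05, 0xA1,0x03,0x04,0x01,0xAA,
    0x30,0x0E, 0xA0,0x04,0x02,0x02,0x00,0x80, 0xA1,0x06,0x04,0x04,'P','A','C','!'
};
/* Read one DER TLV with the expected tag; bounds-check before advancing. */
static int tlv(const uint8_t **p, size_t *n, uint8_t tag,
               const uint8_t **body, size_t *len)
{
    const uint8_t *q = *p;
    size_t left = *n, l, k;
    if (left < 2 || q[0] != tag) return -1;
    l = q[1]; q += 2; left -= 2;
    if (l & 0x80) {                          /* long-form length */
        k = l & 0x7f;
        if (k == 0 || k > 4 || k > left) return -1;
        for (l = 0; k > 0; k--, q++, left--) l = (l << 8) | *q;
    }
    if (l > left) return -1;
    *body = q; *len = l; *p = q + l; *n = left - l;
    return 0;
}

/* Return the ad-data of the first element whose ad-type equals want.
   0 = found, 1 = not present, -1 = malformed or truncated input. */
int find_authdata(const uint8_t *der, size_t n, int32_t want,
                  const uint8_t **out, size_t *outlen)
{
    const uint8_t *seq, *el, *f, *v;
    size_t seqlen, ellen, flen, vlen, i;
    uint32_t u;
    if (tlv(&der, &n, 0x30, &seq, &seqlen) || n != 0) return -1;
    while (seqlen > 0) {
        if (tlv(&seq, &seqlen, 0x30, &el, &ellen)) return -1;
        if (tlv(&el, &ellen, 0xA0, &f, &flen)) return -1;      /* ad-type [0] */
        if (tlv(&f, &flen, 0x02, &v, &vlen) || flen || vlen < 1 || vlen > 4) return -1;
        u = (v[0] & 0x80) ? 0xFFFFFFFFu : 0;                   /* sign-extend */
        for (i = 0; i < vlen; i++) u = (u << 8) | v[i];
        if (tlv(&el, &ellen, 0xA1, &f, &flen) || ellen) return -1; /* ad-data [1] */
        if (tlv(&f, &flen, 0x04, &v, &vlen) || flen) return -1;
        if ((int32_t)u == want) { *out = v; *outlen = vlen; return 0; }
    }
    return 1;
}
```

The returned pointer aliases the input buffer, so the caller must keep that buffer alive while using the PAC bytes.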