Proposed libkrb5 APIs for name attributes
Greg Hudson
ghudson at mit.edu
Wed Jul 31 18:37:06 EDT 2019

Right now a GSS server application can get access to PAC information and
auth indicators using the RFC 6680 APIs (such as
gss_get_name_attribute()) on the src_name returned by
gss_accept_sec_context().

The libkrb5 interfaces used to implement these APIs are private:
krb5_auth_con_get_authdata_context() to get a krb5_authdata_context (a
private type) and then a set of functions like
krb5_authdata_get_attribute().

I understand that Samba needs to access auth indicators in a non-GSS
server application. Rather than bring the whole set of
krb5_authdata_context interfaces into the public API, I am inclined to
add just one or two new auth context APIs:

    krb5_error_code KRB5_CALLCONV
    krb5_auth_con_get_attribute(krb5_context context,
                                krb5_auth_context auth_context,
                                const krb5_data *attribute,
                                krb5_boolean *authenticated,
                                krb5_boolean *complete, krb5_data *value,
                                krb5_data *display_value, int *more);

and maybe:

    krb5_error_code KRB5_CALLCONV
    krb5_auth_con_get_attribute_types(krb5_context context,
                                      krb5_auth_context auth_context,
                                      krb5_data **attrs);

    void KRB5_CALLCONV
    krb5_free_data_list(krb5_context context, krb5_data *list);

But first I'd like to confirm that these would be sufficient.