Diffstat (limited to 'crypto/krb5/doc/plugindev/localauth.rst')
-rw-r--r-- crypto/krb5/doc/plugindev/localauth.rst 43
1 files changed, 0 insertions, 43 deletions
diff --git a/crypto/krb5/doc/plugindev/localauth.rst b/crypto/krb5/doc/plugindev/localauth.rst
deleted file mode 100644
index 6f396a9c124e..000000000000
--- a/crypto/krb5/doc/plugindev/localauth.rst
+++ /dev/null
@@ -1,43 +0,0 @@
-.. _localauth_plugin:
-
-Local authorization interface (localauth)
-=========================================
-
-The localauth interface was first introduced in release 1.12. It
-allows modules to control the relationship between Kerberos principals
-and local system accounts. When an application calls
-:c:func:`krb5_kuserok` or :c:func:`krb5_aname_to_localname`, localauth
-modules are consulted to determine the result. For a detailed
-description of the localauth interface, see the header file
-``<krb5/localauth_plugin.h>``.
-
-A module can create and destroy per-library-context state objects
-using the **init** and **fini** methods. If the module does not need
-any state, it does not need to implement these methods.
-
-The optional **userok** method allows a module to control the behavior
-of :c:func:`krb5_kuserok`. The module receives the authenticated name
-and the local account name as inputs, and can return either 0 to
-authorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other
-modules, or another error (canonically EPERM) to authoritatively deny
-access. Access is granted if at least one module grants access and no
-module authoritatively denies access.
-
-The optional **an2ln** method can work in two different ways. If the
-module sets an array of uppercase type names in **an2ln_types**, then
-the module's **an2ln** method will only be invoked by
-:c:func:`krb5_aname_to_localname` if an **auth_to_local** value in
-:ref:`krb5.conf(5)` refers to one of the module's types. In this
-case, the *type* and *residual* arguments will give the type name and
-residual string of the **auth_to_local** value.
-
-If the module does not set **an2ln_types** but does implement
-**an2ln**, the module's **an2ln** method will be invoked for all
-:c:func:`krb5_aname_to_localname` operations unless an earlier module
-determines a mapping, with *type* and *residual* set to NULL. The
-module can return KRB5_LNAME_NO_TRANS to defer mapping to later
-modules.
-
-If a module implements **an2ln**, it must also implement
-**free_string** to ensure that memory is allocated and deallocated
-consistently.
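
Review bot: The first deleted line, `.. _localauth_plugin:`, is a Sphinx cross-reference target, and this view is limited to the one file, so it cannot be confirmed here that the commit also removes every `:ref:` to that label and any toctree entry for `plugindev/localauth`; please check, since a leftover reference produces an undefined-label warning in the doc build. The removed paragraphs are also where the **userok** decision rule is written out (0 authorizes, KRB5_PLUGIN_NO_HANDLE defers, another error such as EPERM denies authoritatively, and a single authoritative deny overrides any grant), along with the requirement that a module implementing **an2ln** also implement **free_string**. If the localauth code itself stays in the tree, the commit message should say where module authors are expected to read these rules from now on, for example the `<krb5/localauth_plugin.h>` header the deleted text points to.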