diff options
Diffstat (limited to 'crypto/krb5/doc/plugindev/localauth.rst')
| -rw-r--r-- | crypto/krb5/doc/plugindev/localauth.rst | 43 |
1 files changed, 0 insertions, 43 deletions
diff --git a/crypto/krb5/doc/plugindev/localauth.rst b/crypto/krb5/doc/plugindev/localauth.rst deleted file mode 100644 index 6f396a9c124e..000000000000 --- a/crypto/krb5/doc/plugindev/localauth.rst +++ /dev/null @@ -1,43 +0,0 @@ -.. _localauth_plugin: - -Local authorization interface (localauth) -========================================= - -The localauth interface was first introduced in release 1.12. It -allows modules to control the relationship between Kerberos principals -and local system accounts. When an application calls -:c:func:`krb5_kuserok` or :c:func:`krb5_aname_to_localname`, localauth -modules are consulted to determine the result. For a detailed -description of the localauth interface, see the header file -``<krb5/localauth_plugin.h>``. - -A module can create and destroy per-library-context state objects -using the **init** and **fini** methods. If the module does not need -any state, it does not need to implement these methods. - -The optional **userok** method allows a module to control the behavior -of :c:func:`krb5_kuserok`. The module receives the authenticated name -and the local account name as inputs, and can return either 0 to -authorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other -modules, or another error (canonically EPERM) to authoritatively deny -access. Access is granted if at least one module grants access and no -module authoritatively denies access. - -The optional **an2ln** method can work in two different ways. If the -module sets an array of uppercase type names in **an2ln_types**, then -the module's **an2ln** method will only be invoked by -:c:func:`krb5_aname_to_localname` if an **auth_to_local** value in -:ref:`krb5.conf(5)` refers to one of the module's types. In this -case, the *type* and *residual* arguments will give the type name and -residual string of the **auth_to_local** value. - -If the module does not set **an2ln_types** but does implement -**an2ln**, the module's **an2ln** method will be invoked for all -:c:func:`krb5_aname_to_localname` operations unless an earlier module -determines a mapping, with *type* and *residual* set to NULL. The -module can return KRB5_LNAME_NO_TRANS to defer mapping to later -modules. - -If a module implements **an2ln**, it must also implement -**free_string** to ensure that memory is allocated and deallocated -consistently. |