summaryrefslogtreecommitdiff
path: root/doc/html/plugindev/kadm5_auth.html
diff options
context:
space:
mode:
Diffstat (limited to 'doc/html/plugindev/kadm5_auth.html')
-rw-r--r--doc/html/plugindev/kadm5_auth.html177
1 files changed, 177 insertions, 0 deletions
diff --git a/doc/html/plugindev/kadm5_auth.html b/doc/html/plugindev/kadm5_auth.html
new file mode 100644
index 000000000000..fc2bf3c241c2
--- /dev/null
+++ b/doc/html/plugindev/kadm5_auth.html
@@ -0,0 +1,177 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kadmin authorization interface (kadm5_auth) &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.16',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For plugin module developers" href="index.html" />
+ <link rel="next" title="Host-to-realm interface (hostrealm)" href="hostrealm.html" />
+ <link rel="prev" title="KADM5 hook interface (kadm5_hook)" href="kadm5_hook.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kadm5_hook.html" title="KADM5 hook interface (kadm5_hook)"
+ accesskey="P">previous</a> |
+ <a href="hostrealm.html" title="Host-to-realm interface (hostrealm)"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmin authorization interface (kadm5_auth)">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kadmin-authorization-interface-kadm5-auth">
+<span id="kadm5-auth-plugin"></span><h1>kadmin authorization interface (kadm5_auth)<a class="headerlink" href="#kadmin-authorization-interface-kadm5-auth" title="Permalink to this headline">ΒΆ</a></h1>
+<p>The kadm5_auth interface (new in release 1.16) allows modules to
+determine whether a client principal is authorized to perform an
+operation in the kadmin protocol, and to apply restrictions to
+principal operations. For a detailed description of the kadm5_auth
+interface, see the header file <tt class="docutils literal"><span class="pre">&lt;krb5/kadm5_auth_plugin.h&gt;</span></tt>.</p>
+<p>A module can create and destroy per-process state objects by
+implementing the <strong>init</strong> and <strong>fini</strong> methods. State objects have
+the type kadm5_auth_modinfo, which is an abstract pointer type. A
+module should typically cast this to an internal type for the state
+object.</p>
+<p>The kadm5_auth interface has one method for each kadmin operation,
+with parameters specific to the operation. Each method can return
+either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the
+decision to other modules, or another error (canonically EPERM) to
+authoritatively deny access. Access is granted if at least one module
+grants access and no module authoritatively denies access.</p>
+<p>The <strong>addprinc</strong> and <strong>modprinc</strong> methods can also impose restrictions
+on the principal operation by returning a <tt class="docutils literal"><span class="pre">struct</span>
+<span class="pre">kadm5_auth_restrictions</span></tt> object. The module should also implement
+the <strong>free_restrictions</strong> method if it dynamically allocates
+restrictions objects for principal operations.</p>
+<p>kadm5_auth modules can optionally inspect principal or policy objects.
+To do this, the module must also include <tt class="docutils literal"><span class="pre">&lt;kadm5/admin.h&gt;</span></tt> to gain
+access to the structure definitions for those objects. As the kadmin
+interface is explicitly not as stable as other public interfaces,
+modules which do this may not retain compatibility across releases.</p>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kadmin authorization interface (kadm5_auth)</a></li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For plugin module developers</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="general.html">General plugin concepts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="clpreauth.html">Client preauthentication interface (clpreauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpreauth.html">KDC preauthentication interface (kdcpreauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">kadmin authorization interface (kadm5_auth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="gssapi.html">GSSAPI mechanism interface</a></li>
+<li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+<li class="toctree-l2"><a class="reference internal" href="certauth.html">PKINIT certificate authorization interface (certauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpolicy.html">KDC policy interface (kdcpolicy)</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.16</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kadm5_hook.html" title="KADM5 hook interface (kadm5_hook)"
+ >previous</a> |
+ <a href="hostrealm.html" title="Host-to-realm interface (hostrealm)"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmin authorization interface (kadm5_auth)">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-31 22:04:57 +0000