diff options
Diffstat (limited to 'doc/html/_sources/plugindev/kdcpolicy.txt')
| -rw-r--r-- | doc/html/_sources/plugindev/kdcpolicy.txt | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/doc/html/_sources/plugindev/kdcpolicy.txt b/doc/html/_sources/plugindev/kdcpolicy.txt new file mode 100644 index 000000000000..74f21f08fbf4 --- /dev/null +++ b/doc/html/_sources/plugindev/kdcpolicy.txt @@ -0,0 +1,24 @@ +.. _kdcpolicy_plugin: + +KDC policy interface (kdcpolicy) +================================ + +The kdcpolicy interface was first introduced in release 1.16. It +allows modules to veto otherwise valid AS and TGS requests or restrict +the lifetime and renew time of the resulting ticket. For a detailed +description of the kdcpolicy interface, see the header file +``<krb5/kdcpolicy_plugin.h>``. + +The optional **check_as** and **check_tgs** functions allow the module +to perform access control. Additionally, a module can create and +destroy module data with the **init** and **fini** methods. Module +data objects last for the lifetime of the KDC process, and are +provided to all other methods. The data has the type +krb5_kdcpolicy_moddata, which should be cast to the appropriate +internal type. + +kdcpolicy modules can optionally inspect principal entries. To do +this, the module must also include ``<kdb.h>`` to gain access to the +principal entry structure definition. As the KDB interface is +explicitly not as stable as other public interfaces, modules which do +this may not retain compatibility across releases. |