author | Greg Hudson <ghudson@mit.edu> | 2013-06-14 01:55:27 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-06-27 02:00:51 -0400 |
commit | a6765ca3fa82fa9ac8045fb583d168c542b19585 (patch) | |
tree | 147e98011672984188b7924d205782cf04d4f28b /doc | |
parent | e0a74797bd3a8395b81e68ecfa7ada6e2b4be4c6 (diff) | |
Rely on module ordering for localauth
Register built-in localauth modules in the order we want them used by
default, and document accordingly.
ticket: 7665
Diffstat (limited to 'doc')
-rw-r--r-- | doc/admin/conf_files/krb5_conf.rst | 30 | ||||
-rw-r--r-- | doc/plugindev/localauth.rst | 8 |
2 files changed, 19 insertions, 19 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 0fd3f2c1d5..699628f563 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -749,30 +749,30 @@ for the local authorization interface, which affects the relationship between Kerberos principals and local system accounts. The following built-in modules exist for this interface: -**auth_to_local** - This module processes **auth_to_local** values in the default - realm's section, and applies the default method if no - **auth_to_local** values exist. - -**an2ln** - This module authorizes a principal to a local account if the - principal name maps to the local account name. - **default** This module implements the **DEFAULT** type for **auth_to_local** values. -**k5login** - This module authorizes a principal to a local account according to - the account's :ref:`.k5login(5)` file. +**rule** + This module implements the **RULE** type for **auth_to_local** + values. **names** This module looks for an **auth_to_local_names** mapping for the principal name. -**rule** - This module implements the **RULE** type for **auth_to_local** - values. +**auth_to_local** + This module processes **auth_to_local** values in the default + realm's section, and applies the default method if no + **auth_to_local** values exist. + +**k5login** + This module authorizes a principal to a local account according to + the account's :ref:`.k5login(5)` file. + +**an2ln** + This module authorizes a principal to a local account if the + principal name maps to the local account name. PKINIT options diff --git a/doc/plugindev/localauth.rst b/doc/plugindev/localauth.rst index 8a87f3ed9c..6f396a9c12 100644 --- a/doc/plugindev/localauth.rst +++ b/doc/plugindev/localauth.rst 
@@ -33,10 +33,10 @@ residual string of the **auth_to_local** value. If the module does not set **an2ln_types** but does implement **an2ln**, the module's **an2ln** method will be invoked for all -:c:func:`krb5_aname_to_localname` operations before the built-in -mechanisms are applied, with *type* and *residual* set to NULL. The -module can return KRB5_LNAME_NO_TRANS to defer mapping to the built-in -mechanisms. +:c:func:`krb5_aname_to_localname` operations unless an earlier module +determines a mapping, with *type* and *residual* set to NULL. The +module can return KRB5_LNAME_NO_TRANS to defer mapping to later +modules. If a module implements **an2ln**, it must also implement **free_string** to ensure that memory is allocated and deallocated |
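Review bot: In the doc/admin/conf_files/krb5_conf.rst hunk, the unchanged lead-in "The following built-in modules exist for this interface:" gives no sign that the list order now carries meaning, so a reader will take the reordering as cosmetic. The commit message says the built-in modules are registered in the order they should be used by default, so the lead-in should say that, for example "The following built-in modules exist for this interface, listed in the order they are used by default:". The localauth.rst hunk in this same patch makes an **an2ln** result depend on whether an earlier module already determined a mapping, so an administrator needs to be able to read that order off this list.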
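Review bot: In the doc/plugindev/localauth.rst hunk, "unless an earlier module determines a mapping" and "defer mapping to later modules" rely on a module ordering that this paragraph never defines. The removed text guaranteed that the module ran before the built-in mechanisms; the new wording leaves a module author unable to tell whether a built-in module can answer first for a given principal. Add a sentence stating how a plugin module is ordered relative to the built-in ones, or a cross-reference to the built-in module list in krb5_conf.rst.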