From 89f378fe89c2cf51ba528827b9bd888d415a1746 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 1 Feb 2010 17:18:23 +0000
Subject: Correct the DAL documentation of KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE; proxy is the target service, not the delegating service.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23680 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/kdb.h | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
(limited to 'src/include/kdb.h')
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 187aa4679d..f9caca4162 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -1424,11 +1424,15 @@ typedef struct _kdb_vftabl {
 *
 * KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE: req contains a
 * kdb_check_allowed_to_delegate_req structure. Perform a policy check
- * on proxy being allowed to act on behalf of client to server. Return
- * 0 if policy allows it, or an appropriate error (such as
- * KRB5KDC_ERR_POLICY) if not. If this method is not implemented, all
- * S4U2Proxy delegation requests will be rejected. Do not place any
- * data in rep.
+ * on server being allowed to obtain tickets from client to proxy.
+ * (Note that proxy is the target of the delegation, not the delegating
+ * service; the term "proxy" is from the viewpoint of the delegating
+ * service asking another service to perform some of its work in the
+ * authentication context of the client. This terminology comes from
+ * the Microsoft S4U protocol documentation.) Return 0 if policy
+ * allows it, or an appropriate error (such as KRB5KDC_ERR_POLICY) if
+ * not. If this method is not implemented, all S4U2Proxy delegation
+ * requests will be rejected. Do not place any data in rep.
 */
 krb5_error_code (*db_invoke)(krb5_context context, unsigned int method,
 const krb5_data *req, krb5_data *rep);
-- cgit
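Review bot: The rewritten sentence `on server being allowed to obtain tickets from client to proxy` still leaves the direction of the check to the parenthetical that follows, and a KDB module author who swaps server and proxy would authorize the wrong side of an S4U2Proxy delegation. I would state the roles in the sentence itself, for example `Perform a policy check on whether server (the delegating service) may obtain a ticket to proxy (the target service) on behalf of client.` It would also help to say that a module which cannot evaluate the policy should return an error rather than 0, in line with the reject-by-default behaviour the comment describes for an unimplemented method. The enclosing comment and the _kdb_vftabl struct begin and end outside the hunk, so the field names of kdb_check_allowed_to_delegate_req are not visible here and should be checked against this wording.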