From c5e25a236878b9807ffefe510836d1ddb59e6901 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 31 Jul 2013 18:51:18 -0400
Subject: Document krb5_db_iterate restriction on writing

---
 src/include/kdb.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/include/kdb.h b/src/include/kdb.h
index 78d78c55c..c08c8d5be 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -371,6 +371,12 @@ krb5_error_code krb5_db_put_principal ( krb5_context kcontext,
                                         krb5_db_entry *entry );
 krb5_error_code krb5_db_delete_principal ( krb5_context kcontext,
                                            krb5_principal search_for );
+
+/*
+ * Iterate over principals in the KDB.  If the callback may write to the DB,
+ * the caller must get an exclusive lock with krb5_db_lock before iterating,
+ * and release it with krb5_db_unlock after iterating.
+ */
 krb5_error_code krb5_db_iterate ( krb5_context kcontext,
                                   char *match_entry,
                                   int (*func) (krb5_pointer, krb5_db_entry *),
-- 
cgit