[38367] in Kerberos


Re: Extracting AuthorizationData from GSS-API credentials?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Oct 26 18:50:00 2018

To: Rick van Rein <rick@openfortress.nl>,
        "kerberos@mit.edu" <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <e1ddd973-4158-4af1-3354-8f15e628ae24@mit.edu>
Date: Fri, 26 Oct 2018 18:49:39 -0400
In-Reply-To: <5BD3957B.7020901@openfortress.nl>

On 10/26/2018 06:30 PM, Rick van Rein wrote:
> Is there an API to extract AuthorizationData from GSSAPI credentials
> that use Kerberos under the hood?  I cannot find it in the RFCs.

The shortest-path answer for you is probably the extension
gsskrb5_extract_authz_data_from_sec_context(), which is implemented in 
MIT krb5 and Heimdal.

The cleaner answer is name attributes (RFC 6680), ideally with 
well-considered cross-mechanism names, but that requires extra 
implementation work for each authorization data type.  MIT krb5 has a 
pluggable interface for doing that translation, but it's unfortunately 
not polished or stable.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
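
Added example, not part of the original message and not code from MIT krb5 or Heimdal: authorization data handed to an application can itself be a DER-encoded AuthorizationData container (RFC 4120 section 5.2.6; AD-IF-RELEVANT, ad-type 1, is defined that way), so the caller needs a bounds-checked walk to find one ad-type inside it. The names `der_tlv`, `authdata_find` and `sample_authdata` are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: ad-type 128 (4 data bytes), ad-type -17 (2 data bytes). */
static const uint8_t sample_authdata[] = {
    0x30, 0x1d,
    0x30, 0x0e, 0xa0, 0x04, 0x02, 0x02, 0x00, 0x80,
                0xa1, 0x06, 0x04, 0x04, 0xde, 0xad, 0xbe, 0xef,
    0x30, 0x0b, 0xa0, 0x03, 0x02, 0x01, 0xef,
                0xa1, 0x04, 0x04, 0x02, 0x01, 0x02 };

/* Read one DER element with the expected tag from [*p, end); advance *p. */
static int der_tlv(const uint8_t **p, const uint8_t *end, uint8_t tag,
                   const uint8_t **val, size_t *len)
{
    const uint8_t *q = *p;
    if (end - q < 2 || q[0] != tag) return -1;
    size_t n = q[1];
    q += 2;
    if (n & 0x80) {                 /* long form, at most 2 length bytes */
        size_t k = n & 0x7f;
        if (k == 0 || k > 2 || (size_t)(end - q) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;   /* contents must fit the buffer */
    *val = q; *len = n; *p = q + n;
    return 0;
}

/* Returns 0 and sets *data/*dlen to the ad-data of the first element whose
 * ad-type equals want; 1 if none matches; -1 if the encoding is malformed. */
int authdata_find(const uint8_t *buf, size_t buflen, int32_t want,
                  const uint8_t **data, size_t *dlen)
{
    const uint8_t *p = buf, *seq, *e, *end, *f, *iv, *od;
    size_t seqlen, elen, flen, ilen, olen;
    if (der_tlv(&p, buf + buflen, 0x30, &seq, &seqlen)) return -1;
    for (p = seq; p < seq + seqlen; ) {
        if (der_tlv(&p, seq + seqlen, 0x30, &e, &elen)) return -1;
        end = e + elen;
        if (der_tlv(&e, end, 0xa0, &f, &flen) ||            /* ad-type [0] */
            der_tlv(&f, f + flen, 0x02, &iv, &ilen) || ilen < 1 || ilen > 4) return -1;
        uint32_t v = (iv[0] & 0x80) ? 0xffffffffu : 0;      /* sign-extend Int32 */
        for (size_t i = 0; i < ilen; i++) v = (v << 8) | iv[i];
        if (der_tlv(&e, end, 0xa1, &f, &flen) ||            /* ad-data [1] */
            der_tlv(&f, f + flen, 0x04, &od, &olen)) return -1;
        if ((int32_t)v == want) { *data = od; *dlen = olen; return 0; }
    }
    return 1;
}
```

The returned pointer aliases the input buffer, so copy the bytes before releasing whatever buffer they came from.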
