From 3cedc78b77956cfb866abc736a7e99cc1bce4541 Mon Sep 17 00:00:00 2001
From: Johan Danielsson <joda@pdc.kth.se>
Date: Wed, 22 Oct 2003 18:45:56 +0000
Subject: [PATCH] document recent changes

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13071 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kdc.8 | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/kdc/kdc.8 b/kdc/kdc.8
index 8c7bcefcc..b04a301d0 100644
--- a/kdc/kdc.8
+++ b/kdc/kdc.8
@@ -31,7 +31,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd October 21, 2003
+.Dd October 22, 2003
 .Dt KDC 8
 .Os HEIMDAL
 .Sh NAME
@@ -185,10 +185,27 @@ Permit tickets with no addresses.
 This option is only relevant when check-ticket-addresses is TRUE.
 .It Li allow-anonymous = Va boolean
 Permit anonymous tickets with no addresses.
-.It Li enforce-transited-policy = Va boolean
-Always verify the transited policy, ignoring the
-.Va disable-transited-check 
-flag if set in the KDC client request.
+.It Li transited-policy = Xo
+.Li always-check \*(Ba
+.Li allow-per-principal |
+.Li always-honour-request
+.Xc
+This controls how KDC requests with the
+.Li disable-transited-check
+flag are handled. It can be one of:
+.Bl -tag -width "xxx" -offset indent
+.It Li always-check
+Always check transited encoding, this is the default.
+.It Li allow-per-principal
+Currently this is identical to
+.Li always-check .
+In a future release, it will be possible to mark a principal as able
+to handle unchecked requests.
+.It Li always-honour-request
+Always do what the client asked.
+In a future release, it will be possible to force a check per
+principal.
+.El
 .It encode_as_rep_as_tgs_rep = Va boolean
 Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.
 The Heimdal clients allow both.