From d769eced7bb14e8f0b9bb55d937863e820ae134c Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Thu, 22 Dec 2011 17:44:47 -0600 Subject: [PATCH] Plugin symbols can't have '-' in them... Also add example to krb5-plugin.7 --- lib/krb5/krb5-plugin.7 | 48 ++++++++++++++++++++++++++++++++++++--- lib/krb5/kuserok_plugin.h | 4 ++-- 2 files changed, 47 insertions(+), 5 deletions(-) diff --git a/lib/krb5/krb5-plugin.7 b/lib/krb5/krb5-plugin.7 index 2767d6b22..549463880 100644 --- a/lib/krb5/krb5-plugin.7 +++ b/lib/krb5/krb5-plugin.7 @@ -88,7 +88,7 @@ KRB5_PLUGIN_NO_HANDLE to indicate that the plugin was not applicable. Most plugin types obtain deterministic plugin behavior in spite of the non-deterministic invokation order by, for example, invoking all plugins for each "rule" and passing the rule to each plugin with the expectation that just -one plugin will match any given rul. +one plugin will match any given rule. .Pp The krb5-kuserok plugin adds a single field to its struct: a pointer to a function that implements kuserok functionality with the following @@ -120,12 +120,12 @@ argument provides an alternative k5login file location, if not NULL. The .Va flags argument indicates whether the plugin may call -.Xr krb5_aname_to_lname 3 +.Xr krb5_aname_to_localname 3 (KUSEROK_ANAME_TO_LNAME_OK), and whether k5login databases are expected to be authoritative (KUSEROK_K5LOGIN_IS_AUTHORITATIVE). .Pp The plugin for -.Xr krb5_aname_to_lname 3 +.Xr krb5_aname_to_localname 3 is named "an2ln" and has a single extra field for the plugin struct: .Bd -literal -offset indent typedef krb5_error_code (*set_result_f)(void *, const char *); @@ -156,6 +156,8 @@ An example an2ln plugin that maps principals to a constant "nouser" follows: .Pp .Bd -literal -offset indent +#include + static krb5_error_code nouser_plug_init(krb5_context context, void **ctx) { 
@@ -188,5 +190,45 @@ krb5plugin_an2ln_ftable an2ln = { nouser_plug_an2ln, }; .Ed +.Pp +An example kuserok plugin that rejects all requests follows. (Note that +there exists a built-in plugin with this functionality; see +.Xr krb5_kuserok 3 +). +.Pp +.Bd -literal -offset indent +#include + +static krb5_error_code +reject_plug_init(krb5_context context, void **ctx) +{ + *ctx = NULL; + return 0; +} + +static void reject_plug_fini(void *ctx) { } + +static krb5_error_code +reject_plug_kuserok(void *plug_ctx, krb5_context context, const char *rule, + unsigned int flags, const char *k5login_dir, + const char *luser, krb5_const_principal principal, + krb5_boolean *result) +{ + if (strcmp(rule, "REJECT") != 0) + return KRB5_PLUGIN_NO_HANDLE; + + *result = FALSE; + return 0; +} + +krb5plugin_kuserok_ftable kuserok = { + KRB5_PLUGIN_KUSEROK_VERSION_0, + reject_plug_init, + reject_plug_fini, + reject_plug_kuserok, +}; +.Ed .Sh SEE ALSO .Xr krb5_plugin_register 3 +.Xr krb5_kuserok 3 +.Xr krb5_aname_to_localname 3 diff --git a/lib/krb5/kuserok_plugin.h b/lib/krb5/kuserok_plugin.h index fc6ccd800..5b0be4a57 100644 --- a/lib/krb5/kuserok_plugin.h +++ b/lib/krb5/kuserok_plugin.h @@ -32,7 +32,7 @@ #ifndef HEIMDAL_KRB5_KUSEROK_PLUGIN_H #define HEIMDAL_KRB5_KUSEROK_PLUGIN_H 1 -#define KRB5_PLUGIN_KUSEROK "kuserok-plugin" +#define KRB5_PLUGIN_KUSEROK "kuserok" #define KRB5_PLUGIN_KUSEROK_VERSION_0 0 /** @struct krb5plugin_kuserok_ftable_desc @@ -40,7 +40,7 @@ * @brief Description of the krb5_kuserok(3) plugin facility. * * The krb5_kuserok(3) function is pluggable. The plugin is named - * KRB5_PLUGIN_KUSEROK ("kuserok-plugin"), with a single minor version, + * KRB5_PLUGIN_KUSEROK ("kuserok"), with a single minor version, * KRB5_PLUGIN_KUSEROK_VERSION_0 (0). * * The plugin for krb5_kuserok(3) consists of a data symbol referencing
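Review bot: The `KRB5_PLUGIN_KUSEROK` define in lib/krb5/kuserok_plugin.h (hunk at -32,7) has no comment saying that its value must be a valid C identifier, which is the constraint the commit subject gives as the reason for this change. Judging by the man page example added in the same commit, `krb5plugin_kuserok_ftable kuserok = {`, the string appears to be the name of the data symbol a plugin exports. If so, a later edit that reintroduces punctuation would presumably show up only as plugins that fail to load at run time, not as a build error. I would add `/* Name of the data symbol a kuserok plugin exports; must be a valid C identifier. */` directly above the define, and repeat that sentence in the `@struct` doc comment in the following hunk, where the name is quoted.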