(init_auth): honor ok-as-delegate if local configuration approves

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15319 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-05-30 20:58:29 +00:00
parent 8a9b0fd298
commit e9cef62ab1
2 changed files with 34 additions and 0 deletions
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -331,6 +331,23 @@ init_auth
 	goto failure;
    }
    
+    /* 
+     * If the realm policy approves a delegation, lets check local
+     * policy if the credentials should be delegated, defafult to
+     * false.
+     */
+    if (cred->flags.b.ok_as_delegate) {
+	krb5_boolean delegate = FALSE;
+    
+	_gss_check_compat(NULL, target_name, "ok-as-delegate",
+			  &delegate, TRUE);
+	krb5_appdefault_boolean(gssapi_krb5_context,
+				"gssapi", target_name->realm,
+				"ok-as-delegate", delegate, &delegate);
+	if (delegate)
+	    req_flags |= GSS_C_DELEG_FLAG;
+    }
+
    flags = 0;
    ap_options = 0;
    if (req_flags & GSS_C_DELEG_FLAG)