sec_login_become_delegate(3sec)
Causes an intermediate server to become a delegate in a traced delegation chain
Synopsis
#include <dce/sec_login.h>

sec_login_handle_t sec_login_become_delegate(
    rpc_authz_cred_handle_t callers_identity,
    sec_login_handle_t my_login_context,
    sec_id_delegation_type_t delegation_type_permitted,
    sec_id_restriction_set_t *delegate_restrictions,
    sec_id_restriction_set_t *target_restrictions,
    sec_id_opt_req_t *optional_restrictions,
    sec_id_opt_req_t *required_restrictions,
    sec_id_compatibility_mode_t compatibility_mode,
    error_status_t *status);
Parameters
Input
callers_identity A handle of type rpc_authz_cred_handle_t to the authenticated identity of the previous delegate in the delegation chain. The handle is supplied by the rpc_binding_inq_auth_caller( ) call.
my_login_context A value of sec_login_handle_t that provides an opaque handle to the identity of the client that is becoming the intermediate delegate. The sec_login_handle_t that specifies the client's identity is supplied as output of the following calls:
· sec_login_get_current_context( ) if the client inherited the identity of the current context
· The sec_login_setup_identity( ) and sec_login_validate_identity( ) pair that together establish an authenticated identity, if a new identity was established
Note that the identity specified by sec_login_handle_t must be a simple login context; it cannot be a compound identity created by a previous sec_login_become_delegate( ) call.
delegation_type_permitted A value of sec_id_delegation_type_t that specifies the type of delegation to be enabled. The types available are:
    sec_id_deleg_type_none            No delegation.
    sec_id_deleg_type_traced          Traced delegation.
    sec_id_deleg_type_impersonation   Simple (impersonation) delegation.
Note that the initiating client sets the type of delegation. If it is set as traced, all delegates must also specify traced delegation; they cannot specify simple delegation. The same is true if the initiating client sets the delegation type as simple; all subsequent delegates must also specify simple delegation. The intermediate delegates can, however, specify no delegation to indicate that the delegation chain can proceed no further.
delegate_restrictions A pointer to a sec_id_restriction_set_t that supplies a list of servers that can act as delegates for the intermediate client identified by my_login_context. These servers are added to the delegates permitted by the delegate_restrictions parameter of the sec_login_become_initiator( ) call.
target_restrictions A pointer to a sec_id_restriction_set_t that supplies a list of servers that can act as targets for the intermediate client identified by my_login_context. These servers are added to the targets specified by the target_restrictions parameter of the sec_login_become_initiator( ) call.
optional_restrictions A pointer to a sec_id_opt_req_t that supplies a list of application-defined optional restrictions that apply to the intermediate client identified by my_login_context. These restrictions are added to the restrictions identified by the optional_restrictions parameter of the sec_login_become_initiator( ) call.
required_restrictions A pointer to a sec_id_opt_req_t that supplies a list of application-defined required restrictions that apply to the intermediate client identified by my_login_context. These restrictions are added to the restrictions identified by the required_restrictions parameter of the sec_login_become_initiator( ) call.
compatibility_mode A value of sec_id_compatibility_mode_t that specifies the compatibility mode to be used when the intermediate client operates on pre-1.1 servers. The modes available are:
    sec_id_compat_mode_none        Compatibility mode is off.
    sec_id_compat_mode_initiator   Compatibility mode is on. The pre-1.1 PAC data is extracted from the EPAC of the initiating client.
    sec_id_compat_mode_caller      Compatibility mode is on. The pre-1.1 PAC data is extracted from the EPAC of the last client in the delegation chain.
Output
status A pointer to the completion status. On successful completion, status is assigned error_status_ok. Otherwise, it is assigned an error code.
Description
The sec_login_become_delegate( ) call is used by intermediate servers to become a delegate for the client identified by callers_identity. The routine returns a new login context (of type sec_login_handle_t) that carries delegation information. This information includes the delegation type, the delegate and target restrictions, and any application-defined optional and required restrictions.
The new login context created by this call can then be used to set up authenticated RPC with an intermediate or target server using the rpc_binding_set_auth_info( ) call.
Any delegate, target, required, or optional restrictions specified in this call are added to the restrictions specified by the initiating client and any earlier intermediate clients.
The sec_login_become_delegate( ) call can be used only if the initiating client enabled traced delegation by setting the delegation_type_permitted parameter in the sec_login_become_initiator( ) call to sec_id_deleg_type_traced.
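The following is an added model of the rules described above (the simple-context requirement, the traced-only delegation type, the chain-closing effect of no delegation, and the accumulation of restrictions along the chain); it is not DCE code and does not call the real API. Type and status names echo the page's identifiers, but the numeric values, the `closed` flag and the server names "srvA"/"srvB"/"srvC" are constructed for this example, and mapping a call made after a delegate chose no delegation to st_deleg_not_enabled is this model's choice.

```c
#include <stdio.h>
/* Delegation types and status codes are named after the page; the numeric
   values are placeholders chosen for this model, not the real DCE constants. */
typedef enum { deleg_none, deleg_traced, deleg_impersonation } deleg_type_t;
enum { st_ok = 0, st_compound_delegate, st_invalid_deleg_type, st_deleg_not_enabled };
#define MAX_RESTR 8
typedef struct {
    int compound;                /* set once the context carries delegation info */
    int closed;                  /* a delegate chose deleg_none: chain goes no further */
    deleg_type_t initiator_type; /* type chosen by sec_login_become_initiator */
    int ndeleg, ntarget;         /* accumulated delegate/target restriction counts */
    const char *delegates[MAX_RESTR], *targets[MAX_RESTR];
} login_ctx_t;
/* Model of sec_login_become_delegate: `caller` is the chain context received from
   the previous delegate, `mine` this server's own login context (must be simple). */
int model_become_delegate(const login_ctx_t *caller, const login_ctx_t *mine,
                          deleg_type_t wanted, const char *delegate,
                          const char *target, login_ctx_t *out)
{
    if (mine->compound) return st_compound_delegate;
    if (caller->initiator_type != deleg_traced || caller->closed) return st_deleg_not_enabled;
    if (wanted != deleg_none && wanted != deleg_traced) return st_invalid_deleg_type;
    *out = *caller;              /* keep the initiator's and earlier delegates' restrictions */
    out->compound = 1;
    out->closed = (wanted == deleg_none);
    if (delegate && out->ndeleg < MAX_RESTR) out->delegates[out->ndeleg++] = delegate;
    if (target && out->ntarget < MAX_RESTR) out->targets[out->ntarget++] = target;
    return st_ok;
}
/* Walk a chain initiator -> A -> B with constructed restriction names and report
   the status at the last hop; *ndeleg_out receives the delegate count reached. */
int chain_status(deleg_type_t initiator_type, deleg_type_t a_wants,
                 deleg_type_t b_wants, int b_uses_compound_ctx, int *ndeleg_out)
{
    login_ctx_t init = {1, 0, initiator_type, 1, 1, {"srvA"}, {"tgtA"}};
    login_ctx_t a = {0}, b = {0}, ctx_a, ctx_b;
    int st = model_become_delegate(&init, &a, a_wants, "srvB", "tgtB", &ctx_a);
    if (st != st_ok) { *ndeleg_out = init.ndeleg; return st; }
    st = model_become_delegate(&ctx_a, b_uses_compound_ctx ? &ctx_a : &b, b_wants, "srvC", NULL, &ctx_b);
    *ndeleg_out = (st == st_ok) ? ctx_b.ndeleg : ctx_a.ndeleg;
    return st;
}
int main(void)
{
    int n, st = chain_status(deleg_traced, deleg_traced, deleg_traced, 0, &n);
    printf("traced chain: status %d, %d delegate restrictions\n", st, n);
    return 0;
}
```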
Files
/usr/include/dce/sec_login.idl The IDL file from which dce/sec_login.h was derived.
Errors
The following is a partial list of errors that might be returned. Refer to the OSF DCE Problem Determination Guide for complete descriptions of all error messages.
sec_login_s_invalid_context
sec_login_s_compound_delegate
sec_login_s_invalid_deleg_type
err_sec_login_invalid_delegate_restriction
err_sec_login_invalid_target_restriction
err_sec_login_invalid_opt_restriction
err_sec_login_invalid_req_restriction
sec_login_s_invalid_compat_mode
sec_login_s_deleg_not_enabled
error_status_ok
Related Information
Functions:
sec_intro(3sec)
sec_login_become_initiator(3sec)
sec_login_become_impersonator(3sec)
sec_login_get_current_context(3sec)
sec_login_setup_identity(3sec)
sec_login_validate_identity(3sec)
rpc_binding_inq_auth_caller(3rpc)