
sec_login_become_delegate(3sec)

Causes an intermediate server to become a delegate in traced delegation chain

Synopsis

#include <dce/sec_login.h>

sec_login_handle_t sec_login_become_delegate(
        rpc_authz_cred_handle_t callers_identity,
        sec_login_handle_t my_login_context,
        sec_id_delegation_type_t delegation_type_permitted,
        sec_id_restriction_set_t *delegate_restrictions,
        sec_id_restriction_set_t *target_restrictions,
        sec_id_opt_req_t *optional_restrictions,
        sec_id_opt_req_t *required_restrictions,
        sec_id_compatibility_mode_t compatibility_mode,
        error_status_t *status);

Parameters

Input

callers_identity
A handle of type rpc_authz_cred_handle_t to the authenticated identity of the previous delegate in the delegation chain. The handle is supplied by the rpc_binding_inq_auth_caller( ) call.

my_login_context
A value of sec_login_handle_t that provides an opaque handle to the identity of the client that is becoming the intermediate delegate. The sec_login_handle_t that specifies the client's identity is supplied as output of the following calls:

· sec_login_get_current_context( ) if the client inherited the identity of the current context

· The sec_login_setup_identity( ) and the sec_login_validate_identity( ) pair that together establish an authenticated identity if a new identity was established

Note that the identity specified by my_login_context must be a simple login context; it cannot be a compound identity created by a previous sec_login_become_delegate( ) call.

delegation_type_permitted
A value of sec_id_delegation_type_t that specifies the type of delegation to be enabled. The types available are:

sec_id_deleg_type_none No delegation.
sec_id_deleg_type_traced Traced delegation.
sec_id_deleg_type_impersonation Simple (impersonation) delegation.

Note that the initiating client sets the type of delegation. If it is set as traced, all delegates must also specify traced delegation; they cannot specify simple delegation. The same is true if the initiating client sets the delegation type as simple; all subsequent delegates must also specify simple delegation. The intermediate delegates can, however, specify no delegation to indicate that the delegation chain can proceed no further.

delegate_restrictions
A pointer to a sec_id_restriction_set_t that supplies a list of servers that can act as delegates for the intermediate client identified by my_login_context. These servers are added to the delegates permitted by the delegate_restrictions parameter of the sec_login_become_initiator( ) call.

target_restrictions
A pointer to a sec_id_restriction_set_t that supplies a list of servers that can act as targets for the intermediate client identified by my_login_context. These servers are added to the targets specified by the target_restrictions parameter of the sec_login_become_initiator( ) call.

optional_restrictions
A pointer to a sec_id_opt_req_t that supplies a list of application-defined optional restrictions that apply to the intermediate client identified by my_login_context. These restrictions are added to the restrictions identified by the optional_restrictions parameter of the sec_login_become_initiator( ) call.

required_restrictions
A pointer to a sec_id_opt_req_t that supplies a list of application-defined required restrictions that apply to the intermediate client identified by my_login_context. These restrictions are added to the restrictions identified by the required_restrictions parameter of the sec_login_become_initiator( ) call.

compatibility_mode
A value of sec_id_compatibility_mode_t that specifies the compatibility mode to be used when the intermediate client operates on pre-1.1 servers. The modes available are:

sec_id_compat_mode_none Compatibility mode is off.
sec_id_compat_mode_initiator Compatibility mode is on. The pre-1.1 PAC data is extracted from the EPAC of the initiating client.
sec_id_compat_mode_caller Compatibility mode is on. The pre-1.1 PAC data is extracted from the EPAC of the last client in the delegation chain.

Output

status
A pointer to the completion status. On successful completion, status is assigned error_status_ok. Otherwise, it returns an error.

Description
The sec_login_become_delegate( ) call is used by intermediate servers to become a delegate for the client identified by callers_identity. The routine returns a new login context (of type sec_login_handle_t) that carries delegation information. This information includes the delegation type, delegate and target restrictions, and any application-defined optional and required restrictions.

The new login context created by this call can then be used to set up authenticated RPC with an intermediate or target server using the rpc_binding_set_auth_info( ) call.

Any delegate, target, required, or optional restrictions specified in this call are added to the restrictions specified by the initiating client and any intermediate clients.

The sec_login_become_delegate( ) call can be used only if the initiating client enabled traced delegation by setting the delegation_type_permitted parameter in the sec_login_become_initiator( ) call to sec_id_deleg_type_traced.
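The rules stated above (the initiator fixes the delegation type, each delegate must either continue that type or specify none to end the chain, the intermediate's own context must be a simple login context, and this call applies only to traced chains) are easy to get wrong when reasoning about who may extend a chain. The following stand-alone C model is an added example, not code from the DCE library or this man page: it does not call DCE at all. The sec_id_delegation_type_t values and the status names are taken from this page, but the model_context_t struct, the model_become_initiator( ) and model_become_delegate( ) functions, and the mapping of each rule to a particular status value are assumptions made for illustration.

```c
/* Added example: a stand-alone model of the delegation-chain rules this man
 * page states. It does not call the DCE library; the enum and status names
 * mirror the page, while the struct, functions and rule-to-status mapping
 * are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_DELEGATES 8

typedef enum {
    sec_id_deleg_type_none,
    sec_id_deleg_type_traced,
    sec_id_deleg_type_impersonation
} sec_id_delegation_type_t;

/* Modeled status values, named after the errors listed on this page. */
typedef enum {
    error_status_ok,
    sec_login_s_compound_delegate,
    sec_login_s_invalid_deleg_type,
    sec_login_s_deleg_not_enabled
} error_status_t;

/* Hypothetical, simplified view of a login context as it moves along a chain. */
typedef struct {
    int is_compound;                        /* already carries delegation info? */
    sec_id_delegation_type_t chain_type;    /* type fixed by the initiator */
    int chain_closed;                       /* a delegate chose "none" */
    int n_delegates;                        /* accumulated delegate restrictions */
    const char *delegates[MAX_DELEGATES];
} model_context_t;

/* Model of sec_login_become_initiator: the initiating client fixes the type
 * for the whole chain and seeds the delegate restriction list. */
static model_context_t model_become_initiator(sec_id_delegation_type_t type,
                                              const char *first_delegate)
{
    model_context_t ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.is_compound = 1;
    ctx.chain_type = type;
    if (first_delegate)
        ctx.delegates[ctx.n_delegates++] = first_delegate;
    return ctx;
}

/* Model of sec_login_become_delegate. 'caller' is the previous delegate's
 * context (what rpc_binding_inq_auth_caller would describe), 'mine' is the
 * intermediate's own login context, 'requested' is delegation_type_permitted. */
static error_status_t model_become_delegate(const model_context_t *caller,
                                            const model_context_t *mine,
                                            sec_id_delegation_type_t requested,
                                            const char *extra_delegate,
                                            model_context_t *out)
{
    /* The intermediate's own identity must be a simple login context. */
    if (mine->is_compound)
        return sec_login_s_compound_delegate;
    /* Only traced chains may use this call, and a closed chain cannot grow
     * (assumed mapping to sec_login_s_deleg_not_enabled). */
    if (caller->chain_type != sec_id_deleg_type_traced || caller->chain_closed)
        return sec_login_s_deleg_not_enabled;
    /* A delegate may only continue the initiator's type or end the chain. */
    if (requested != caller->chain_type && requested != sec_id_deleg_type_none)
        return sec_login_s_invalid_deleg_type;

    *out = *caller;                         /* restrictions accumulate */
    out->is_compound = 1;
    out->chain_closed = (requested == sec_id_deleg_type_none);
    if (extra_delegate && out->n_delegates < MAX_DELEGATES)
        out->delegates[out->n_delegates++] = extra_delegate;
    return error_status_ok;
}

int main(void)
{
    /* Constructed sample chain: initiator -> svcA -> svcB, then an attempt
     * by svcB to downgrade the chain to impersonation. */
    model_context_t init = model_become_initiator(sec_id_deleg_type_traced, "svcA");
    model_context_t simple, hop1, hop2;
    memset(&simple, 0, sizeof simple);

    printf("svcA joins (traced):  status %d\n",
           model_become_delegate(&init, &simple, sec_id_deleg_type_traced, "svcB", &hop1));
    printf("svcB tries impersonation: status %d\n",
           model_become_delegate(&hop1, &simple, sec_id_deleg_type_impersonation, NULL, &hop2));
    printf("svcB ends the chain (none): status %d, %d delegate restrictions\n",
           model_become_delegate(&hop1, &simple, sec_id_deleg_type_none, NULL, &hop2),
           hop2.n_delegates);
    return 0;
}
```

The model makes the defensive property visible: a delegate can narrow the chain (by adding restrictions or ending it with sec_id_deleg_type_none) but can never change the delegation type chosen by the initiator, and an existing compound context cannot be reused as the intermediate's own identity.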

Files

/usr/include/dce/sec_login.idl
The IDL file from which dce/sec_login.h was derived.

Errors

The following describes a partial list of errors that might be returned. Refer to the OSF DCE Problem Determination Guide for complete descriptions of all error messages.

sec_login_s_invalid_context

sec_login_s_compound_delegate

sec_login_s_invalid_deleg_type

err_sec_login_invalid_delegate_restriction

err_sec_login_invalid_target_restriction

err_sec_login_invalid_opt_restriction

err_sec_login_invalid_req_restriction

sec_login_s_invalid_compat_mode

sec_login_s_deleg_not_enabled

error_status_ok

Related Information
Functions:

sec_intro(3sec)

sec_login_become_initiator(3sec)

sec_login_become_impersonator(3sec)

sec_login_get_current_context(3sec)

sec_login_setup_identity(3sec)

sec_login_validate_identity(3sec)

rpc_binding_inq_auth_caller(3rpc)