.. _ccselect_plugin:

Credential cache selection interface (ccselect)
===============================================
|
The ccselect interface allows modules to control how credential caches
are chosen when a GSSAPI client contacts a service. For a detailed
description of the ccselect interface, see the header file
``<krb5/ccselect_plugin.h>``.
|
The primary ccselect method is **choose**, which accepts a server
principal as input and returns a ccache and/or principal name as
output. A module can use the krb5_cccol APIs to iterate over the
cache collection in order to find an appropriate ccache to use.
|
.. TODO: add reference to the admin guide for ccaches and cache
   collections when we have appropriate sections.
|
A module can create and destroy per-library-context state objects by
implementing the **init** and **fini** methods. State objects have
the type krb5_ccselect_moddata, which is an abstract pointer type. A
module should typically cast this to an internal type for the state
object.
|
A module can have one of two priorities, "authoritative" or
"heuristic". Results from authoritative modules, if any are
available, will take priority over results from heuristic modules. A
module communicates its priority as a result of the **init** method.
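
The priority rule and the state-object cast described above, as an added self-contained C model (not MIT krb5 code and not part of the original page). Every type, constant, module and cache name below is a hypothetical stand-in for what ``<krb5/ccselect_plugin.h>`` declares, **fini** is left out because the state here is static, and the dispatcher assumes that the first module to answer within a priority level wins.

```c
#include <string.h>
/* Stand-ins for this model; the real types are in <krb5/ccselect_plugin.h>. */
enum { HEURISTIC = 1, AUTHORITATIVE = 2 };  /* priority reported by init */
enum { CHOSEN = 0, NO_ANSWER = -1 };        /* result of choose */
typedef struct moddata_st *moddata;         /* abstract state pointer */
struct module {
    int (*init)(moddata *data_out, int *priority_out);
    int (*choose)(moddata data, const char *server, const char **cc_out);
};

/* Authoritative module: its state maps one realm to one ccache (constructed). */
struct map_state { const char *realm, *ccache; };
static struct map_state corp_map = { "@CORP.EXAMPLE", "FILE:/tmp/cc_corp" };
static int map_init(moddata *data_out, int *priority_out) {
    *data_out = (moddata)&corp_map;         /* hand out the abstract pointer */
    *priority_out = AUTHORITATIVE;
    return 0;
}
static int map_choose(moddata data, const char *server, const char **cc_out) {
    struct map_state *st = (struct map_state *)data;  /* cast to internal type */
    const char *at = strrchr(server, '@');
    if (at == NULL || strcmp(at, st->realm) != 0)
        return NO_ANSWER;                   /* not ours: let other modules decide */
    *cc_out = st->ccache;
    return CHOSEN;
}

/* Heuristic module: stateless guess that always offers the default cache. */
static int guess_init(moddata *data_out, int *priority_out) {
    *data_out = NULL;
    *priority_out = HEURISTIC;
    return 0;
}
static int guess_choose(moddata data, const char *server, const char **cc_out) {
    (void)data; (void)server;
    *cc_out = "FILE:/tmp/cc_default";
    return CHOSEN;
}

static const struct module mods[2] = {{guess_init, guess_choose}, {map_init, map_choose}};
/* Ask authoritative modules first, then heuristic ones, whatever the load order. */
const char *select_cache(const char *server) {
    moddata data[2]; int prio[2]; const char *cc = NULL;
    for (int i = 0; i < 2; i++) mods[i].init(&data[i], &prio[i]);
    for (int p = AUTHORITATIVE; p >= HEURISTIC; p--)
        for (int i = 0; i < 2; i++)
            if (prio[i] == p && mods[i].choose(data[i], server, &cc) == CHOSEN)
                return cc;
    return NULL;
}
```

The heuristic module is listed first in ``mods`` on purpose: a server principal in the mapped realm still gets the authoritative module's cache, and the heuristic guess is used only when the authoritative module declines.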