1*7f2fe78bSCy Schubert.. _localauth_plugin: 2*7f2fe78bSCy Schubert 3*7f2fe78bSCy SchubertLocal authorization interface (localauth) 4*7f2fe78bSCy Schubert========================================= 5*7f2fe78bSCy Schubert 6*7f2fe78bSCy SchubertThe localauth interface was first introduced in release 1.12. It 7*7f2fe78bSCy Schubertallows modules to control the relationship between Kerberos principals 8*7f2fe78bSCy Schubertand local system accounts. When an application calls 9*7f2fe78bSCy Schubert:c:func:`krb5_kuserok` or :c:func:`krb5_aname_to_localname`, localauth 10*7f2fe78bSCy Schubertmodules are consulted to determine the result. For a detailed 11*7f2fe78bSCy Schubertdescription of the localauth interface, see the header file 12*7f2fe78bSCy Schubert``<krb5/localauth_plugin.h>``. 13*7f2fe78bSCy Schubert 14*7f2fe78bSCy SchubertA module can create and destroy per-library-context state objects 15*7f2fe78bSCy Schubertusing the **init** and **fini** methods. If the module does not need 16*7f2fe78bSCy Schubertany state, it does not need to implement these methods. 17*7f2fe78bSCy Schubert 18*7f2fe78bSCy SchubertThe optional **userok** method allows a module to control the behavior 19*7f2fe78bSCy Schubertof :c:func:`krb5_kuserok`. The module receives the authenticated name 20*7f2fe78bSCy Schubertand the local account name as inputs, and can return either 0 to 21*7f2fe78bSCy Schubertauthorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other 22*7f2fe78bSCy Schubertmodules, or another error (canonically EPERM) to authoritatively deny 23*7f2fe78bSCy Schubertaccess. Access is granted if at least one module grants access and no 24*7f2fe78bSCy Schubertmodule authoritatively denies access. 25*7f2fe78bSCy Schubert 26*7f2fe78bSCy SchubertThe optional **an2ln** method can work in two different ways. If the 27*7f2fe78bSCy Schubertmodule sets an array of uppercase type names in **an2ln_types**, then 28*7f2fe78bSCy Schubertthe module's **an2ln** method will only be invoked by 29*7f2fe78bSCy Schubert:c:func:`krb5_aname_to_localname` if an **auth_to_local** value in 30*7f2fe78bSCy Schubert:ref:`krb5.conf(5)` refers to one of the module's types. In this 31*7f2fe78bSCy Schubertcase, the *type* and *residual* arguments will give the type name and 32*7f2fe78bSCy Schubertresidual string of the **auth_to_local** value. 33*7f2fe78bSCy Schubert 34*7f2fe78bSCy SchubertIf the module does not set **an2ln_types** but does implement 35*7f2fe78bSCy Schubert**an2ln**, the module's **an2ln** method will be invoked for all 36*7f2fe78bSCy Schubert:c:func:`krb5_aname_to_localname` operations unless an earlier module 37*7f2fe78bSCy Schubertdetermines a mapping, with *type* and *residual* set to NULL. The 38*7f2fe78bSCy Schubertmodule can return KRB5_LNAME_NO_TRANS to defer mapping to later 39*7f2fe78bSCy Schubertmodules. 40*7f2fe78bSCy Schubert 41*7f2fe78bSCy SchubertIf a module implements **an2ln**, it must also implement 42*7f2fe78bSCy Schubert**free_string** to ensure that memory is allocated and deallocated 43*7f2fe78bSCy Schubertconsistently. 44