NAME
sec_login_become_delegate - Causes an intermediate server to become a
delegate in a traced delegation chain
SYNOPSIS
#include <dce/sec_login.h>
sec_login_handle_t sec_login_become_delegate(
rpc_authz_cred_handle_t callers_identity,
sec_login_handle_t my_login_context,
sec_id_delegation_type_t delegation_type_permitted,
sec_id_restriction_set_t *delegate_restrictions,
sec_id_restriction_set_t *target_restrictions,
sec_id_opt_req_t *optional_restrictions,
sec_id_opt_req_t *required_restrictions,
sec_id_compatibility_mode_t compatibility_mode,
error_status_t *status);
PARAMETERS
Input
callers_identity
A handle of type rpc_authz_cred_handle_t to the authenticated
identity of the previous delegate in the delegation chain. The
handle is supplied by the rpc_binding_inq_auth_caller() call.
my_login_context
A value of sec_login_handle_t that provides an opaque handle to
the identity of the client that is becoming the intermediate
delegate. The sec_login_handle_t that specifies the client's
identity is supplied as output of the following calls:
+ sec_login_get_current_context() if the client inherited the
identity of the current context
+ The sec_login_setup_identity() and the
sec_login_validate_identity() pair that together establish
an authenticated identity if a new identity was established
Note that this identity specified by sec_login_handle_t must be a simple
login context; it cannot be a compound identity created by a previous
sec_login_become_delegate() call.
delegation_type_permitted
A value of sec_id_delegation_type_t that specifies the type of
delegation to be enabled. The types available are:
sec_id_deleg_type_none
No delegation.
sec_id_deleg_type_traced
Traced delegation.
sec_id_deleg_type_impersonation
Simple (impersonation) delegation.
Note that the initiating client sets the type of delegation. If it is
set as traced, all delegates must also specify traced delegation; they
cannot specify simple delegation. The same is true if the initiating
client sets the delegation type as simple; all subsequent delegates must
also specify simple delegation. The intermediate delegates can,
however, specify no delegation to indicate that the delegation chain
can proceed no further.
delegate_restrictions
A pointer to a sec_id_restriction_set_t that supplies a list of
servers that can act as delegates for the intermediate client
identified by my_login_context. These servers are added to
delegates permitted by the delegate_restrictions parameter of the
sec_login_become_initiator call.
target_restrictions
A pointer to a sec_id_restriction_set_t that supplies a list of
servers that can act as targets for the intermediate client
identified by my_login_context. These servers are added to
targets specified by the target_restrictions parameter of the
sec_login_become_initiator call.
optional_restrictions
A pointer to a sec_id_opt_req_t that supplies a list of
application-defined optional restrictions that apply to the
intermediate client identified by my_login_context. These
restrictions are added to the restrictions identified by the
optional_restrictions parameter of the sec_login_become_initiator
call.
required_restrictions
A pointer to a sec_id_opt_req_t that supplies a list of
application-defined required restrictions that apply to the
intermediate client identified by my_login_context. These
restrictions are added to the restrictions identified by the
required_restrictions parameter of the sec_login_become_initiator
call.
compatibility_mode
A value of sec_id_compatibility_mode_t that specifies the
compatibility mode to be used when the intermediate client
operates on pre-1.1 servers. The modes available are:
sec_id_compat_mode_none
Compatibility mode is off.
sec_id_compat_mode_initiator
Compatibility mode is on. The pre-1.1 PAC data is
extracted from the EPAC of the initiating client.
sec_id_compat_mode_caller
Compatibility mode is on. The pre-1.1 PAC data is
extracted from the EPAC of the last client in the
delegation chain.
Output
status
A pointer to the completion status. On successful completion,
status is assigned error_status_ok. Otherwise, it returns an
error.
DESCRIPTION
The sec_login_become_delegate() call is used by intermediate servers to
become a delegate for the client identified by callers_identity. The
routine returns a new login context (of type sec_login_handle_t) that
carries delegation information. This information includes the delegation
type, delegate and target restrictions, and any application-defined
optional and required restrictions.
The new login context created by this call can then be used to set up
authenticated RPC with an intermediate or target server using the
rpc_binding_set_auth_info() call.
Any delegate, target, required, or optional restrictions specified in
this call are added to the restrictions specified by the initiating
client and any intermediate clients. A delegate can therefore only
narrow what the chain is allowed to do; it cannot remove a restriction
placed by an earlier member of the chain.
The sec_login_become_delegate() call can be used only if the initiating
client enabled traced delegation by setting the
delegation_type_permitted parameter in the sec_login_become_initiator
call to sec_id_deleg_type_traced; otherwise the call fails (see
sec_login_s_deleg_not_enabled under ERRORS).
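The chain rules stated above (delegation type fixed by the initiator, a delegate may continue a traced chain or stop it but not switch it to simple delegation, my_login_context must be a simple rather than compound context, restrictions only accumulate, and sec_login_become_delegate() is only available when the initiator enabled traced delegation) are easy to get wrong when writing an intermediate server. The following C program is an added example, not DCE code and not derived from sec_login.idl: it is a self-contained model of those rules, with hypothetical stand-in types (struct ctx, struct rset) and functions (model_become_initiator, model_become_delegate) in place of the real sec_login_handle_t, rpc_authz_cred_handle_t and sec_login calls. Compatibility mode and the optional/required restriction sets are left out; status names are borrowed from the ERRORS section but their numeric values are invented, and treating an already-closed chain as "not enabled" is the model's own choice. The three-server chain in demo_chain() is constructed data.

```c
/* Added example, not DCE library code: a self-contained model of the chain
 * rules this page documents. Every name here is a hypothetical stand-in. */
#include <stdio.h>
#include <string.h>

enum deleg_type { DELEG_NONE, DELEG_TRACED, DELEG_IMPERSONATION };

/* Named after the ERRORS section; the numeric values are invented. */
enum status { STATUS_OK = 0, STATUS_INVALID_CONTEXT, STATUS_COMPOUND_DELEGATE,
              STATUS_INVALID_DELEG_TYPE, STATUS_DELEG_NOT_ENABLED };

struct rset { int n; const char *names[8]; };

/* Stand-in for sec_login_handle_t and for the caller's authz credential. */
struct ctx {
    int compound;               /* 1 once become_initiator/become_delegate ran */
    enum deleg_type chain_type; /* fixed by the initiating client */
    int chain_open;             /* 0 after some delegate chose DELEG_NONE */
    int hops;                   /* initiator = 1, each delegate adds one */
    struct rset delegates;      /* accumulated delegate_restrictions */
    struct rset targets;        /* accumulated target_restrictions */
};

int rset_contains(const struct rset *s, const char *name) {
    for (int i = 0; i < s->n; i++) if (strcmp(s->names[i], name) == 0) return 1;
    return 0;
}

/* Restrictions only accumulate: dst gains every name in src it lacks. */
static void rset_union(struct rset *dst, const struct rset *src) {
    for (int i = 0; src != NULL && i < src->n; i++)
        if (!rset_contains(dst, src->names[i]) && dst->n < 8)
            dst->names[dst->n++] = src->names[i];
}

/* A plain login context, as sec_login_validate_identity() would yield. */
struct ctx simple_context(void) {
    struct ctx c; memset(&c, 0, sizeof c); return c;
}

/* Models sec_login_become_initiator(): starts the chain and fixes its type. */
struct ctx model_become_initiator(const struct ctx *my, enum deleg_type t,
        const struct rset *dr, const struct rset *tr, enum status *st) {
    struct ctx out = simple_context();
    if (my == NULL) { *st = STATUS_INVALID_CONTEXT; return out; }
    out.compound = out.hops = 1;
    out.chain_type = t; out.chain_open = (t != DELEG_NONE);
    rset_union(&out.delegates, dr); rset_union(&out.targets, tr);
    *st = STATUS_OK; return out;
}

/* Models sec_login_become_delegate(): extends a traced chain by one hop. */
struct ctx model_become_delegate(const struct ctx *caller, const struct ctx *my,
        enum deleg_type t, const struct rset *dr, const struct rset *tr,
        enum status *st) {
    struct ctx out = simple_context();
    if (caller == NULL || !caller->compound || my == NULL) {
        *st = STATUS_INVALID_CONTEXT; return out;
    }
    /* my_login_context must be simple, not the product of an earlier call. */
    if (my->compound) { *st = STATUS_COMPOUND_DELEGATE; return out; }
    /* Only a traced chain may grow here, and only while open (reporting a
     * closed chain as "not enabled" is this model's choice, not the page's). */
    if (caller->chain_type != DELEG_TRACED || !caller->chain_open) {
        *st = STATUS_DELEG_NOT_ENABLED; return out;
    }
    /* Continue traced delegation or stop the chain; never switch to simple. */
    if (t != DELEG_TRACED && t != DELEG_NONE) {
        *st = STATUS_INVALID_DELEG_TYPE; return out;
    }
    out = *caller;                  /* inherits the initiator's type and  */
    out.hops = caller->hops + 1;    /* every restriction added so far     */
    out.chain_open = (t != DELEG_NONE);
    rset_union(&out.delegates, dr); rset_union(&out.targets, tr);
    *st = STATUS_OK; return out;
}

/* Walks a constructed three-member chain; returns how many rules held (6). */
int demo_chain(void) {
    struct rset d0 = {1, {"srvA"}}, t0 = {1, {"db"}}, d1 = {1, {"srvB"}};
    struct ctx client = simple_context(), srvA = client, srvB = client;
    enum status st; int held = 0;
    struct ctx c0 = model_become_initiator(&client, DELEG_TRACED, &d0, &t0, &st);
    held += (st == STATUS_OK && c0.hops == 1);
    struct ctx c1 = model_become_delegate(&c0, &srvA, DELEG_TRACED, &d1, NULL, &st);
    held += (st == STATUS_OK && c1.hops == 2 && rset_contains(&c1.delegates, "srvA")
             && rset_contains(&c1.delegates, "srvB") && rset_contains(&c1.targets, "db"));
    model_become_delegate(&c0, &srvA, DELEG_IMPERSONATION, NULL, NULL, &st);
    held += (st == STATUS_INVALID_DELEG_TYPE);      /* cannot switch type   */
    model_become_delegate(&c1, &c0, DELEG_TRACED, NULL, NULL, &st);
    held += (st == STATUS_COMPOUND_DELEGATE);       /* compound my_context  */
    struct ctx c2 = model_become_delegate(&c1, &srvB, DELEG_NONE, NULL, NULL, &st);
    held += (st == STATUS_OK && !c2.chain_open);    /* srvB ends the chain  */
    model_become_delegate(&c2, &srvA, DELEG_TRACED, NULL, NULL, &st);
    held += (st == STATUS_DELEG_NOT_ENABLED);       /* nothing after srvB   */
    return held;
}

int main(void) { printf("documented rules held: %d of 6\n", demo_chain()); return 0; }
```

In a real intermediate server the inputs come from rpc_binding_inq_auth_caller() (the caller's credential) and from sec_login_get_current_context() or the sec_login_setup_identity()/sec_login_validate_identity() pair (the server's own simple context), and the returned context is handed to rpc_binding_set_auth_info() for the next hop; the model only shows which combinations of those inputs the documented rules accept.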
FILES
SYS$COMMON:[DCE$LIBRARY]SEC_LOGIN.IDL
The IDL file from which dce/sec_login.h was derived.
ERRORS
sec_login_s_invalid_context
sec_login_s_compound_delegate
sec_login_s_invalid_deleg_type
err_sec_login_invalid_delegate_restriction
err_sec_login_invalid_target_restriction
err_sec_login_invalid_opt_restriction
err_sec_login_invalid_req_restriction
sec_login_s_invalid_compat_mode
sec_login_s_deleg_not_enabled
error_status_ok
RELATED INFORMATION
Functions: intro
sec_login_become_initiator
sec_login_become_impersonator
rpc_binding_inq_auth_caller
sec_login_get_current_context
sec_login_setup_identity
sec_login_validate_identity