Skip to content

Commit 45d4817

Browse files
jborean93jborean93
committed
Added ok_as_delegate flags
1 parent daedb01 commit 45d4817

File tree

3 files changed

+30
-0
lines changed

3 files changed

+30
-0
lines changed

docs/source/gssapi.rst

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,6 +65,34 @@ imported in the high-level API :mod:`gssapi` module:
6565
.. autoclass:: gssapi.RequirementFlag
6666
:show-inheritance:
6767

68+
The ``ok_as_delegate`` flag corresponds to the C level flag
69+
``GSS_C_DELEG_POLICY_FLAG``. This flag is similar to ``delegate_to_peer``
70+
except it only delegates if the KDC delegation policies for the service
71+
principal allow it to use delegation. This is typically used on Microsoft
72+
domain environments to control whether constrained or unconstrained delegation
73+
is allowed for a service principal. By setting this flag, the delegation
74+
process follows the same behaviour as delegation on SSPI/Windows.
75+
76+
Here are the four cases when either of these flags are set or not.
77+
78+
Neither flag set
79+
No delegation occurs.
80+
81+
delegate_to_peer
82+
Always try to delegate regardless of the KDC delegation policies.
83+
``delegate_to_peer`` is set in the return flags if successful.
84+
85+
ok_as_delegate
86+
Try to delegate but only if the KDC trusts the service principal for
87+
delegation. ``delegate_to_peer`` and ``ok_as_delegate`` are set in the
88+
return flags if successful.
89+
90+
delegate_to_peer | ok_as_delegate
91+
Acts like ``delegate_to_peer`` being set but will also set
92+
``ok_as_delegate`` in the return flags if the service principal was trusted
93+
for delegation by the KDC.
94+
95+
6896
.. autoclass:: gssapi.AddressType
6997
:show-inheritance:
7098

gssapi/raw/cython_types.pxd

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -105,6 +105,7 @@ cdef extern from "python_gssapi.h":
105105
OM_uint32 GSS_C_ANON_FLAG
106106
OM_uint32 GSS_C_TRANS_FLAG
107107
OM_uint32 GSS_C_PROT_READY_FLAG
108+
OM_uint32 GSS_C_DELEG_POLICY_FLAG
108109

109110
# address types
110111
OM_uint32 GSS_C_AF_UNSPEC

gssapi/raw/types.pyx

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -60,6 +60,7 @@ class RequirementFlag(IntEnum, metaclass=ExtendableEnum):
6060
anonymity = GSS_C_ANON_FLAG
6161
protection_ready = GSS_C_PROT_READY_FLAG
6262
transferable = GSS_C_TRANS_FLAG
63+
ok_as_delegate = GSS_C_DELEG_POLICY_FLAG
6364

6465

6566
class AddressType(IntEnum, metaclass=ExtendableEnum):

0 commit comments

Comments
 (0)