sec_login_certify_identity - Certify a (validated) login context.

#include <dce/sec_login.h>

boolean32 sec_login_certify_identity(
    sec_login_handle_t login_context,
    error_status_t *status);

Input
- login_context
Login context to be certified.
Output
- status
The completion status.
The sec_login_certify_identity() routine certifies a (validated) login context; that is, demonstrates its trustworthiness (for the purpose of basing access decisions on information carried in it) to parties other than the principal/account to which it is associated.

In typical implementations this is accomplished by using the login context to execute a protected RPC (of authentication type rpc_c_authn_dce_secret, of authorisation type rpc_c_authz_dce, and of protection level rpc_c_protect_level_pkt_integ) to the local host's SCD. If an implementation of sec_login_certify_identity() does not support the same strong guarantee of "infallible" certification that sec_login_valid_and_cert_ident() does, this fact (as well as the information about the strength of the guarantee that actually is supported) must be noted in the implementation's documentation of sec_login_certify_identity(). (See Further Discussion of Certification for details.)

Typically, this routine is called by a host's login program, which uses the information contained in the login context to set security attributes of the logging-in user (principal/account) that will be subsequently used for access control to the local host's resources (such as computing power); see sec_login_get_pwent(), sec_login_get_groups() and sec_login_get_expiration().

In typical implementations, if this operation succeeds, it updates local security registration information on the local host (information derived from information in the (now-certified) login context). This locally held information can be used for subsequent logins if the RS is unreachable (for example, because of a network partition), though such information is usable only for access to local resources (that is, it endows a process with local identity information, but not with a login context that can be used for protected RPCs).

The routine returns a non-0 (TRUE) value if the certification was successful, and 0 (FALSE) otherwise.
- error_status_ok
- sec_login_s_config
- sec_login_s_context_invalid
- sec_login_s_default_use
Functions: sec_login_get_pwent(), sec_login_get_groups(), sec_login_get_expiration(), sec_login_valid_and_cert_ident().
Protocols: scd_protected_noop().