3 files changed +30 -0 lines changed
@@ -65,6 +65,34 @@ imported in the high-level API :mod:`gssapi` module:
6565 .. autoclass :: gssapi.RequirementFlag
6666 :show-inheritance:
6767
68+ The ``ok_as_delegate `` flag corresponds to the C level flag
69+ ``GSS_C_DELEG_POLICY_FLAG ``. This flag is similar to ``delegate_to_peer ``
70+ except it only delegates if the KDC delegation policies for the service
71+ principal allow it to use delegation. This is typically used on Microsoft
72+ domain environments to control whether constrained or unconstrained delegation
73+ is allowed for a service principal. By setting this flag, the delegation
74+ process follows the same behaviour as delegation on SSPI/Windows.
75+
76+ Here are the four cases when either of these flags are set or not.
77+
78+ Neither flag set
79+ No delegation occurs.
80+
81+ delegate_to_peer
82+ Always try to delegate regardless of the KDC delegation policies.
83+ ``delegate_to_peer `` is set in the return flags if successful.
84+
85+ ok_as_delegate
86+ Try to delegate but only if the KDC trusts the service principal for
87+ delegation. ``delegate_to_peer `` and ``ok_as_delegate `` are set in the
88+ return flags if successful.
89+
90+ delegate_to_peer | ok_as_delegate
91+ Acts like ``delegate_to_peer `` being set but will also set
92+ ``ok_as_delegate `` in the return flags if the service principal was trusted
93+ for delegation by the KDC.
94+
95+
6896.. autoclass :: gssapi.AddressType
6997 :show-inheritance:
7098
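Review bot: The four-case list (new lines 78-93) describes each combination but never says which one a caller should prefer or how to confirm the outcome. Line 82 states that ``delegate_to_peer`` delegates regardless of the KDC delegation policies, so the text should say plainly that ``ok_as_delegate`` on its own is the policy-respecting choice, and that callers should check the return flags before assuming credentials were forwarded. Separately, "when either of these flags are set or not" on line 76 reads awkwardly; "for the four combinations of these two flags" would be clearer.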
@@ -105,6 +105,7 @@ cdef extern from "python_gssapi.h":
105105 OM_uint32 GSS_C_ANON_FLAG
106106 OM_uint32 GSS_C_TRANS_FLAG
107107 OM_uint32 GSS_C_PROT_READY_FLAG
108+ OM_uint32 GSS_C_DELEG_POLICY_FLAG
108109
109110 # address types
110111 OM_uint32 GSS_C_AF_UNSPEC
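Review bot: New line 108 declares GSS_C_DELEG_POLICY_FLAG unconditionally in the same extern block as the long-standing flags, with no guard or fallback. Please confirm that the headers of every supported GSSAPI implementation define it; if any do not, this declaration will break the build there, and a fallback definition in python_gssapi.h (or a conditional declaration) would be needed. A one-line comment marking it as the delegation-policy flag would also help, since its name does not match the Python-side ``ok_as_delegate``.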
@@ -60,6 +60,7 @@ class RequirementFlag(IntEnum, metaclass=ExtendableEnum):
6060 anonymity = GSS_C_ANON_FLAG
6161 protection_ready = GSS_C_PROT_READY_FLAG
6262 transferable = GSS_C_TRANS_FLAG
63+ ok_as_delegate = GSS_C_DELEG_POLICY_FLAG
6364
6465
6566class AddressType (IntEnum , metaclass= ExtendableEnum ):
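Review bot: The new member on line 63 ships without a test; the commit touches three files and none of them is a test file. Please add a check that ``RequirementFlag.ok_as_delegate`` exists and maps to GSS_C_DELEG_POLICY_FLAG, ideally alongside a context test covering the return-flag behaviour described in the documentation hunk. It is also worth stating in a comment why the Python name differs from the C name, as the other members on lines 60-62 follow their C flag names more closely.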