package krb

val in_memory_for_principal_with_s4u2self_cred : ?server_cred_cache:t -> Principal.Name.t -> t Async.Deferred.Or_error.t

This function uses the S4U2Self Kerberos extension to get a ticket from the passed-in principal to the owner of server_cred_cache (or the default cred cache, if that is None).

This is quite different from a normal ticket - the user you currently have credentials for is the server, not the client, in the resulting ticket. This means that you are impersonating the client - but only to other apps running as the same principal as you! This can be useful for keeping internal communication within an app Kerberized, even if it is on behalf of other users, without having to have a more explicit trust relationship and tag RPCs with the "acting" user.

This is also different from a normal cred-cache, as it will never contain a TGT! The cache itself is tagged with this fact, so functions like Tgt.keep_valid_indefinitely will fail if they see a cache like this, and others like Cred_cache.keep_valid will behave differently (in that case, by renewing the expected non-TGT).

NOTE: If the principal you are requesting is also the server's principal, this function will return an error.

val ensure_s4u2self_valid : ?valid_for_at_least:Time_float_unix.Span.t -> ?server_cred_cache:t -> t -> Principal.Name.t -> unit Async.Deferred.Or_error.t

Looks for a ticket in t where the server is the named principal. If there is one, ensure it is valid for at least valid_for_at_least, renewing if it isn't.

If this is a TGT-holding cache (that is, if t didn't originate from in_memory_for_principal_with_s4u2self_cred), this will fail.
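The two functions used together, as an added example rather than code from the krb library or this page. It assumes the vals live in Krb.Cred_cache, that Krb.Principal.Name.User builds a user principal name, and that ppx_let supplies let%bind; the principal names are constructed samples.

```ocaml
open Core
open Async

(* Assumed (not stated on this page): these vals live in [Krb.Cred_cache],
   [Krb.Principal.Name.User] builds a user principal name, and ppx_let
   provides [let%bind]. *)

(* Run [f] with an S4U2Self cache that lets this process act as [client],
   but only towards services running under our own principal [self].
   Errors, e.g. [client] being our own principal (which the doc says is
   rejected), propagate through [Deferred.Or_error]. *)
let with_s4u2self_cache
      ?server_cred_cache
      ~(client : Krb.Principal.Name.t)
      ~(self : Krb.Principal.Name.t)
      ~(valid_for_at_least : Time_float_unix.Span.t)
      (f : Krb.Cred_cache.t -> 'a Deferred.Or_error.t)
  : 'a Deferred.Or_error.t
  =
  let open Deferred.Or_error.Let_syntax in
  (* Resulting ticket: client = [client], server = owner of
     [server_cred_cache] (the default cache if omitted). Holds no TGT. *)
  let%bind cache =
    Krb.Cred_cache.in_memory_for_principal_with_s4u2self_cred
      ?server_cred_cache
      client
  in
  (* Per the doc, the named principal is the ticket's server, i.e. [self].
     Renews if the ticket would expire within [valid_for_at_least]; fails
     on a TGT-holding cache, so only the cache obtained above is passed. *)
  let%bind () =
    Krb.Cred_cache.ensure_s4u2self_valid
      ~valid_for_at_least
      ?server_cred_cache
      cache
      self
  in
  f cache

(* Constructed sample usage: act as "alice" towards our own services,
   keeping the ticket good for at least ten minutes. *)
let demo () : unit Deferred.Or_error.t =
  with_s4u2self_cache
    ~client:(Krb.Principal.Name.User "alice")
    ~self:(Krb.Principal.Name.User "my-service")
    ~valid_for_at_least:(Time_float_unix.Span.of_min 10.)
    (fun cache ->
       (* [cache] is now usable for outbound Kerberized RPCs on alice's
          behalf, but cannot reach services under other principals. *)
       ignore (cache : Krb.Cred_cache.t);
       Deferred.Or_error.return ())
```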
