<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/> <meta http-equiv="X-UA-Compatible" content="IE=9"/> <meta name="generator" content="Doxygen 1.8.15"/> <meta name="viewport" content="width=device-width, initial-scale=1"/> <title>sss_certmap: Allow rule-based mapping of certificates to users</title> <link href="tabs.css" rel="stylesheet" type="text/css"/> <script type="text/javascript" src="jquery.js"></script> <script type="text/javascript" src="dynsections.js"></script> <link href="search/search.css" rel="stylesheet" type="text/css"/> <script type="text/javascript" src="search/searchdata.js"></script> <script type="text/javascript" src="search/search.js"></script> <link href="doxygen.css" rel="stylesheet" type="text/css" /> </head> <body> <div id="top"><!-- do not remove this div, it is closed by doxygen! 
--> <div id="titlearea"> <table cellspacing="0" cellpadding="0"> <tbody> <tr style="height: 56px;"> <td id="projectalign" style="padding-left: 0.5em;"> <div id="projectname">sss_certmap </div> </td> </tr> </tbody> </table> </div> <!-- end header part --> <!-- Generated by Doxygen 1.8.15 --> <script type="text/javascript"> /* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&dn=gpl-2.0.txt GPL-v2 */ var searchBox = new SearchBox("searchBox", "search",false,'Search'); /* @license-end */ </script> <script type="text/javascript" src="menudata.js"></script> <script type="text/javascript" src="menu.js"></script> <script type="text/javascript"> /* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&dn=gpl-2.0.txt GPL-v2 */ $(function() { initMenu('',true,false,'search.php','Search'); $(document).ready(function() { init_search(); }); }); /* @license-end */</script> <div id="main-nav"></div> </div><!-- top --> <!-- window showing the filter options --> <div id="MSearchSelectWindow" onmouseover="return searchBox.OnSearchSelectShow()" onmouseout="return searchBox.OnSearchSelectHide()" onkeydown="return searchBox.OnSearchSelectKey(event)"> </div> <!-- iframe showing the search results (closed by default) --> <div id="MSearchResultsWindow"> <iframe src="javascript:void(0)" frameborder="0" name="MSearchResults" id="MSearchResults"> </iframe> </div> <div class="header"> <div class="summary"> <a href="#define-members">Macros</a> | <a href="#typedef-members">Typedefs</a> | <a href="#func-members">Functions</a> </div> <div class="headertitle"> <div class="title">Allow rule-based mapping of certificates to users</div> </div> </div><!--header--> <div class="contents"> <table class="memberdecls"> <tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="define-members"></a> Macros</h2></td></tr> <tr class="memitem:ga647ab117b6efe243171efc0a8115ae3b"><td class="memItemLeft" align="right" valign="top">#define </td><td class="memItemRight" 
valign="bottom"><a class="el" href="group__sss__certmap.html#ga647ab117b6efe243171efc0a8115ae3b">SSS_CERTMAP_MIN_PRIO</a>   UINT32_MAX</td></tr> <tr class="separator:ga647ab117b6efe243171efc0a8115ae3b"><td class="memSeparator" colspan="2"> </td></tr> </table><table class="memberdecls"> <tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="typedef-members"></a> Typedefs</h2></td></tr> <tr class="memitem:gac80bf9c5fb28d4507e89ff7a36957c11"><td class="memItemLeft" align="right" valign="top">typedef void() </td><td class="memItemRight" valign="bottom"><a class="el" href="group__sss__certmap.html#gac80bf9c5fb28d4507e89ff7a36957c11">sss_certmap_ext_debug</a>(void *pvt, const char *file, long line, const char *function, const char *format,...)</td></tr> <tr class="separator:gac80bf9c5fb28d4507e89ff7a36957c11"><td class="memSeparator" colspan="2"> </td></tr> </table><table class="memberdecls"> <tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="func-members"></a> Functions</h2></td></tr> <tr class="memitem:ga9c2cd86a51d26536d64b6e2830fa7ac8"><td class="memItemLeft" align="right" valign="top">int </td><td class="memItemRight" valign="bottom"><a class="el" href="group__sss__certmap.html#ga9c2cd86a51d26536d64b6e2830fa7ac8">sss_certmap_init</a> (TALLOC_CTX *mem_ctx, <a class="el" href="group__sss__certmap.html#gac80bf9c5fb28d4507e89ff7a36957c11">sss_certmap_ext_debug</a> *debug, void *debug_priv, struct sss_certmap_ctx **ctx)</td></tr> <tr class="memdesc:ga9c2cd86a51d26536d64b6e2830fa7ac8"><td class="mdescLeft"> </td><td class="mdescRight">Initialize certmap context. 
<a href="#ga9c2cd86a51d26536d64b6e2830fa7ac8">More...</a><br /></td></tr> <tr class="separator:ga9c2cd86a51d26536d64b6e2830fa7ac8"><td class="memSeparator" colspan="2"> </td></tr> <tr class="memitem:ga0eeecccf37d34dafb78ef0482e84926a"><td class="memItemLeft" align="right" valign="top">void </td><td class="memItemRight" valign="bottom"><a class="el" href="group__sss__certmap.html#ga0eeecccf37d34dafb78ef0482e84926a">sss_certmap_free_ctx</a> (struct sss_certmap_ctx *ctx)</td></tr> <tr class="memdesc:ga0eeecccf37d34dafb78ef0482e84926a"><td class="mdescLeft"> </td><td class="mdescRight">Free certmap context. <a href="#ga0eeecccf37d34dafb78ef0482e84926a">More...</a><br /></td></tr> <tr class="separator:ga0eeecccf37d34dafb78ef0482e84926a"><td class="memSeparator" colspan="2"> </td></tr> <tr class="memitem:ga0c23fb2d13a0371eb63464679719525d"><td class="memItemLeft" align="right" valign="top">int </td><td class="memItemRight" valign="bottom"><a class="el" href="group__sss__certmap.html#ga0c23fb2d13a0371eb63464679719525d">sss_certmap_add_rule</a> (struct sss_certmap_ctx *ctx, uint32_t priority, const char *match_rule, const char *map_rule, const char **domains)</td></tr> <tr class="memdesc:ga0c23fb2d13a0371eb63464679719525d"><td class="mdescLeft"> </td><td class="mdescRight">Add a rule to the certmap context. 
<a href="#ga0c23fb2d13a0371eb63464679719525d">More...</a><br /></td></tr> <tr class="separator:ga0c23fb2d13a0371eb63464679719525d"><td class="memSeparator" colspan="2"> </td></tr> <tr class="memitem:ga0a1d6c73648130a76b5d2aa3792ebd11"><td class="memItemLeft" align="right" valign="top">int </td><td class="memItemRight" valign="bottom"><a class="el" href="group__sss__certmap.html#ga0a1d6c73648130a76b5d2aa3792ebd11">sss_certmap_match_cert</a> (struct sss_certmap_ctx *ctx, const uint8_t *der_cert, size_t der_size)</td></tr> <tr class="memdesc:ga0a1d6c73648130a76b5d2aa3792ebd11"><td class="mdescLeft"> </td><td class="mdescRight">Check if a certificate matches any of the applied rules. <a href="#ga0a1d6c73648130a76b5d2aa3792ebd11">More...</a><br /></td></tr> <tr class="separator:ga0a1d6c73648130a76b5d2aa3792ebd11"><td class="memSeparator" colspan="2"> </td></tr> <tr class="memitem:ga5b3549a0b8bb1343351a0154eaf9d5c5"><td class="memItemLeft" align="right" valign="top">int </td><td class="memItemRight" valign="bottom"><a class="el" href="group__sss__certmap.html#ga5b3549a0b8bb1343351a0154eaf9d5c5">sss_certmap_get_search_filter</a> (struct sss_certmap_ctx *ctx, const uint8_t *der_cert, size_t der_size, char **filter, char ***domains)</td></tr> <tr class="memdesc:ga5b3549a0b8bb1343351a0154eaf9d5c5"><td class="mdescLeft"> </td><td class="mdescRight">Get the LDAP filter string for a certificate. 
<a href="#ga5b3549a0b8bb1343351a0154eaf9d5c5">More...</a><br /></td></tr> <tr class="separator:ga5b3549a0b8bb1343351a0154eaf9d5c5"><td class="memSeparator" colspan="2"> </td></tr> <tr class="memitem:ga7944c89e92883b7c2fe8c279b02bd1a8"><td class="memItemLeft" align="right" valign="top">void </td><td class="memItemRight" valign="bottom"><a class="el" href="group__sss__certmap.html#ga7944c89e92883b7c2fe8c279b02bd1a8">sss_certmap_free_filter_and_domains</a> (char *filter, char **domains)</td></tr> <tr class="memdesc:ga7944c89e92883b7c2fe8c279b02bd1a8"><td class="mdescLeft"> </td><td class="mdescRight">Free data returned by <a class="el" href="group__sss__certmap.html#ga5b3549a0b8bb1343351a0154eaf9d5c5">sss_certmap_get_search_filter</a>. <a href="#ga7944c89e92883b7c2fe8c279b02bd1a8">More...</a><br /></td></tr> <tr class="separator:ga7944c89e92883b7c2fe8c279b02bd1a8"><td class="memSeparator" colspan="2"> </td></tr> </table> <a name="details" id="details"></a><h2 class="groupheader">Detailed Description</h2> <p>Libsss_certmap provides a mechanism to map X.509 certificates to users based on rules. 
</p> <h2 class="groupheader">Macro Definition Documentation</h2> <a id="ga647ab117b6efe243171efc0a8115ae3b"></a> <h2 class="memtitle"><span class="permalink"><a href="#ga647ab117b6efe243171efc0a8115ae3b">◆ </a></span>SSS_CERTMAP_MIN_PRIO</h2> <div class="memitem"> <div class="memproto"> <table class="memname"> <tr> <td class="memname">#define SSS_CERTMAP_MIN_PRIO   UINT32_MAX</td> </tr> </table> </div><div class="memdoc"> <p>Lowest priority of a rule </p> </div> </div> <h2 class="groupheader">Typedef Documentation</h2> <a id="gac80bf9c5fb28d4507e89ff7a36957c11"></a> <h2 class="memtitle"><span class="permalink"><a href="#gac80bf9c5fb28d4507e89ff7a36957c11">◆ </a></span>sss_certmap_ext_debug</h2> <div class="memitem"> <div class="memproto"> <table class="memname"> <tr> <td class="memname">typedef void() sss_certmap_ext_debug(void *pvt, const char *file, long line, const char *function, const char *format,...)</td> </tr> </table> </div><div class="memdoc"> <p>Typedef for external debug callback </p> </div> </div> <h2 class="groupheader">Function Documentation</h2> <a id="ga0c23fb2d13a0371eb63464679719525d"></a> <h2 class="memtitle"><span class="permalink"><a href="#ga0c23fb2d13a0371eb63464679719525d">◆ </a></span>sss_certmap_add_rule()</h2> <div class="memitem"> <div class="memproto"> <table class="memname"> <tr> <td class="memname">int sss_certmap_add_rule </td> <td>(</td> <td class="paramtype">struct sss_certmap_ctx * </td> <td class="paramname"><em>ctx</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">uint32_t </td> <td class="paramname"><em>priority</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">const char * </td> <td class="paramname"><em>match_rule</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">const char * </td> <td class="paramname"><em>map_rule</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">const char ** </td> <td 
class="paramname"><em>domains</em> </td> </tr> <tr> <td></td> <td>)</td> <td></td><td></td> </tr> </table> </div><div class="memdoc"> <p>Add a rule to the certmap context. </p> <dl class="params"><dt>Parameters</dt><dd> <table class="params"> <tr><td class="paramdir">[in]</td><td class="paramname">ctx</td><td>certmap context previously initialized with <a class="el" href="group__sss__certmap.html#ga9c2cd86a51d26536d64b6e2830fa7ac8">sss_certmap_init</a> </td></tr> <tr><td class="paramdir">[in]</td><td class="paramname">priority</td><td>priority of the rule, 0 is the highest priority, the lowest is SSS_CERTMAP_MIN_PRIO </td></tr> <tr><td class="paramdir">[in]</td><td class="paramname">match_rule</td><td>String with the matching rule </td></tr> <tr><td class="paramdir">[in]</td><td class="paramname">map_rule</td><td>String with the mapping rule </td></tr> <tr><td class="paramdir">[in]</td><td class="paramname">domains</td><td>NULL-terminated string array with a list of domains the rule should be valid for, i.e. only these domains should be searched for matching users</td></tr> </table> </dd> </dl> <dl class="section return"><dt>Returns</dt><dd><ul> <li>0: success </li> </ul> </dd></dl> </div> </div> <a id="ga0eeecccf37d34dafb78ef0482e84926a"></a> <h2 class="memtitle"><span class="permalink"><a href="#ga0eeecccf37d34dafb78ef0482e84926a">◆ </a></span>sss_certmap_free_ctx()</h2> <div class="memitem"> <div class="memproto"> <table class="memname"> <tr> <td class="memname">void sss_certmap_free_ctx </td> <td>(</td> <td class="paramtype">struct sss_certmap_ctx * </td> <td class="paramname"><em>ctx</em></td><td>)</td> <td></td> </tr> </table> </div><div class="memdoc"> <p>Free certmap context. 
</p> <dl class="params"><dt>Parameters</dt><dd> <table class="params"> <tr><td class="paramdir">[in]</td><td class="paramname">ctx</td><td>certmap context previously initialized with <a class="el" href="group__sss__certmap.html#ga9c2cd86a51d26536d64b6e2830fa7ac8">sss_certmap_init</a>, may be NULL </td></tr> </table> </dd> </dl> </div> </div> <a id="ga7944c89e92883b7c2fe8c279b02bd1a8"></a> <h2 class="memtitle"><span class="permalink"><a href="#ga7944c89e92883b7c2fe8c279b02bd1a8">◆ </a></span>sss_certmap_free_filter_and_domains()</h2> <div class="memitem"> <div class="memproto"> <table class="memname"> <tr> <td class="memname">void sss_certmap_free_filter_and_domains </td> <td>(</td> <td class="paramtype">char * </td> <td class="paramname"><em>filter</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">char ** </td> <td class="paramname"><em>domains</em> </td> </tr> <tr> <td></td> <td>)</td> <td></td><td></td> </tr> </table> </div><div class="memdoc"> <p>Free data returned by <a class="el" href="group__sss__certmap.html#ga5b3549a0b8bb1343351a0154eaf9d5c5">sss_certmap_get_search_filter</a>. 
</p> <dl class="params"><dt>Parameters</dt><dd> <table class="params"> <tr><td class="paramdir">[in]</td><td class="paramname">filter</td><td>LDAP filter strings returned by sss_certmap_get_search_filter </td></tr> <tr><td class="paramdir">[in]</td><td class="paramname">domains</td><td>string array of domains returned by sss_certmap_get_search_filter </td></tr> </table> </dd> </dl> </div> </div> <a id="ga5b3549a0b8bb1343351a0154eaf9d5c5"></a> <h2 class="memtitle"><span class="permalink"><a href="#ga5b3549a0b8bb1343351a0154eaf9d5c5">◆ </a></span>sss_certmap_get_search_filter()</h2> <div class="memitem"> <div class="memproto"> <table class="memname"> <tr> <td class="memname">int sss_certmap_get_search_filter </td> <td>(</td> <td class="paramtype">struct sss_certmap_ctx * </td> <td class="paramname"><em>ctx</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">const uint8_t * </td> <td class="paramname"><em>der_cert</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">size_t </td> <td class="paramname"><em>der_size</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">char ** </td> <td class="paramname"><em>filter</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">char *** </td> <td class="paramname"><em>domains</em> </td> </tr> <tr> <td></td> <td>)</td> <td></td><td></td> </tr> </table> </div><div class="memdoc"> <p>Get the LDAP filter string for a certificate. 
</p> <dl class="params"><dt>Parameters</dt><dd> <table class="params"> <tr><td class="paramdir">[in]</td><td class="paramname">ctx</td><td>certmap context previously initialized with <a class="el" href="group__sss__certmap.html#ga9c2cd86a51d26536d64b6e2830fa7ac8">sss_certmap_init</a> </td></tr> <tr><td class="paramdir">[in]</td><td class="paramname">der_cert</td><td>binary blob with the DER encoded certificate </td></tr> <tr><td class="paramdir">[in]</td><td class="paramname">der_size</td><td>size of the certificate blob </td></tr> <tr><td class="paramdir">[out]</td><td class="paramname">filter</td><td>LDAP filter string, caller should free the data by calling sss_certmap_free_filter_and_domains </td></tr> <tr><td class="paramdir">[out]</td><td class="paramname">domains</td><td>NULL-terminated array of strings with the domains the rule applies to, caller should free the data by calling sss_certmap_free_filter_and_domains</td></tr> </table> </dd> </dl> <dl class="section return"><dt>Returns</dt><dd><ul> <li>0: certificate matches a rule</li> <li>ENOENT: certificate does not match</li> <li>EINVAL: internal error </li> </ul> </dd></dl> </div> </div> <a id="ga9c2cd86a51d26536d64b6e2830fa7ac8"></a> <h2 class="memtitle"><span class="permalink"><a href="#ga9c2cd86a51d26536d64b6e2830fa7ac8">◆ </a></span>sss_certmap_init()</h2> <div class="memitem"> <div class="memproto"> <table class="memname"> <tr> <td class="memname">int sss_certmap_init </td> <td>(</td> <td class="paramtype">TALLOC_CTX * </td> <td class="paramname"><em>mem_ctx</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype"><a class="el" href="group__sss__certmap.html#gac80bf9c5fb28d4507e89ff7a36957c11">sss_certmap_ext_debug</a> * </td> <td class="paramname"><em>debug</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">void * </td> <td class="paramname"><em>debug_priv</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">struct 
sss_certmap_ctx ** </td> <td class="paramname"><em>ctx</em> </td> </tr> <tr> <td></td> <td>)</td> <td></td><td></td> </tr> </table> </div><div class="memdoc"> <p>Initialize certmap context. </p> <dl class="params"><dt>Parameters</dt><dd> <table class="params"> <tr><td class="paramdir">[in]</td><td class="paramname">mem_ctx</td><td>Talloc memory context, may be NULL </td></tr> <tr><td class="paramdir">[in]</td><td class="paramname">debug</td><td>Callback to handle debug output, may be NULL </td></tr> <tr><td class="paramdir">[in]</td><td class="paramname">debug_priv</td><td>Private data for debugging callback, may be NULL </td></tr> <tr><td class="paramdir">[out]</td><td class="paramname">ctx</td><td>New certmap context</td></tr> </table> </dd> </dl> <dl class="section return"><dt>Returns</dt><dd><ul> <li>0: success</li> <li>ENOMEM: failed to allocate internal Talloc context</li> <li>EINVAL: ctx is NULL </li> </ul> </dd></dl> </div> </div> <a id="ga0a1d6c73648130a76b5d2aa3792ebd11"></a> <h2 class="memtitle"><span class="permalink"><a href="#ga0a1d6c73648130a76b5d2aa3792ebd11">◆ </a></span>sss_certmap_match_cert()</h2> <div class="memitem"> <div class="memproto"> <table class="memname"> <tr> <td class="memname">int sss_certmap_match_cert </td> <td>(</td> <td class="paramtype">struct sss_certmap_ctx * </td> <td class="paramname"><em>ctx</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">const uint8_t * </td> <td class="paramname"><em>der_cert</em>, </td> </tr> <tr> <td class="paramkey"></td> <td></td> <td class="paramtype">size_t </td> <td class="paramname"><em>der_size</em> </td> </tr> <tr> <td></td> <td>)</td> <td></td><td></td> </tr> </table> </div><div class="memdoc"> <p>Check if a certificate matches any of the applied rules. 
</p> <dl class="params"><dt>Parameters</dt><dd> <table class="params"> <tr><td class="paramdir">[in]</td><td class="paramname">ctx</td><td>certmap context previously initialized with <a class="el" href="group__sss__certmap.html#ga9c2cd86a51d26536d64b6e2830fa7ac8">sss_certmap_init</a> </td></tr> <tr><td class="paramdir">[in]</td><td class="paramname">der_cert</td><td>binary blob with the DER encoded certificate </td></tr> <tr><td class="paramdir">[in]</td><td class="paramname">der_size</td><td>size of the certificate blob</td></tr> </table> </dd> </dl> <dl class="section return"><dt>Returns</dt><dd><ul> <li>0: certificate matches a rule</li> <li>ENOENT: certificate does not match</li> <li>EINVAL: internal error </li> </ul> </dd></dl> </div> </div> </div><!-- contents --> <!-- start footer part --> <hr class="footer"/><address class="footer"><small> Generated by  <a href="http://www.doxygen.org/index.html"> <img class="footer" src="doxygen.png" alt="doxygen"/> </a> 1.8.15 </small></address> </body> </html>