Rely on module ordering for localauth

Register built-in localauth modules in the order we want them used by default, and document accordingly. ticket: 7665
krb5 · Jun 27, 2013 · a6765ca · a6765ca
1 parent e0a7479
commit a6765ca
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 44 deletions.
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
@@ -749,30 +749,30 @@ for the local authorization interface, which affects the relationship
 between Kerberos principals and local system accounts.  The following
 built-in modules exist for this interface:
 
-**auth_to_local**
-    This module processes **auth_to_local** values in the default
-    realm's section, and applies the default method if no
-    **auth_to_local** values exist.
-
-**an2ln**
-    This module authorizes a principal to a local account if the
-    principal name maps to the local account name.
-
 **default**
     This module implements the **DEFAULT** type for **auth_to_local**
     values.
 
-**k5login**
-    This module authorizes a principal to a local account according to
-    the account's :ref:`.k5login(5)` file.
+**rule**
+    This module implements the **RULE** type for **auth_to_local**
+    values.
 
 **names**
     This module looks for an **auth_to_local_names** mapping for the
     principal name.
 
-**rule**
-    This module implements the **RULE** type for **auth_to_local**
-    values.
+**auth_to_local**
+    This module processes **auth_to_local** values in the default
+    realm's section, and applies the default method if no
+    **auth_to_local** values exist.
+
+**k5login**
+    This module authorizes a principal to a local account according to
+    the account's :ref:`.k5login(5)` file.
+
+**an2ln**
+    This module authorizes a principal to a local account if the
+    principal name maps to the local account name.
 
 
 PKINIT options

diff --git a/doc/plugindev/localauth.rst b/doc/plugindev/localauth.rst
@@ -33,10 +33,10 @@ residual string of the **auth_to_local** value.
 
 If the module does not set **an2ln_types** but does implement
 **an2ln**, the module's **an2ln** method will be invoked for all
-:c:func:`krb5_aname_to_localname` operations before the built-in
-mechanisms are applied, with *type* and *residual* set to NULL.  The
-module can return KRB5_LNAME_NO_TRANS to defer mapping to the built-in
-mechanisms.
+:c:func:`krb5_aname_to_localname` operations unless an earlier module
+determines a mapping, with *type* and *residual* set to NULL.  The
+module can return KRB5_LNAME_NO_TRANS to defer mapping to later
+modules.
 
 If a module implements **an2ln**, it must also implement
 **free_string** to ensure that memory is allocated and deallocated

diff --git a/src/lib/krb5/os/localauth.c b/src/lib/krb5/os/localauth.c
@@ -100,18 +100,6 @@ check_conflict(krb5_context context, struct localauth_module_handle **list,
     return 0;
 }
 
-/* If mod is in list, move it to the back. */
-static void
-move_to_back(krb5_plugin_initvt_fn *list, krb5_plugin_initvt_fn mod)
-{
-    for (; *list != NULL && *list != mod; list++);
-    if (*list == NULL)
-        return;
-    for (; *list != NULL; list++)
-        *list = *(list + 1);
-    *(list - 1) = mod;
-}
-
 /* Get the registered localauth modules including all built-in modules, in the
  * proper order. */
 static krb5_error_code
@@ -123,18 +111,18 @@ get_modules(krb5_context context, krb5_plugin_initvt_fn **modules_out)
     *modules_out = NULL;
 
     /* Register built-in modules. */
-    ret = k5_plugin_register(context, intf, "auth_to_local",
-                             localauth_auth_to_local_initvt);
+    ret = k5_plugin_register(context, intf, "default",
+                             localauth_default_initvt);
     if (ret)
         return ret;
-    ret = k5_plugin_register(context, intf, "names", localauth_names_initvt);
+    ret = k5_plugin_register(context, intf, "rule", localauth_rule_initvt);
     if (ret)
         return ret;
-    ret = k5_plugin_register(context, intf, "default",
-                             localauth_default_initvt);
+    ret = k5_plugin_register(context, intf, "names", localauth_names_initvt);
     if (ret)
         return ret;
-    ret = k5_plugin_register(context, intf, "rule", localauth_rule_initvt);
+    ret = k5_plugin_register(context, intf, "auth_to_local",
+                             localauth_auth_to_local_initvt);
     if (ret)
         return ret;
     ret = k5_plugin_register(context, intf, "k5login",
@@ -149,13 +137,6 @@ get_modules(krb5_context context, krb5_plugin_initvt_fn **modules_out)
     if (ret)
         return ret;
 
-    /* Move built-in userok and untyped an2ln localauth modules to back so we
-     * try loaded modules first. */
-    move_to_back(*modules_out, localauth_names_initvt);
-    move_to_back(*modules_out, localauth_auth_to_local_initvt);
-    move_to_back(*modules_out, localauth_k5login_initvt);
-    move_to_back(*modules_out, localauth_an2ln_initvt);
-
     return 0;
 }