Object identifier

Applications use the gss_OID data type to identify a security mechanism and to identify a name type.

Select a security mechanism by using one of the following object identifiers (OIDs):
  • For the Kerberos security mechanism, specify gss_mech_krb5. This corresponds to object identifier {1 2 840 113554 1 2 2}. The Kerberos mechanism is used when the initiator authenticates with a Kerberos service ticket. For backward compatibility only, you can specify gss_mech_krb5_old, which corresponds to object identifier {1 3 5 1 5 2}; gss_mech_krb5_old is valid only with DES and DES3 session keys.
  • For SPKM (Simple Public Key Mechanism), specify gss_mech_spkm3. This corresponds to object identifier {1 3 6 1 5 5 1 3}. The SPKM mechanism is used when the initiator authenticates with an X.509 certificate.
  • For LIPKEY (Low Infrastructure Public Key Mechanism), specify gss_mech_lipkey. This corresponds to object identifier {1 3 6 1 5 5 9}. The LIPKEY mechanism is used when the initiator authenticates with a userid and password.
Select a name type by using one of the following OIDs:
  • For a user name, specify GSS_C_NT_USER_NAME. This corresponds to object identifier {1 2 840 113554 1 2 1 1}. Each mechanism interprets the string differently:
      • For the Kerberos mechanism, the user name is the character string representation of a Kerberos principal, either the fully-qualified principal@realm or the unqualified principal. The local realm is appended if an unqualified principal name is specified.
      • For the SPKM mechanism, the user name is either the distinguished name of the user or just the common name component. A name is assumed to be a distinguished name if it contains an '=' character; otherwise it is assumed to be the common name component. For example, "CN=John Doe,O=IBM®,C=US" is a distinguished name, while "John Doe" is a common name component.
      • For the LIPKEY mechanism, the user name is interpreted differently depending on whether it is a source name or a target name. A target name is handled as described for the SPKM mechanism. A source name must be a name acceptable as a system userid on the target system.
  • For a service, specify GSS_C_NT_HOSTBASED_SERVICE. This corresponds to object identifier {1 2 840 113554 1 2 1 4}.
      • For the Kerberos mechanism, a service is a character string that is either fully-qualified (service@host) or unqualified (service); the local host name is appended if an unqualified service name is specified. The name is then converted to service/canonical-name@kerberos-realm, where canonical-name is obtained by doing a DNS lookup for the supplied host name and taking the canonical host name returned by the name server. Because that step trusts the DNS answer, a spoofed or poisoned response changes which service principal the initiator requests a ticket for; supply the canonical host name directly wherever the configuration allows it.
      • For the SPKM and LIPKEY mechanisms, the service name is converted to 'service/host' and used as the common name component for the server providing the service. The supplied host name is used as-is, without conversion to a canonical host name.
  • For a Kerberos principal name, specify gss_nt_krb5_name. This name type is supported only by the Kerberos mechanism and corresponds to object identifier {1 2 840 113554 1 2 2 1}. It is handled the same as GSS_C_NT_USER_NAME, except that internal name representations are not created for the SPKM and LIPKEY mechanisms.
  • For a principal structure created by the krb5_parse_name() routine, specify gss_nt_krb5_principal. This name type is supported only by the Kerberos mechanism and corresponds to object identifier {1 2 840 113554 1 2 2 2}.
  • For a user identifier, specify GSS_C_NT_STRING_UID_NAME for the string representation of the uid or GSS_C_NT_MACHINE_UID_NAME for the binary representation of the uid. These correspond to object identifiers {1 2 840 113554 1 2 1 3} and {1 2 840 113554 1 2 1 2} respectively. The uid is mapped to a host userid on the local system. For the Kerberos mechanism, the userid is then further mapped to a Kerberos principal. For the SPKM and LIPKEY mechanisms, the host userid becomes the user name.
The gss_OID data type holds an ISO object identifier, a tree-structured value, and has the following definition:
typedef struct gss_OID_desc_struct {
    OM_uint32                               length;
    void *                                  elements;
} gss_OID_desc, *gss_OID;

The elements field points to the first byte of an octet string containing the ASN.1 BER (Basic Encoding Rules) encoding of the object identifier's value. Only the contents octets are present: the OBJECT IDENTIFIER tag (0x06) and the length octet that precede them in a full BER encoding are not included. The length field contains the number of bytes in that octet string. Two OIDs are therefore equal exactly when their length fields match and their elements compare equal byte for byte.

The gss_OID_desc values returned by GSS-API routines are read-only. The application must not attempt to release them by calling the gss_release_oid() function.
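The following is an added example, not code from this page or from the GSS-API library, showing what the elements octets of a gss_OID_desc actually contain. It repeats the structure definition from above so that it builds without <gssapi/gssapi.h>, hand-encodes the gss_mech_krb5 and gss_mech_krb5_old mechanism OIDs from the list above (the names local_mech_krb5 and local_mech_krb5_old, and the functions oid_encode, oid_decode, oid_equal and oid_selftest, are this example's own), and converts between dotted arcs and the BER contents octets in both directions, rejecting a buffer that ends in the middle of a subidentifier.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The real definition comes from <gssapi/gssapi.h>; it is repeated here, as
 * given on this page, so the example builds without a GSS-API library. */
typedef uint32_t OM_uint32;
typedef struct gss_OID_desc_struct {
    OM_uint32 length;
    void     *elements;
} gss_OID_desc, *gss_OID;

/* Hand-encoded descriptors for two of the mechanism OIDs listed above.
 * Library headers provide equivalent read-only ones as gss_mech_krb5 and
 * gss_mech_krb5_old; these local copies are assumptions for the example. */
static unsigned char krb5_octets[]     = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02}; /* {1 2 840 113554 1 2 2} */
static unsigned char krb5_old_octets[] = {0x2b,0x05,0x01,0x05,0x02};                     /* {1 3 5 1 5 2} */
static gss_OID_desc local_mech_krb5     = {9, krb5_octets};
static gss_OID_desc local_mech_krb5_old = {5, krb5_old_octets};

/* Encode OID arcs as BER contents octets (no tag, no length byte): the first
 * two arcs fold into 40*X+Y; every subidentifier is base-128 big-endian with
 * the high bit set on all but its last octet. Returns bytes written, 0 on error. */
size_t oid_encode(const OM_uint32 *arcs, size_t narcs, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    if (narcs < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) return 0;
    for (size_t i = 1; i < narcs; i++) {
        uint32_t sub = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        unsigned char tmp[5];           /* a 32-bit value needs at most 5 base-128 digits */
        int k = 0;
        do { tmp[k++] = sub & 0x7f; sub >>= 7; } while (sub);
        if (n + (size_t)k > outlen) return 0;
        while (k--) out[n++] = tmp[k] | (k ? 0x80 : 0);
    }
    return n;
}

/* Decode a descriptor back into arcs. Rejects an empty element string, a
 * trailing continuation octet (truncated buffer) and subidentifier overflow.
 * Returns the arc count, 0 on error. */
size_t oid_decode(const gss_OID oid, OM_uint32 *arcs, size_t maxarcs)
{
    const unsigned char *p = oid->elements;
    size_t n = 0;
    uint32_t sub = 0;
    if (oid->length == 0 || (p[oid->length - 1] & 0x80)) return 0;
    for (OM_uint32 i = 0; i < oid->length; i++) {
        if (sub > (UINT32_MAX >> 7)) return 0;
        sub = (sub << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;      /* more octets of this subidentifier follow */
        if (n == 0) {                   /* split 40*X+Y; X is capped at 2 */
            uint32_t x = sub < 80 ? sub / 40 : 2;
            if (maxarcs < 2) return 0;
            arcs[0] = x; arcs[1] = sub - 40 * x; n = 2;
        } else {
            if (n >= maxarcs) return 0;
            arcs[n++] = sub;
        }
        sub = 0;
    }
    return n;
}

/* Two OIDs are equal only if the length and every octet match; this is the
 * comparison an acceptor makes on the mechanism it was handed. */
int oid_equal(const gss_OID a, const gss_OID b)
{
    return a->length == b->length && memcmp(a->elements, b->elements, a->length) == 0;
}

/* Self-test: encode the Kerberos mechanism arcs, compare with the hand-written
 * octets, decode them back, confirm the two Kerberos OIDs differ, and confirm
 * that a buffer cut off mid-subidentifier is rejected. Returns 1 on success. */
int oid_selftest(void)
{
    static const OM_uint32 krb5_arcs[] = {1, 2, 840, 113554, 1, 2, 2};
    unsigned char buf[32], bad[] = {0x2a, 0x86};   /* bad: 840 is missing its last octet */
    OM_uint32 arcs[16];
    size_t n = oid_encode(krb5_arcs, 7, buf, sizeof buf);
    gss_OID_desc d = {(OM_uint32)n, buf}, t = {2, bad};
    if (n != 9 || !oid_equal(&d, &local_mech_krb5)) return 0;
    if (oid_decode(&d, arcs, 16) != 7 || memcmp(arcs, krb5_arcs, sizeof krb5_arcs) != 0) return 0;
    if (oid_equal(&d, &local_mech_krb5_old)) return 0;
    if (oid_decode(&t, arcs, 16) != 0) return 0;
    return 1;
}

int main(void)
{
    OM_uint32 arcs[16];
    size_t n = oid_decode(&local_mech_krb5, arcs, 16);
    printf("gss_mech_krb5 = {");
    for (size_t i = 0; i < n; i++) printf("%s%u", i ? " " : "", (unsigned)arcs[i]);
    printf("}, selftest %s\n", oid_selftest() ? "ok" : "FAILED");
    return oid_selftest() ? 0 : 1;
}
```

The decoder's trailing-octet check is the one worth keeping in real code: a gss_OID_desc whose length has been miscounted, or whose elements buffer was copied short, leaves the last subidentifier with its continuation bit set, and a decoder that silently accepts it will report an OID that never existed.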