document ok_as_delegate in admin.texinfo

pull up r2293, r22304 from trunk

 ------------------------------------------------------------------------
 r22304 | ghudson | 2009-05-03 14:47:27 -0400 (Sun, 03 May 2009) | 2 lines
 Changed paths:
    M /trunk/doc/admin.texinfo

 Fix formatting of ok_as_delegate documentation in admin guide.
 ------------------------------------------------------------------------
 r22293 | ghudson | 2009-04-30 11:08:50 -0400 (Thu, 30 Apr 2009) | 2 lines
 Changed paths:
    M /trunk/doc/admin.texinfo

 Document ok_as_delegate in the admin guide.

ticket: 6485
tags: pullup
target_version: 1.7
version_fixed: 1.7

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22342 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index fbfa91f9555f7f7e8631936b65a5850b575aa8ca..0ca5d2568fc09c93b17f1bd9dff40a540c0173b4 100644 (file)
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -2274,6 +2274,14 @@ will probably never need to use this option.)
 ``+password_changing_service'' option sets the KRB5_KDB_PWCHANGE_SERVICE
 flag on the principal in the database.
 
+@item @{-|+@}ok_as_delegate
+The ``+ok_as_delegate'' option sets a flag in tickets issued for the
+service principal.  Some client programs may recognize this flag as
+indicating that it is okay to delegate credentials to the service.  If
+ok_as_delegate is set on a cross-realm TGT, it indicates that the
+foreign realm's ok_as_delegate flags should be honored by clients in
+the local realm.  The default is ``-ok_as_delegate''.
+
 @item -randkey
 Sets the key for the principal to a random value (@code{add_principal}
 only).  @value{COMPANY} recommends using this option for host keys.
@@ -3101,6 +3109,13 @@ hardware device before being allowed to kinit. (Sets the
 @samp{KRB5_KDB_REQURES_HW_AUTH} flag.)  @code{-requires_hwauth} clears
 this flag.
 
+@itemx @{-|+@}ok_as_delegate
+@code{+ok_as_delegate} sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+(Sets the @samp{KRB5_KDB_OK_AS_DELEGATE} flag.) @code{-ok_as_delegate} clears
+this flag.
+
 @itemx @{-|+@}allow_svr
 @code{-allow_svr} prohibits the issuance of service tickets for principals. (Sets the @samp{KRB5_KDB_DISALLOW_SVR} flag.) @code{+allow_svr} clears this flag.