Consider the case where a server has received a name from a client and needs to look up that name in an access control list. An access control list, or ACL, is a list of principals with particular access permissions. One way to do the lookup would be as follows:
Import the client name into GSS-API internal format with gss_import_name(), if the name has not already been imported.
In some cases, the server will receive a name in internal format, so this step will not be necessary. For example, a server might look up the client's own name. During context initiation, the client's own name is passed in internal format.
Import each name in the ACL with gss_import_name().
This process is shown in the following figure. In this case, Step 1 is assumed to be needed.
The previous approach of comparing names individually is acceptable when there are only a few names. When there are a large number of names, using the gss_canonicalize_name() function is more efficient. This approach uses the following steps.
Import the client's name with gss_import_name(), if the name has not already been imported.
As with the previous method of comparing names, if the name is already in internal format, this step is unnecessary.
Use gss_canonicalize_name() to produce a mechanism name version of the client's name.
This process is shown in the following figure. Again, assume that the server needs to import the name that is received from the client.
Because gss_export_name() expects a mechanism name (MN), you must run gss_canonicalize_name() on the client's name first.