Consider the case where a server has received a name from a client and needs to look up that name in an access control list. An access control list, or ACL, is a list of principals with particular access permissions.
One way to do the lookup would be as follows:
1. Import the client name into GSS-API internal format with gss_import_name(), if the name has not already been imported.
   In some cases, the server will receive a name in internal format, so this step will not be necessary. For example, a server might look up the client's own name. During context initiation, the client's own name is passed in internal format.
2. Import each name in the ACL with gss_import_name().
3. Compare each imported ACL name with the imported client's name, using gss_compare_name().
This process is shown in the following figure. In this case, Step 1 is assumed to be needed.
The previous approach of comparing names individually is acceptable when there are only a few names. When there are a large number of names, using the gss_canonicalize_name() function is more efficient.
This approach uses the following steps:
1. Import the client's name with gss_import_name(), if the name has not already been imported.
   As with the previous method of comparing names, if the name is already in internal format, this step is unnecessary.
2. Use gss_canonicalize_name() to produce a mechanism name version of the client's name.
3. Use gss_export_name() to produce an exported name, which is the client's name as a contiguous string.
4. Compare the exported client's name with each name in the ACL by using memcmp(), which is a fast, low-overhead function.
This process is shown in the following figure. Again, assume that the server needs to import the name that is received from the client.
Because gss_export_name() expects a mechanism name (MN), you must run gss_canonicalize_name() on the client's name first.
See the gss_export_name(3GSS), gss_import_name(3GSS), and gss_canonicalize_name(3GSS) man pages for more information.