[gnome-settings-daemon/wip/identity] wip: start to fold kerberos support into gsd



commit 98a4c291a7c40976eb0a5b42b3eb26f3c3091aef
Author: Ray Strode <rstrode redhat com>
Date:   Wed May 23 13:48:49 2012 -0400

    wip: start to fold kerberos support into gsd

 configure.ac                                       |   31 +
 data/Makefile.am                                   |    1 +
 ...tings-daemon.plugins.identity.gschema.xml.in.in |   14 +
 plugins/Makefile.am                                |    6 +
 plugins/identity/Makefile.am                       |  102 ++
 plugins/identity/gsd-alarm.c                       |  539 ++++++++
 plugins/identity/gsd-alarm.h                       |   67 +
 plugins/identity/gsd-identity-manager-private.h    |   47 +
 plugins/identity/gsd-identity-manager.c            |  204 +++
 plugins/identity/gsd-identity-manager.h            |  135 ++
 plugins/identity/gsd-identity-plugin.c             |  186 +++
 plugins/identity/gsd-identity-plugin.h             |   59 +
 plugins/identity/gsd-identity.c                    |   57 +
 plugins/identity/gsd-identity.h                    |   64 +
 plugins/identity/gsd-kerberos-identity-manager.c   | 1329 ++++++++++++++++++++
 plugins/identity/gsd-kerberos-identity-manager.h   |   61 +
 plugins/identity/gsd-kerberos-identity.c           |  905 +++++++++++++
 plugins/identity/gsd-kerberos-identity.h           |   85 ++
 plugins/identity/identity.gnome-settings-plugin.in |    8 +
 plugins/identity/test-identity.c                   |    7 +
 20 files changed, 3907 insertions(+), 0 deletions(-)
---
diff --git a/configure.ac b/configure.ac
index 65dc0d7..3bea571 100644
--- a/configure.ac
+++ b/configure.ac
@@ -290,6 +290,35 @@ fi
 
 AC_SUBST(NSS_DATABASE)
 
+dnl ==============================================
+dnl kerberos section
+dnl ==============================================
+AC_ARG_ENABLE([kerberos],
+              AS_HELP_STRING([--enable-kerberos], [Use Kerberos]),
+              [with_kerberos=$enableval],
+              [with_kerberos=no])
+
+AC_PATH_PROG([KRB5_CONFIG], krb5-config, none, $PATH:/usr/kerberos/bin)
+
+if test "x$KRB5_CONFIG" != "xnone"; then
+    KRB5_LIBS="`${KRB5_CONFIG} --libs krb5`"
+    KRB5_CFLAGS="`${KRB5_CONFIG} --cflags krb5`"
+    have_kerberos=yes
+else
+    KRB5_LIBS=""
+    KRB5_CFLAGS=""
+    have_kerberos=no
+fi
+AC_SUBST(KRB5_CFLAGS)
+AC_SUBST(KRB5_LIBS)
+
+if test "$with_kerberos" = "yes" ; then
+  if test "$have_kerberos" = "no" ; then
+      AC_MSG_ERROR([kerberos support requested, but not available])
+  fi
+  AC_DEFINE(HAVE_KERBEROS, 1, [Define to 1 if kerberos is available])
+fi
+AM_CONDITIONAL(BUILD_KERBEROS, [test x$with_kerberos = xyes])
 
 dnl ==============================================
 dnl power section
@@ -461,6 +490,7 @@ plugins/color/Makefile
 plugins/common/Makefile
 plugins/cursor/Makefile
 plugins/dummy/Makefile
+plugins/identity/Makefile
 plugins/power/Makefile
 plugins/housekeeping/Makefile
 plugins/keyboard/Makefile
@@ -482,6 +512,7 @@ data/org.gnome.settings-daemon.plugins.gschema.xml.in
 data/org.gnome.settings-daemon.plugins.xsettings.gschema.xml.in
 data/org.gnome.settings-daemon.plugins.keyboard.gschema.xml.in
 data/org.gnome.settings-daemon.plugins.power.gschema.xml.in
+data/org.gnome.settings-daemon.plugins.identity.gschema.xml.in
 data/org.gnome.settings-daemon.plugins.color.gschema.xml.in
 data/org.gnome.settings-daemon.plugins.media-keys.gschema.xml.in
 data/org.gnome.settings-daemon.peripherals.gschema.xml.in
diff --git a/data/Makefile.am b/data/Makefile.am
index 5fc9f64..1ea31ec 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -12,6 +12,7 @@ gsettings_SCHEMAS =							\
 	org.gnome.settings-daemon.plugins.keyboard.gschema.xml		\
 	org.gnome.settings-daemon.plugins.power.gschema.xml		\
 	org.gnome.settings-daemon.plugins.color.gschema.xml		\
+	org.gnome.settings-daemon.plugins.identity.gschema.xml		\
 	org.gnome.settings-daemon.plugins.media-keys.gschema.xml	\
 	org.gnome.settings-daemon.plugins.xsettings.gschema.xml		\
 	org.gnome.settings-daemon.plugins.housekeeping.gschema.xml	\
diff --git a/data/org.gnome.settings-daemon.plugins.identity.gschema.xml.in.in b/data/org.gnome.settings-daemon.plugins.identity.gschema.xml.in.in
new file mode 100644
index 0000000..caa5a4c
--- /dev/null
+++ b/data/org.gnome.settings-daemon.plugins.identity.gschema.xml.in.in
@@ -0,0 +1,14 @@
+<schemalist>
+  <schema gettext-domain="@GETTEXT_PACKAGE@" id="org.gnome.settings-daemon.plugins.identity" path="/org/gnome/settings-daemon/plugins/identity/">
+    <key name="active" type="b">
+      <default>true</default>
+      <_summary>Activation of this plugin</_summary>
+      <_description>Whether this plugin would be activated by gnome-settings-daemon or not</_description>
+    </key>
+    <key name="priority" type="i">
+      <default>1</default>
+      <_summary>Priority to use for this plugin</_summary>
+      <_description>Priority to use for this plugin in gnome-settings-daemon startup queue</_description>
+    </key>
+  </schema>
+</schemalist>
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index a4aa666..418c86e 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -33,6 +33,12 @@ else
 disabled_plugins += smartcard
 endif
 
+if BUILD_KERBEROS
+enabled_plugins += identity
+else
+disabled_plugins += identity
+endif
+
 if HAVE_GUDEV
 enabled_plugins += orientation
 else
diff --git a/plugins/identity/Makefile.am b/plugins/identity/Makefile.am
new file mode 100644
index 0000000..68a5d23
--- /dev/null
+++ b/plugins/identity/Makefile.am
@@ -0,0 +1,102 @@
+plugin_name = identity
+
+plugin_LTLIBRARIES = \
+	libidentity.la
+
+libidentity_la_SOURCES = \
+	gsd-identity-plugin.h            \
+	gsd-identity-plugin.c            \
+	gsd-alarm.h                      \
+	gsd-alarm.c                      \
+	gsd-identity.h                   \
+	gsd-identity.c                   \
+	gsd-kerberos-identity.c          \
+	gsd-identity-manager.h           \
+	gsd-identity-manager-private.h   \
+	gsd-identity-manager.c           \
+	gsd-kerberos-identity-manager.h  \
+	gsd-kerberos-identity-manager.c
+
+libidentity_la_CPPFLAGS = \
+	-I$(top_srcdir)/gnome-settings-daemon \
+	-DGNOME_SETTINGS_LOCALEDIR=\""$(datadir)/locale"\" \
+	-DSYSCONFDIR=\""$(sysconfdir)"\" \
+	-DLIBDIR=\""$(libdir)"\" \
+	-DGSD_SMARTCARD_MANAGER_NSS_DB=\""$(NSS_DATABASE)"\" \
+	$(AM_CPPFLAGS)
+
+libidentity_la_CFLAGS = \
+	$(PLUGIN_CFLAGS)	\
+	$(SETTINGS_PLUGIN_CFLAGS) \
+	$(GNOME_CFLAGS)	\
+	$(KRB5_CFLAGS)	\
+	$(AM_CFLAGS)
+
+libidentity_la_LDFLAGS = \
+	$(GSD_PLUGIN_LDFLAGS)
+
+libidentity_la_LIBADD = \
+	$(SETTINGS_PLUGIN_LIBS)	\
+	$(KRB5_LIBS)
+
+noinst_PROGRAMS =				\
+	test-identity
+
+test_identity_SOURCES =			\
+	gsd-alarm.h                      \
+	gsd-alarm.c                      \
+	gsd-identity.h                   \
+	gsd-identity.c                   \
+	gsd-kerberos-identity.c          \
+	gsd-identity-manager.h           \
+	gsd-identity-manager-private.h   \
+	gsd-identity-manager.c           \
+	gsd-kerberos-identity-manager.h  \
+	gsd-kerberos-identity-manager.c  \
+	test-identity.c			 \
+	$(NULL)
+
+test_identity_CPPFLAGS = \
+	-I$(top_srcdir)/data/					\
+	-I$(top_srcdir)/gnome-settings-daemon			\
+	-I$(top_srcdir)/plugins/common				\
+	-I$(top_srcdir)/plugins/media-keys/cut-n-paste		\
+	-DBINDIR=\"$(bindir)\"					\
+	-DPIXMAPDIR=\""$(pkgdatadir)"\"				\
+	-DGTKBUILDERDIR=\""$(pkgdatadir)"\"			\
+	-DGNOME_SETTINGS_LOCALEDIR=\""$(datadir)/locale"\"	\
+	$(AM_CPPFLAGS)
+
+test_identity_CFLAGS = \
+	$(PLUGIN_CFLAGS)	\
+	$(SETTINGS_PLUGIN_CFLAGS) \
+	$(GNOME_CFLAGS)	\
+	$(KRB5_CFLAGS)	\
+	$(AM_CFLAGS)
+
+test_identity_LDFLAGS = \
+	$(GSD_PLUGIN_LDFLAGS)
+
+test_identity_LDADD = \
+	$(top_builddir)/gnome-settings-daemon/libgsd.la		\
+	$(top_builddir)/plugins/common/libcommon.la			\
+	$(top_builddir)/plugins/media-keys/cut-n-paste/libgvc.la	\
+	$(SETTINGS_DAEMON_LIBS)			\
+	$(SETTINGS_PLUGIN_LIBS)	\
+	$(KRB5_LIBS)
+
+ GSD_INTLTOOL_PLUGIN_RULE@
+
+plugin_in_files = \
+	identity.gnome-settings-plugin.in
+
+plugin_DATA = $(plugin_in_files:.gnome-settings-plugin.in=.gnome-settings-plugin)
+
+EXTRA_DIST = \
+	$(plugin_in_files)
+
+CLEANFILES = \
+	$(plugin_DATA)
+
+DISTCLEANFILES = \
+	$(plugin_DATA)
diff --git a/plugins/identity/gsd-alarm.c b/plugins/identity/gsd-alarm.c
new file mode 100644
index 0000000..2f24a0b
--- /dev/null
+++ b/plugins/identity/gsd-alarm.c
@@ -0,0 +1,539 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Author: Ray Strode
+ * Based on work by Colin Walters
+ */
+
+#include "config.h"
+
+#include "gsd-alarm.h"
+
+#ifdef HAVE_TIMERFD
+#include <sys/timerfd.h>
+#endif
+
+#include <unistd.h>
+#include <string.h>
+
+#include <glib.h>
+#include <gio/gio.h>
+#include <gio/gunixinputstream.h>
+
+typedef struct {
+        GSource      *source;
+        GInputStream *stream;
+} Timer;
+
+typedef struct {
+        GSource *source;
+} Timeout;
+
+#define MAX_TIMEOUT_INTERVAL (10 * 1000)
+
+typedef enum {
+    GSD_ALARM_TYPE_UNSCHEDULED,
+    GSD_ALARM_TYPE_TIMER,
+    GSD_ALARM_TYPE_TIMEOUT,
+} GsdAlarmType;
+
+struct _GsdAlarmPrivate
+{
+        GCancellable *cancellable;
+        GDateTime    *time;
+        GDateTime    *previous_wakeup_time;
+        GMainContext *context;
+        GSource      *immediate_wakeup_source;
+
+        GsdAlarmType type;
+        union {
+                Timer   timer;
+                Timeout timeout;
+        };
+};
+
+enum {
+        FIRED,
+        REARMED,
+        NUMBER_OF_SIGNALS,
+};
+
+static void schedule_wakeups (GsdAlarm *self);
+static void schedule_wakeups_with_timeout_source (GsdAlarm *self);
+static guint signals[NUMBER_OF_SIGNALS] = { 0 };
+
+G_DEFINE_TYPE (GsdAlarm, gsd_alarm, G_TYPE_OBJECT);
+
+static void
+clear_scheduled_immediate_wakeup (GsdAlarm *self)
+{
+        if (self->priv->immediate_wakeup_source != NULL) {
+                g_source_destroy (self->priv->immediate_wakeup_source);
+                g_source_unref (self->priv->immediate_wakeup_source);
+                self->priv->immediate_wakeup_source = NULL;
+        }
+}
+
+static void
+clear_scheduled_timer_wakeups (GsdAlarm *self)
+{
+#ifdef HAVE_TIMERFD
+        GError *error;
+        gboolean is_closed;
+
+        if (self->priv->timer.stream == NULL) {
+                return;
+        }
+
+        g_source_destroy (self->priv->timer.source);
+        g_source_unref (self->priv->timer.source);
+        self->priv->timer.source = NULL;
+
+        error = NULL;
+        is_closed = g_input_stream_close (self->priv->timer.stream,
+                                          NULL,
+                                          &error);
+
+        if (!is_closed) {
+                g_warning ("GsdAlarm: could not close timer stream: %s",
+                           error->message);
+                g_error_free (error);
+        }
+
+        g_object_unref (self->priv->timer.stream);
+        self->priv->timer.stream = NULL;
+
+#endif
+}
+
+static void
+clear_scheduled_timeout_wakeups (GsdAlarm *self)
+{
+        if (self->priv->timeout.source != NULL) {
+                g_source_destroy (self->priv->timeout.source);
+                g_source_unref (self->priv->timeout.source);
+                self->priv->timeout.source = NULL;
+        }
+}
+
+static void
+clear_scheduled_wakeups (GsdAlarm *self)
+{
+        clear_scheduled_immediate_wakeup (self);
+
+        switch (self->priv->type) {
+                case GSD_ALARM_TYPE_TIMER:
+                        clear_scheduled_timer_wakeups (self);
+                        break;
+
+                case GSD_ALARM_TYPE_TIMEOUT:
+                        clear_scheduled_timeout_wakeups (self);
+                        break;
+
+                default:
+                        break;
+        }
+
+        if (self->priv->cancellable != NULL) {
+                if (!g_cancellable_is_cancelled (self->priv->cancellable)) {
+                        g_cancellable_cancel (self->priv->cancellable);
+                }
+
+                g_object_unref (self->priv->cancellable);
+                self->priv->cancellable = NULL;
+        }
+
+        if (self->priv->context != NULL) {
+                g_main_context_unref (self->priv->context);
+                self->priv->context = NULL;
+        }
+
+        if (self->priv->previous_wakeup_time != NULL) {
+                g_date_time_unref (self->priv->previous_wakeup_time);
+                self->priv->previous_wakeup_time = NULL;
+        }
+
+        self->priv->type = GSD_ALARM_TYPE_UNSCHEDULED;
+}
+
+static void
+gsd_alarm_finalize (GObject *object)
+{
+        GsdAlarm *self = GSD_ALARM (object);
+
+        if (self->priv->cancellable != NULL &&
+            !g_cancellable_is_cancelled (self->priv->cancellable)) {
+                g_cancellable_cancel (self->priv->cancellable);
+        }
+
+        clear_scheduled_wakeups (self);
+
+        if (self->priv->time != NULL) {
+                g_date_time_unref (self->priv->time);
+        }
+
+        if (self->priv->previous_wakeup_time != NULL) {
+                g_date_time_unref (self->priv->previous_wakeup_time);
+        }
+
+        G_OBJECT_CLASS (gsd_alarm_parent_class)->finalize (object);
+}
+
+static void
+gsd_alarm_class_init (GsdAlarmClass *klass)
+{
+        GObjectClass *object_class;
+
+        object_class = G_OBJECT_CLASS (klass);
+
+        object_class->finalize = gsd_alarm_finalize;
+
+        g_type_class_add_private (klass, sizeof (GsdAlarmPrivate));
+
+        signals[FIRED] = g_signal_new ("fired",
+                                       G_TYPE_FROM_CLASS (klass),
+                                       G_SIGNAL_RUN_LAST,
+                                       0,
+                                       NULL, NULL, NULL,
+                                       G_TYPE_NONE, 0);
+
+        signals[REARMED] = g_signal_new ("rearmed",
+                                         G_TYPE_FROM_CLASS (klass),
+                                         G_SIGNAL_RUN_LAST,
+                                         0,
+                                         NULL, NULL, NULL,
+                                         G_TYPE_NONE, 0);
+}
+
+static void
+gsd_alarm_init (GsdAlarm *self)
+{
+        self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+                                                  GSD_TYPE_ALARM,
+                                                  GsdAlarmPrivate);
+        self->priv->type = GSD_ALARM_TYPE_UNSCHEDULED;
+}
+
+static void
+on_cancelled (GCancellable *cancellable,
+              gpointer      user_data)
+{
+        GsdAlarm *self = GSD_ALARM (user_data);
+
+        clear_scheduled_wakeups (self);
+}
+
+static void
+fire_alarm (GsdAlarm *self)
+{
+        g_signal_emit (G_OBJECT (self), signals[FIRED], 0);
+}
+
+static void
+rearm_alarm (GsdAlarm *self)
+{
+        g_signal_emit (G_OBJECT (self), signals[REARMED], 0);
+}
+
+static void
+fire_or_rearm_alarm (GsdAlarm *self)
+{
+        GTimeSpan  time_until_fire;
+        GTimeSpan  previous_time_until_fire;
+        GDateTime *now;
+
+        now = g_date_time_new_now_local ();
+        time_until_fire = g_date_time_difference (self->priv->time, now);
+
+        if (self->priv->previous_wakeup_time == NULL) {
+                self->priv->previous_wakeup_time = now;
+
+                /* If, according to the time, we're past when we should have fired,
+                 * then fire the alarm.
+                 */
+                if (time_until_fire <= 0) {
+                        fire_alarm (self);
+                }
+        } else {
+                previous_time_until_fire = g_date_time_difference (self->priv->time,
+                                                                   self->priv->previous_wakeup_time);
+
+                g_date_time_unref (self->priv->previous_wakeup_time);
+                self->priv->previous_wakeup_time = now;
+
+                /* If, according to the time, we're past when we should have fired,
+                 * and this is the first wakeup where that's been true then fire
+                 * the alarm. The first check makes sure we don't fire prematurely,
+                 * and the second check makes sure we don't fire more than once
+                 */
+                if (time_until_fire <= 0 && previous_time_until_fire > 0) {
+                        fire_alarm (self);
+
+                /* If, according to the time, we're before when we should fire,
+                 * and we previously fired the alarm, then we've jumped back in
+                 * time and need to rearm the alarm.
+                 */
+                } else if (time_until_fire > 0 && previous_time_until_fire <= 0) {
+                        rearm_alarm (self);
+                }
+        }
+}
+
+static gboolean
+on_immediate_wakeup_source_ready (GsdAlarm *self)
+{
+        g_return_val_if_fail (self->priv->type != GSD_ALARM_TYPE_UNSCHEDULED, FALSE);
+
+        if (g_cancellable_is_cancelled (self->priv->cancellable)) {
+                return FALSE;
+        }
+
+        fire_or_rearm_alarm (self);
+
+        return FALSE;
+}
+
+#ifdef HAVE_TIMERFD
+static gboolean
+on_timer_source_ready (GObject  *stream,
+                       GsdAlarm *self)
+{
+        gint64 number_of_fires;
+        gssize bytes_read;
+
+        g_return_val_if_fail (GSD_IS_ALARM (self), FALSE);
+        g_return_val_if_fail (self->priv->type == GSD_ALARM_TYPE_TIMER, FALSE);
+
+        if (g_cancellable_is_cancelled (self->priv->cancellable)) {
+                return FALSE;
+        }
+
+        bytes_read = g_pollable_input_stream_read_nonblocking (G_POLLABLE_INPUT_STREAM (stream),
+                                                               &number_of_fires,
+                                                               sizeof (gint64),
+                                                               NULL,
+                                                               NULL);
+
+        if (bytes_read == sizeof (gint64)) {
+                if (number_of_fires < 0 || number_of_fires > 1) {
+                        g_warning ("GsdAlarm: expected timerfd to report firing once,"
+                                   "but it reported firing %ld times\n",
+                                   (long) number_of_fires);
+                }
+        }
+
+        fire_or_rearm_alarm (self);
+        return TRUE;
+}
+#endif
+
+static gboolean
+schedule_wakeups_with_timerfd (GsdAlarm *self)
+{
+#ifdef HAVE_TIMERFD
+        struct itimerspec timer_spec;
+        int fd;
+        int result;
+        static gboolean seen_before = FALSE;
+
+        if (!seen_before) {
+                g_debug ("GsdAlarm: trying to use kernel timer");
+                seen_before = TRUE;
+        }
+
+        fd = timerfd_create (CLOCK_REALTIME, TFD_CLOEXEC | TFD_NONBLOCK);
+
+        if (fd < 0) {
+                g_debug ("GsdAlarm: could not create timer fd: %m");
+                return FALSE;
+        }
+
+        memset (&timer_spec, 0, sizeof (timer_spec));
+        timer_spec.it_value.tv_sec = g_date_time_to_unix (self->priv->time) + 1;
+
+        result = timerfd_settime (fd,
+                                  TFD_TIMER_ABSTIME | TFD_TIMER_CANCEL_ON_SET,
+                                  &timer_spec,
+                                  NULL);
+
+        if (result < 0) {
+                g_debug ("GsdAlarm: could not set timer: %m");
+                return FALSE;
+        }
+
+        self->priv->type = GSD_ALARM_TYPE_TIMER;
+        self->priv->timer.stream = g_unix_input_stream_new (fd, TRUE);
+
+        self->priv->timer.source = g_pollable_input_stream_create_source (G_POLLABLE_INPUT_STREAM (self->priv->timer.stream),
+                                                                          self->priv->cancellable);
+        g_source_set_callback (self->priv->timer.source,
+                               (GSourceFunc)
+                               on_timer_source_ready,
+                               g_object_ref (self),
+                               (GDestroyNotify)
+                               g_object_unref);
+        g_source_attach (self->priv->timer.source,
+                         self->priv->context);
+
+        return TRUE;
+
+#endif /* HAVE_TIMERFD */
+
+    return FALSE;
+}
+
+static gboolean
+on_timeout_source_ready (GsdAlarm *self)
+{
+        g_return_val_if_fail (GSD_IS_ALARM (self), FALSE);
+        g_return_val_if_fail (self->priv->type != GSD_ALARM_TYPE_UNSCHEDULED, FALSE);
+        g_return_val_if_fail (self->priv->type == GSD_ALARM_TYPE_TIMEOUT, FALSE);
+
+        if (g_cancellable_is_cancelled (self->priv->cancellable)) {
+                return FALSE;
+        }
+
+        fire_or_rearm_alarm (self);
+
+        if (g_cancellable_is_cancelled (self->priv->cancellable)) {
+                return FALSE;
+        }
+
+        schedule_wakeups_with_timeout_source (self);
+
+        return FALSE;
+}
+
+static void
+schedule_wakeups_with_timeout_source (GsdAlarm *self)
+{
+        GDateTime *now;
+        GTimeSpan time_span;
+        guint interval;
+
+        self->priv->type = GSD_ALARM_TYPE_TIMEOUT;
+
+        now = g_date_time_new_now_local ();
+        time_span = g_date_time_difference (self->priv->time, now);
+        g_date_time_unref (now);
+
+        time_span = CLAMP (time_span, 1000 * G_TIME_SPAN_MILLISECOND, G_MAXUINT * G_TIME_SPAN_MILLISECOND);
+        interval = (guint) time_span / G_TIME_SPAN_MILLISECOND;
+
+        /* We poll every 10 seconds or so because we want to catch time skew
+         */
+        interval = MIN (interval, MAX_TIMEOUT_INTERVAL);
+
+        self->priv->timeout.source = g_timeout_source_new (interval);
+        g_source_set_callback (self->priv->timeout.source,
+                               (GSourceFunc)
+                               on_timeout_source_ready,
+                               g_object_ref (self),
+                               (GDestroyNotify)
+                               g_object_unref);
+
+        g_source_attach (self->priv->timeout.source,
+                         self->priv->context);
+}
+
+static void
+schedule_wakeups (GsdAlarm *self)
+{
+        gboolean wakeup_scheduled;
+
+        wakeup_scheduled = schedule_wakeups_with_timerfd (self);
+
+        if (!wakeup_scheduled) {
+                static gboolean seen_before = FALSE;
+
+                if (!seen_before) {
+                        g_debug ("GsdAlarm: falling back to polling timeout");
+                        seen_before = TRUE;
+                }
+                schedule_wakeups_with_timeout_source (self);
+        }
+}
+
+static void
+schedule_immediate_wakeup (GsdAlarm *self)
+{
+        self->priv->immediate_wakeup_source = g_idle_source_new ();
+
+        g_source_set_callback (self->priv->immediate_wakeup_source,
+                               (GSourceFunc)
+                               on_immediate_wakeup_source_ready,
+                               g_object_ref (self),
+                               (GDestroyNotify)
+                               g_object_unref);
+        g_source_attach (self->priv->immediate_wakeup_source,
+                         self->priv->context);
+}
+
+void
+gsd_alarm_set_time (GsdAlarm     *self,
+                    GDateTime    *time,
+                    GCancellable *cancellable)
+{
+        if (g_cancellable_is_cancelled (cancellable)) {
+                return;
+        }
+
+        if (self->priv->cancellable != NULL) {
+                if (!g_cancellable_is_cancelled (self->priv->cancellable)) {
+                        g_cancellable_cancel (cancellable);
+                }
+
+                g_object_unref (self->priv->cancellable);
+                self->priv->cancellable = NULL;
+        }
+
+        if (cancellable == NULL) {
+                self->priv->cancellable = g_cancellable_new ();
+        } else {
+                self->priv->cancellable = g_object_ref (cancellable);
+        }
+
+        g_cancellable_connect (self->priv->cancellable,
+                               G_CALLBACK (on_cancelled),
+                               self,
+                               NULL);
+        self->priv->time = g_date_time_ref (time);
+        self->priv->context = g_main_context_ref (g_main_context_default ());
+
+        schedule_wakeups (self);
+
+        /* Wake up right away, in case it's already expired leaving the gate */
+        schedule_immediate_wakeup (self);
+}
+
+GDateTime *
+gsd_alarm_get_time (GsdAlarm *self)
+{
+        return self->priv->time;
+}
+
+GsdAlarm *
+gsd_alarm_new (void)
+{
+        GsdAlarm *self;
+
+        self = GSD_ALARM (g_object_new (GSD_TYPE_ALARM, NULL));
+
+        return GSD_ALARM (self);
+}
diff --git a/plugins/identity/gsd-alarm.h b/plugins/identity/gsd-alarm.h
new file mode 100644
index 0000000..da17d4c
--- /dev/null
+++ b/plugins/identity/gsd-alarm.h
@@ -0,0 +1,67 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GSD_ALARM_H__
+#define __GSD_ALARM_H__
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gio/gio.h>
+
+G_BEGIN_DECLS
+
+#define GSD_TYPE_ALARM             (gsd_alarm_get_type ())
+#define GSD_ALARM(obj)             (G_TYPE_CHECK_INSTANCE_CAST ((obj), GSD_TYPE_ALARM, GsdAlarm))
+#define GSD_ALARM_CLASS(klass)     (G_TYPE_CHECK_CLASS_CAST ((klass), GSD_TYPE_ALARM, GsdAlarmClass))
+#define GSD_IS_ALARM(obj)          (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GSD_TYPE_ALARM))
+#define GSD_IS_ALARM_CLASS(klass)  (G_TYPE_CHECK_CLASS_TYPE ((klass), GSD_TYPE_ALARM))
+#define GSD_ALARM_GET_CLASS(obj)   (G_TYPE_INSTANCE_GET_CLASS((obj), GSD_TYPE_ALARM, GsdAlarmClass))
+
+typedef struct _GsdAlarm        GsdAlarm;
+typedef struct _GsdAlarmClass   GsdAlarmClass;
+typedef struct _GsdAlarmPrivate GsdAlarmPrivate;
+
+struct _GsdAlarm
+{
+        GObject parent;
+
+        GsdAlarmPrivate *priv;
+};
+
+struct _GsdAlarmClass
+{
+        GObjectClass parent_class;
+
+        void     (* fired)       (GsdAlarm *alarm);
+        void     (* rearmed)     (GsdAlarm *alarm);
+};
+
+GType         gsd_alarm_get_type (void);
+
+GsdAlarm     *gsd_alarm_new      (void);
+void          gsd_alarm_set_time (GsdAlarm     *alarm,
+                                  GDateTime    *time,
+                                  GCancellable *cancellable);
+GDateTime    *gsd_alarm_get_time (GsdAlarm     *alarm);
+G_END_DECLS
+
+#endif /* __GSD_ALARM_H__ */
diff --git a/plugins/identity/gsd-identity-manager-private.h b/plugins/identity/gsd-identity-manager-private.h
new file mode 100644
index 0000000..80b4308
--- /dev/null
+++ b/plugins/identity/gsd-identity-manager-private.h
@@ -0,0 +1,47 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GSD_IDENTITY_MANAGER_PRIVATE_H__
+#define __GSD_IDENTITY_MANAGER_PRIVATE_H__
+
+#include <glib.h>
+#include <glib-object.h>
+
+#include "gsd-identity-manager.h"
+
+G_BEGIN_DECLS
+
+void      _gsd_identity_manager_emit_identity_added (GsdIdentityManager *identity_manager,
+                                                     GsdIdentity        *identity);
+void      _gsd_identity_manager_emit_identity_removed (GsdIdentityManager *identity_manager,
+                                                       GsdIdentity        *identity);
+void      _gsd_identity_manager_emit_identity_refreshed (GsdIdentityManager *identity_manager,
+                                                         GsdIdentity        *identity);
+void      _gsd_identity_manager_emit_identity_renamed (GsdIdentityManager *identity_manager,
+                                                       GsdIdentity        *identity);
+void      _gsd_identity_manager_emit_identity_needs_renewal (GsdIdentityManager *identity_manager,
+                                                             GsdIdentity        *identity);
+void      _gsd_identity_manager_emit_identity_expired (GsdIdentityManager *identity_manager,
+                                                       GsdIdentity        *identity);
+G_END_DECLS
+
+#endif /* __GSD_IDENTITY_MANAGER_PRIVATE_H__ */
diff --git a/plugins/identity/gsd-identity-manager.c b/plugins/identity/gsd-identity-manager.c
new file mode 100644
index 0000000..5249d2c
--- /dev/null
+++ b/plugins/identity/gsd-identity-manager.c
@@ -0,0 +1,204 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include <glib-object.h>
+#include <glib/gi18n.h>
+#include <gio/gio.h>
+
+#include "gsd-identity-manager.h"
+#include "gsd-identity-manager-private.h"
+
+enum {
+        IDENTITY_ADDED,
+        IDENTITY_REMOVED,
+        IDENTITY_RENAMED,
+        IDENTITY_REFRESHED,
+        IDENTITY_NEEDS_RENEWAL,
+        IDENTITY_EXPIRED,
+        NUMBER_OF_SIGNALS,
+};
+
+static guint signals[NUMBER_OF_SIGNALS] = { 0 };
+
+G_DEFINE_INTERFACE (GsdIdentityManager, gsd_identity_manager, G_TYPE_OBJECT);
+
+static void
+gsd_identity_manager_default_init (GsdIdentityManagerInterface *interface)
+{
+      signals[IDENTITY_ADDED] = g_signal_new ("identity-added",
+                                              G_TYPE_FROM_INTERFACE (interface),
+                                              G_SIGNAL_RUN_LAST,
+                                              G_STRUCT_OFFSET (GsdIdentityManagerInterface, identity_added),
+                                              NULL, NULL, NULL,
+                                              G_TYPE_NONE, 1, GSD_TYPE_IDENTITY);
+      signals[IDENTITY_REMOVED] = g_signal_new ("identity-removed",
+                                                G_TYPE_FROM_INTERFACE (interface),
+                                                G_SIGNAL_RUN_LAST,
+                                                G_STRUCT_OFFSET (GsdIdentityManagerInterface, identity_removed),
+                                                NULL, NULL, NULL,
+                                                G_TYPE_NONE, 1, GSD_TYPE_IDENTITY);
+      signals[IDENTITY_REFRESHED] = g_signal_new ("identity-refreshed",
+                                                  G_TYPE_FROM_INTERFACE (interface),
+                                                  G_SIGNAL_RUN_LAST,
+                                                  G_STRUCT_OFFSET (GsdIdentityManagerInterface, identity_refreshed),
+                                                  NULL, NULL, NULL,
+                                                  G_TYPE_NONE, 1, GSD_TYPE_IDENTITY);
+      signals[IDENTITY_RENAMED] = g_signal_new ("identity-renamed",
+                                                G_TYPE_FROM_INTERFACE (interface),
+                                                G_SIGNAL_RUN_LAST,
+                                                G_STRUCT_OFFSET (GsdIdentityManagerInterface, identity_renamed),
+                                                NULL, NULL, NULL,
+                                                G_TYPE_NONE, 1, GSD_TYPE_IDENTITY);
+      signals[IDENTITY_NEEDS_RENEWAL] = g_signal_new ("identity-needs-renewal",
+                                                      G_TYPE_FROM_INTERFACE (interface),
+                                                      G_SIGNAL_RUN_LAST,
+                                                      G_STRUCT_OFFSET (GsdIdentityManagerInterface, identity_needs_renewal),
+                                                      NULL, NULL, NULL,
+                                                      G_TYPE_NONE, 1, GSD_TYPE_IDENTITY);
+      signals[IDENTITY_EXPIRED] = g_signal_new ("identity-expired",
+                                                G_TYPE_FROM_INTERFACE (interface),
+                                                G_SIGNAL_RUN_LAST,
+                                                G_STRUCT_OFFSET (GsdIdentityManagerInterface, identity_expired),
+                                                NULL, NULL, NULL,
+                                                G_TYPE_NONE, 1, GSD_TYPE_IDENTITY);
+}
+
+GQuark
+gsd_identity_manager_error_quark (void)
+{
+        static GQuark error_quark = 0;
+
+        if (error_quark == 0) {
+                error_quark = g_quark_from_static_string ("gsd-identity-manager-error");
+        }
+
+        return error_quark;
+}
+
+void
+gsd_identity_manager_list_identities (GsdIdentityManager   *self,
+                                      GCancellable         *cancellable,
+                                      GAsyncReadyCallback   callback,
+                                      gpointer              user_data)
+{
+        GSD_IDENTITY_MANAGER_GET_IFACE (self)->list_identities (self,
+                                                               cancellable,
+                                                               callback,
+                                                               user_data);
+}
+
+GList *
+gsd_identity_manager_list_identities_finish (GsdIdentityManager  *self,
+                                             GAsyncResult        *result,
+                                             GError             **error)
+{
+        return GSD_IDENTITY_MANAGER_GET_IFACE (self)->list_identities_finish (self,
+                                                                             result,
+                                                                             error);
+}
+
+void
+gsd_identity_manager_renew_identity (GsdIdentityManager   *self,
+                                     GsdIdentity          *identity,
+                                     GCancellable         *cancellable,
+                                     GAsyncReadyCallback   callback,
+                                     gpointer              user_data)
+{
+        GSD_IDENTITY_MANAGER_GET_IFACE (self)->renew_identity (self, identity, cancellable, callback, user_data);
+}
+
+void
+gsd_identity_manager_renew_identity_finish (GsdIdentityManager  *self,
+                                            GAsyncResult        *result,
+                                            GError             **error)
+{
+        GSD_IDENTITY_MANAGER_GET_IFACE (self)->renew_identity_finish (self, result, error);
+}
+
+void
+gsd_identity_manager_sign_identity_out (GsdIdentityManager   *self,
+                                        GsdIdentity          *identity,
+                                        GCancellable         *cancellable,
+                                        GAsyncReadyCallback   callback,
+                                        gpointer              user_data)
+{
+        GSD_IDENTITY_MANAGER_GET_IFACE (self)->sign_identity_out (self, identity, cancellable, callback, user_data);
+}
+
+void
+gsd_identity_manager_sign_identity_out_finish (GsdIdentityManager  *self,
+                                               GAsyncResult        *result,
+                                               GError             **error)
+{
+        GSD_IDENTITY_MANAGER_GET_IFACE (self)->sign_identity_out_finish (self, result, error);
+}
+
+char *
+gsd_identity_manager_name_identity (GsdIdentityManager *self,
+                                    GsdIdentity        *identity)
+{
+        return GSD_IDENTITY_MANAGER_GET_IFACE (self)->name_identity (self,
+                                                                     identity);
+}
+
+void
+_gsd_identity_manager_emit_identity_added (GsdIdentityManager *self,
+                                           GsdIdentity        *identity)
+{
+        g_signal_emit (G_OBJECT (self), signals[IDENTITY_ADDED], 0, identity);
+}
+
+void
+_gsd_identity_manager_emit_identity_removed (GsdIdentityManager *self,
+                                             GsdIdentity        *identity)
+{
+        g_signal_emit (G_OBJECT (self), signals[IDENTITY_REMOVED], 0, identity);
+}
+
+void
+_gsd_identity_manager_emit_identity_renamed (GsdIdentityManager *self,
+                                             GsdIdentity        *identity)
+{
+        g_signal_emit (G_OBJECT (self), signals[IDENTITY_RENAMED], 0, identity);
+}
+
+void
+_gsd_identity_manager_emit_identity_refreshed (GsdIdentityManager *self,
+                                               GsdIdentity        *identity)
+{
+        g_signal_emit (G_OBJECT (self), signals[IDENTITY_REFRESHED], 0, identity);
+}
+
+void
+_gsd_identity_manager_emit_identity_needs_renewal (GsdIdentityManager *self,
+                                                   GsdIdentity        *identity)
+{
+        g_signal_emit (G_OBJECT (self), signals[IDENTITY_NEEDS_RENEWAL], 0, identity);
+}
+
+void
+_gsd_identity_manager_emit_identity_expired (GsdIdentityManager *self,
+                                             GsdIdentity        *identity)
+{
+        g_signal_emit (G_OBJECT (self), signals[IDENTITY_EXPIRED], 0, identity);
+}
+
diff --git a/plugins/identity/gsd-identity-manager.h b/plugins/identity/gsd-identity-manager.h
new file mode 100644
index 0000000..1bce128
--- /dev/null
+++ b/plugins/identity/gsd-identity-manager.h
@@ -0,0 +1,135 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GSD_IDENTITY_MANAGER_H__
+#define __GSD_IDENTITY_MANAGER_H__
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gio/gio.h>
+
+#include "gsd-identity.h"
+
+G_BEGIN_DECLS
+
+#define GSD_TYPE_IDENTITY_MANAGER             (gsd_identity_manager_get_type ())
+#define GSD_IDENTITY_MANAGER(obj)             (G_TYPE_CHECK_INSTANCE_CAST ((obj), GSD_TYPE_IDENTITY_MANAGER, GsdIdentityManager))
+#define GSD_IDENTITY_MANAGER_CLASS(klass)     (G_TYPE_CHECK_CLASS_CAST ((klass), GSD_TYPE_IDENTITY_MANAGER, GsdIdentityManagerInterface))
+#define GSD_IS_IDENTITY_MANAGER(obj)          (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GSD_TYPE_IDENTITY_MANAGER))
+#define GSD_IDENTITY_MANAGER_GET_IFACE(obj)   (G_TYPE_INSTANCE_GET_INTERFACE((obj), GSD_TYPE_IDENTITY_MANAGER, GsdIdentityManagerInterface))
+#define GSD_IDENTITY_MANAGER_ERROR            (gsd_identity_manager_error_quark ())
+
+typedef struct _GsdIdentityManager          GsdIdentityManager;
+typedef struct _GsdIdentityManagerInterface GsdIdentityManagerInterface;
+typedef enum   _GsdIdentityManagerError     GsdIdentityManagerError;
+
+struct _GsdIdentityManagerInterface
+{
+        GTypeInterface base_interface;
+
+        /* Signals */
+        void      (* identity_added)    (GsdIdentityManager *identity_manager,
+                                         GsdIdentity        *identity);
+
+        void      (* identity_removed)  (GsdIdentityManager *identity_manager,
+                                         GsdIdentity        *identity);
+        void      (* identity_renamed)  (GsdIdentityManager *identity_manager,
+                                         GsdIdentity        *identity);
+        void      (* identity_refreshed)  (GsdIdentityManager *identity_manager,
+                                           GsdIdentity        *identity);
+        void      (* identity_needs_renewal)  (GsdIdentityManager *identity_manager,
+                                               GsdIdentity        *identity);
+        void      (* identity_expired)  (GsdIdentityManager *identity_manager,
+                                         GsdIdentity        *identity);
+
+        /* Virtual Functions */
+        void      (* list_identities)        (GsdIdentityManager   *identity_manager,
+                                              GCancellable        *cancellable,
+                                              GAsyncReadyCallback  callback,
+                                              gpointer             user_data);
+        GList *   (* list_identities_finish) (GsdIdentityManager  *identity_manager,
+                                              GAsyncResult       *result,
+                                              GError            **error);
+
+        void      (* renew_identity)     (GsdIdentityManager   *identity_manager,
+                                          GsdIdentity          *identity,
+                                          GCancellable        *cancellable,
+                                          GAsyncReadyCallback  callback,
+                                          gpointer             user_data);
+        void      (* renew_identity_finish)  (GsdIdentityManager  *identity_manager,
+                                              GAsyncResult       *result,
+                                              GError            **error);
+
+        void      (* sign_identity_out)  (GsdIdentityManager   *identity_manager,
+                                          GsdIdentity          *identity,
+                                          GCancellable        *cancellable,
+                                          GAsyncReadyCallback  callback,
+                                          gpointer             user_data);
+        void      (* sign_identity_out_finish)  (GsdIdentityManager  *identity_manager,
+                                                 GAsyncResult       *result,
+                                                 GError            **error);
+
+        char  *   (* name_identity)      (GsdIdentityManager *identity_manager,
+                                          GsdIdentity        *identity);
+};
+
+enum _GsdIdentityManagerError {
+        GSD_IDENTITY_MANAGER_ERROR_INITIALIZING,
+        GSD_IDENTITY_MANAGER_ERROR_MONITORING,
+        GSD_IDENTITY_MANAGER_ERROR_SIGNING_OUT
+};
+
+GType      gsd_identity_manager_get_type         (void);
+GQuark     gsd_identity_manager_error_quark      (void);
+
+void       gsd_identity_manager_list_identities  (GsdIdentityManager   *identity_manager,
+                                                  GCancellable         *cancellable,
+                                                  GAsyncReadyCallback   callback,
+                                                  gpointer              user_data);
+GList *    gsd_identity_manager_list_identities_finish  (GsdIdentityManager  *identity_manager,
+                                                         GAsyncResult        *result,
+                                                         GError             **error);
+
+void       gsd_identity_manager_sign_identity_out    (GsdIdentityManager   *identity_manager,
+                                                      GsdIdentity          *identity,
+                                                      GCancellable         *cancellable,
+                                                      GAsyncReadyCallback   callback,
+                                                      gpointer              user_data);
+void       gsd_identity_manager_sign_identity_out_finish (GsdIdentityManager *identity_manager,
+                                                          GAsyncResult       *result,
+                                                          GError            **error);
+
+void       gsd_identity_manager_renew_identity (GsdIdentityManager   *identity_manager,
+                                                GsdIdentity          *identity,
+                                                GCancellable         *cancellable,
+                                                GAsyncReadyCallback   callback,
+                                                gpointer              user_data);
+void       gsd_identity_manager_renew_identity_finish (GsdIdentityManager *identity_manager,
+                                                       GAsyncResult       *result,
+                                                       GError            **error);
+
+char      *gsd_identity_manager_name_identity (GsdIdentityManager *identity_manager,
+                                               GsdIdentity        *identity);
+
+G_END_DECLS
+
+#endif /* __GSD_IDENTITY_MANAGER_H__ */
diff --git a/plugins/identity/gsd-identity-plugin.c b/plugins/identity/gsd-identity-plugin.c
new file mode 100644
index 0000000..64c2917
--- /dev/null
+++ b/plugins/identity/gsd-identity-plugin.c
@@ -0,0 +1,186 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#include "config.h"
+
+#include <glib/gi18n-lib.h>
+#include <gmodule.h>
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gio/gio.h>
+
+#include <libnotify/notify.h>
+
+#include "gnome-settings-plugin.h"
+#include "gsd-identity-plugin.h"
+#include "gsd-identity-manager.h"
+#include "gsd-kerberos-identity-manager.h"
+
+struct GsdIdentityPluginPrivate {
+        GsdIdentityManager *identity_manager;
+};
+
+#define GSD_IDENTITY_PLUGIN_GET_PRIVATE(object) (G_TYPE_INSTANCE_GET_PRIVATE ((object), GSD_TYPE_IDENTITY_PLUGIN, GsdIdentityPluginPrivate))
+
+GNOME_SETTINGS_PLUGIN_REGISTER (GsdIdentityPlugin, gsd_identity_plugin);
+
+static void
+gsd_identity_plugin_init (GsdIdentityPlugin *self)
+{
+        self->priv = GSD_IDENTITY_PLUGIN_GET_PRIVATE (self);
+
+        g_debug ("GsdIdentityPlugin initializing");
+}
+
+static void
+gsd_identity_plugin_finalize (GObject *object)
+{
+        GsdIdentityPlugin *self;
+
+        g_return_if_fail (object != NULL);
+        g_return_if_fail (GSD_IS_IDENTITY_PLUGIN (object));
+
+        g_debug ("GsdIdentityPlugin: finalizing");
+
+        self = GSD_IDENTITY_PLUGIN (object);
+
+        g_return_if_fail (self->priv != NULL);
+
+        g_clear_object (&self->priv->identity_manager);
+
+        G_OBJECT_CLASS (gsd_identity_plugin_parent_class)->finalize (object);
+}
+
+static void
+on_identity_renewed (GsdIdentityManager  *manager,
+                     GAsyncResult        *result,
+                     GnomeSettingsPlugin *self)
+{
+        GError *error;
+
+        error = NULL;
+        gsd_identity_manager_renew_identity_finish (manager,
+                                                    result,
+                                                    &error);
+
+        if (error != NULL) {
+                g_debug ("GsdIdentityPlugin: could not renew identity: %s",
+                         error->message);
+                g_error_free (error);
+                return;
+        }
+
+        g_debug ("GsdIdentityPlugin: identity renewed");
+}
+
+static void
+on_identity_needs_renewal (GsdIdentityManager *identity_manager,
+                           GsdIdentity        *identity,
+                           GsdIdentityPlugin  *self)
+{
+        g_debug ("GsdIdentityPlugin: identity needs renewal");
+        gsd_identity_manager_renew_identity (GSD_IDENTITY_MANAGER (self->priv->identity_manager),
+                                             identity,
+                                             NULL,
+                                             (GAsyncReadyCallback)
+                                             on_identity_renewed,
+                                             self);
+}
+
+static void
+on_identity_expired (GsdIdentityManager *identity_manager,
+                     GsdIdentity        *identity,
+                     GsdIdentityPlugin  *self)
+{
+        NotifyNotification *notification;
+        g_debug ("GsdIdentityPlugin: identity expired");
+
+        notification = notify_notification_new (_("Signed out"),
+                                                _("The network realm %s is now inaccessible because its access expired."),
+                                                "dialog-password-symbolic");
+
+        notify_notification_set_app_name (notification, _("Network Realm"));
+
+        g_signal_connect (notification,
+                          "closed",
+                          G_CALLBACK (g_object_unref),
+                          NULL);
+
+        notify_notification_show (notification, NULL);
+}
+
+static void
+impl_activate (GnomeSettingsPlugin *plugin)
+{
+        GsdIdentityPlugin *self = GSD_IDENTITY_PLUGIN (plugin);
+
+        if (self->priv->identity_manager != NULL) {
+                g_debug ("GsdIdentityPlugin: Not activating identity plugin, because it's "
+                         "already active");
+                return;
+        }
+
+        g_debug ("GsdIdentityPlugin: Activating identity plugin");
+        self->priv->identity_manager = gsd_kerberos_identity_manager_new ();
+        g_signal_connect (G_OBJECT (self->priv->identity_manager),
+                          "identity-needs-renewal",
+                          G_CALLBACK (on_identity_needs_renewal),
+                          self);
+        g_signal_connect (G_OBJECT (self->priv->identity_manager),
+                          "identity-expired",
+                          G_CALLBACK (on_identity_expired),
+                          self);
+}
+
+static void
+impl_deactivate (GnomeSettingsPlugin *plugin)
+{
+        GsdIdentityPlugin *self = GSD_IDENTITY_PLUGIN (plugin);
+
+        if (self->priv->identity_manager == NULL) {
+                g_debug ("GsdIdentityPlugin: Not deactivating identity plugin, "
+                         "because it's already inactive");
+                return;
+        }
+
+        g_debug ("GsdIdentityPlugin: Deactivating identity plugin");
+        g_signal_handlers_disconnect_by_func (self, on_identity_needs_renewal, self);
+        g_clear_object (&self->priv->identity_manager);
+}
+
+static void
+gsd_identity_plugin_class_init (GsdIdentityPluginClass *klass)
+{
+        GObjectClass *object_class = G_OBJECT_CLASS (klass);
+        GnomeSettingsPluginClass *plugin_class = GNOME_SETTINGS_PLUGIN_CLASS (klass);
+
+        object_class->finalize = gsd_identity_plugin_finalize;
+
+        plugin_class->activate = impl_activate;
+        plugin_class->deactivate = impl_deactivate;
+
+        g_type_class_add_private (klass, sizeof (GsdIdentityPluginPrivate));
+}
+
+static void
+gsd_identity_plugin_class_finalize (GsdIdentityPluginClass *klass)
+{
+}
diff --git a/plugins/identity/gsd-identity-plugin.h b/plugins/identity/gsd-identity-plugin.h
new file mode 100644
index 0000000..ddfd9d4
--- /dev/null
+++ b/plugins/identity/gsd-identity-plugin.h
@@ -0,0 +1,59 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ */
+
+#ifndef __GSD_IDENTITY_PLUGIN_H__
+#define __GSD_IDENTITY_PLUGIN_H__
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gmodule.h>
+
+#include "gnome-settings-plugin.h"
+
+G_BEGIN_DECLS
+
+#define GSD_TYPE_IDENTITY_PLUGIN                (gsd_identity_plugin_get_type ())
+#define GSD_IDENTITY_PLUGIN(o)                  (G_TYPE_CHECK_INSTANCE_CAST ((o), GSD_TYPE_IDENTITY_PLUGIN, GsdIdentityPlugin))
+#define GSD_IDENTITY_PLUGIN_CLASS(k)            (G_TYPE_CHECK_CLASS_CAST ((k), GSD_TYPE_IDENTITY_PLUGIN, GsdIdentityPluginClass))
+#define GSD_IS_IDENTITY_PLUGIN(o)               (G_TYPE_CHECK_INSTANCE_TYPE ((o), GSD_TYPE_IDENTITY_PLUGIN))
+#define GSD_IS_IDENTITY_PLUGIN_CLASS(k)         (G_TYPE_CHECK_CLASS_TYPE ((k), GSD_TYPE_IDENTITY_PLUGIN))
+#define GSD_IDENTITY_PLUGIN_GET_CLASS(o)        (G_TYPE_INSTANCE_GET_CLASS ((o), GSD_TYPE_IDENTITY_PLUGIN, GsdIdentityPluginClass))
+
+typedef struct GsdIdentityPluginPrivate GsdIdentityPluginPrivate;
+
+typedef struct
+{
+        GnomeSettingsPlugin parent;
+        GsdIdentityPluginPrivate *priv;
+} GsdIdentityPlugin;
+
+typedef struct
+{
+        GnomeSettingsPluginClass parent_class;
+} GsdIdentityPluginClass;
+
+GType gsd_identity_plugin_get_type (void) G_GNUC_CONST;
+
+/* All the plugins must implement this function */
+G_MODULE_EXPORT GType register_gnome_settings_plugin (GTypeModule *module);
+
+G_END_DECLS
+
+#endif /* __GSD_IDENTITY_PLUGIN_H__ */
diff --git a/plugins/identity/gsd-identity.c b/plugins/identity/gsd-identity.c
new file mode 100644
index 0000000..2a03d37
--- /dev/null
+++ b/plugins/identity/gsd-identity.c
@@ -0,0 +1,57 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ */
+
+#include "config.h"
+
+#include <glib-object.h>
+#include <glib/gi18n.h>
+
+#include "gsd-identity.h"
+
+G_DEFINE_INTERFACE (GsdIdentity, gsd_identity, G_TYPE_OBJECT);
+
+static void
+gsd_identity_default_init (GsdIdentityInterface *interface)
+{
+}
+
+GQuark
+gsd_identity_error_quark (void)
+{
+        static GQuark error_quark = 0;
+
+        if (error_quark == 0) {
+                error_quark = g_quark_from_static_string ("gsd-identity-error");
+        }
+
+        return error_quark;
+}
+
+const char *
+gsd_identity_get_identifier (GsdIdentity *self)
+{
+        return GSD_IDENTITY_GET_IFACE (self)->get_identifier (self);
+}
+
+gboolean
+gsd_identity_is_signed_in (GsdIdentity *self)
+{
+        return GSD_IDENTITY_GET_IFACE (self)->is_signed_in (self);
+}
diff --git a/plugins/identity/gsd-identity.h b/plugins/identity/gsd-identity.h
new file mode 100644
index 0000000..9b925b8
--- /dev/null
+++ b/plugins/identity/gsd-identity.h
@@ -0,0 +1,64 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode <rstrode redhat com>
+ */
+
+#ifndef __GSD_IDENTITY_H__
+#define __GSD_IDENTITY_H__
+
+#include <glib.h>
+#include <glib-object.h>
+
+G_BEGIN_DECLS
+
+#define GSD_TYPE_IDENTITY             (gsd_identity_get_type ())
+#define GSD_IDENTITY(obj)             (G_TYPE_CHECK_INSTANCE_CAST ((obj), GSD_TYPE_IDENTITY, GsdIdentity))
+#define GSD_IDENTITY_CLASS(klass)     (G_TYPE_CHECK_CLASS_CAST ((klass), GSD_TYPE_IDENTITY, GsdIdentityInterface))
+#define GSD_IS_IDENTITY(obj)          (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GSD_TYPE_IDENTITY))
+#define GSD_IDENTITY_GET_IFACE(obj)   (G_TYPE_INSTANCE_GET_INTERFACE((obj), GSD_TYPE_IDENTITY, GsdIdentityInterface))
+#define GSD_IDENTITY_ERROR            (gsd_identity_error_quark ())
+
+typedef struct _GsdIdentity          GsdIdentity;
+typedef struct _GsdIdentityInterface GsdIdentityInterface;
+typedef enum   _GsdIdentityError     GsdIdentityError;
+
+struct _GsdIdentityInterface
+{
+        GTypeInterface base_interface;
+
+        const char * (* get_identifier)  (GsdIdentity *identity);
+        gboolean     (* is_signed_in)    (GsdIdentity *identity);
+};
+
+enum _GsdIdentityError {
+        GSD_IDENTITY_ERROR_VERIFYING,
+        GSD_IDENTITY_ERROR_RENEWING,
+        GSD_IDENTITY_ERROR_ERASING
+};
+
+GType       gsd_identity_get_type         (void);
+GQuark      gsd_identity_error_quark      (void);
+
+const char *gsd_identity_get_identifier   (GsdIdentity *identity);
+gboolean    gsd_identity_is_signed_in     (GsdIdentity *identity);
+
+G_END_DECLS
+
+#endif /* __GSD_IDENTITY_H__ */
diff --git a/plugins/identity/gsd-kerberos-identity-manager.c b/plugins/identity/gsd-kerberos-identity-manager.c
new file mode 100644
index 0000000..53fa8b5
--- /dev/null
+++ b/plugins/identity/gsd-kerberos-identity-manager.c
@@ -0,0 +1,1329 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#include "config.h"
+
+#include "gsd-kerberos-identity-manager.h"
+#include "gsd-identity-manager.h"
+#include "gsd-identity-manager-private.h"
+#include "gsd-kerberos-identity.h"
+
+#include <string.h>
+
+#include <glib/gi18n.h>
+#include <gio/gio.h>
+
+#include <krb5.h>
+
+struct _GsdKerberosIdentityManagerPrivate
+{
+        GHashTable      *identities;
+        GHashTable      *expired_identities;
+        GHashTable      *identities_by_realm;
+        GAsyncQueue     *pending_operations;
+        GCancellable    *scheduler_cancellable;
+
+        krb5_context     kerberos_context;
+        GFileMonitor    *credentials_cache_monitor;
+        gulong           credentials_cache_changed_signal_id;
+
+        GMutex           scheduler_job_lock;
+        GCond            scheduler_job_unblocked;
+        gboolean         is_blocking_scheduler_job;
+
+        volatile int     pending_refresh_count;
+};
+
+typedef enum
+{
+        OPERATION_TYPE_REFRESH,
+        OPERATION_TYPE_LIST,
+        OPERATION_TYPE_RENEW,
+        OPERATION_TYPE_SIGN_OUT,
+        OPERATION_TYPE_STOP_JOB
+} OperationType;
+
+typedef struct
+{
+        GCancellable               *cancellable;
+        GsdKerberosIdentityManager *manager;
+        OperationType               type;
+        GSimpleAsyncResult         *result;
+        GIOSchedulerJob            *job;
+        GsdIdentity                *identity;
+} Operation;
+
+typedef struct
+{
+        GsdKerberosIdentityManager *manager;
+        GsdIdentity                *identity;
+} IdentitySignalWork;
+
+static void identity_manager_interface_init (GsdIdentityManagerInterface *interface);
+static void initable_interface_init (GInitableIface *interface);
+
+static void on_identity_expired (GsdIdentity                *identity,
+                                 GsdKerberosIdentityManager *self);
+
+void gsd_kerberos_identity_manager_start_test (GsdKerberosIdentityManager  *manager,
+                                               GError                     **error);
+void gsd_kerberos_identity_manager_stop_test (GsdKerberosIdentityManager  *manager,
+                                              GError                     **error);
+
+G_DEFINE_TYPE_WITH_CODE (GsdKerberosIdentityManager,
+                         gsd_kerberos_identity_manager,
+                         G_TYPE_OBJECT,
+                         G_IMPLEMENT_INTERFACE (GSD_TYPE_IDENTITY_MANAGER,
+                                                identity_manager_interface_init)
+                         G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
+                                                initable_interface_init));
+
+static Operation *
+operation_new (GsdKerberosIdentityManager *self,
+               GCancellable              *cancellable,
+               OperationType              type,
+               GSimpleAsyncResult        *result)
+{
+        Operation *operation;
+
+        operation = g_slice_new (Operation);
+
+        operation->manager = self;
+        operation->type = type;
+
+        if (cancellable == NULL) {
+                cancellable = g_cancellable_new ();
+        } else {
+                g_object_ref (cancellable);
+        }
+        operation->cancellable = cancellable;
+
+        if (result != NULL) {
+                g_object_ref (result);
+        }
+        operation->result = result;
+
+        operation->identity = NULL;
+
+        return operation;
+}
+
+static void
+operation_free (Operation *operation)
+{
+       g_object_unref (operation->cancellable);
+
+       if (operation->identity != NULL) {
+               g_object_unref (operation->identity);
+       }
+
+       if (operation->result != NULL) {
+               g_object_unref (operation->result);
+       }
+
+       g_slice_free (Operation, operation);
+}
+
+static void
+schedule_refresh (GsdKerberosIdentityManager *self)
+{
+        Operation *operation;
+
+        g_atomic_int_inc (&self->priv->pending_refresh_count);
+
+        operation = operation_new (self, NULL, OPERATION_TYPE_REFRESH, NULL);
+        g_async_queue_push (self->priv->pending_operations, operation);
+}
+
+static IdentitySignalWork *
+identity_signal_work_new (GsdKerberosIdentityManager *self,
+                          GsdIdentity                *identity)
+{
+        IdentitySignalWork *work;
+
+        work = g_slice_new (IdentitySignalWork);
+        work->manager = self;
+        work->identity = g_object_ref (identity);
+
+        return work;
+}
+
+static void
+identity_signal_work_free (IdentitySignalWork *work)
+{
+        g_object_unref (work->identity);
+        g_slice_free (IdentitySignalWork, work);
+}
+
+static void
+stop_watching_for_identity_expiration (GsdKerberosIdentityManager *self,
+                                       GsdIdentity                *identity)
+{
+        g_signal_handlers_disconnect_by_func (G_OBJECT (identity),
+                                              G_CALLBACK (on_identity_expired),
+                                              self);
+}
+
+static void
+on_identity_expired (GsdIdentity                *identity,
+                     GsdKerberosIdentityManager *self)
+{
+        const char *identifier;
+
+        stop_watching_for_identity_expiration (self, identity);
+
+        identifier = gsd_identity_get_identifier (identity);
+        g_hash_table_replace (self->priv->expired_identities,
+                              g_strdup (identifier),
+                              identity);
+        _gsd_identity_manager_emit_identity_expired (GSD_IDENTITY_MANAGER (self), identity);
+}
+
+static void
+on_identity_unexpired (GsdIdentity                *identity,
+                       GsdKerberosIdentityManager *self)
+{
+        g_debug ("GsdKerberosIdentityManager: identity unexpired");
+        /* If an identity is now unexpired, that means some sort of weird
+         * clock skew happened and we should just do a full refresh, since it's
+         * probably affected more than one identity
+         */
+        schedule_refresh (self);
+}
+
+static void
+on_identity_needs_renewal (GsdIdentity                *identity,
+                           GsdKerberosIdentityManager *self)
+{
+        g_debug ("GsdKerberosIdentityManager: identity needs renewal");
+        _gsd_identity_manager_emit_identity_needs_renewal (GSD_IDENTITY_MANAGER (self), identity);
+}
+
+static void
+on_identity_needs_refresh (GsdIdentity                *identity,
+                           GsdKerberosIdentityManager *self)
+{
+        g_debug ("GsdKerberosIdentityManager: needs refresh");
+        schedule_refresh (self);
+}
+
+static void
+watch_for_identity_expiration (GsdKerberosIdentityManager *self,
+                               GsdIdentity                *identity)
+{
+        g_signal_handlers_disconnect_by_func (G_OBJECT (identity),
+                                              G_CALLBACK (on_identity_expired),
+                                              self);
+        g_signal_connect (G_OBJECT (identity),
+                          "expired",
+                          G_CALLBACK (on_identity_expired),
+                          self);
+
+        g_signal_handlers_disconnect_by_func (G_OBJECT (identity),
+                                              G_CALLBACK (on_identity_unexpired),
+                                              self);
+        g_signal_connect (G_OBJECT (identity),
+                          "unexpired",
+                          G_CALLBACK (on_identity_unexpired),
+                          self);
+
+        g_signal_handlers_disconnect_by_func (G_OBJECT (identity),
+                                              G_CALLBACK (on_identity_needs_renewal),
+                                              self);
+        g_signal_connect (G_OBJECT (identity),
+                          "needs-renewal",
+                          G_CALLBACK (on_identity_needs_renewal),
+                          self);
+
+        g_signal_handlers_disconnect_by_func (G_OBJECT (identity),
+                                              G_CALLBACK (on_identity_needs_refresh),
+                                              self);
+        g_signal_connect (G_OBJECT (identity),
+                          "needs-refresh",
+                          G_CALLBACK (on_identity_needs_refresh),
+                          self);
+}
+
+static void
+do_identity_signal_added_work (IdentitySignalWork *work)
+{
+        GsdKerberosIdentityManager *self = work->manager;
+        GsdIdentity *identity = work->identity;
+
+        watch_for_identity_expiration (self, identity);
+        _gsd_identity_manager_emit_identity_added (GSD_IDENTITY_MANAGER (self), identity);
+}
+
+static void
+do_identity_signal_removed_work (IdentitySignalWork *work)
+{
+        GsdKerberosIdentityManager *self = work->manager;
+        GsdIdentity *identity = work->identity;
+
+        stop_watching_for_identity_expiration (self, identity);
+        _gsd_identity_manager_emit_identity_removed (GSD_IDENTITY_MANAGER (self), identity);
+}
+
+static void
+do_identity_signal_renamed_work (IdentitySignalWork *work)
+{
+        GsdKerberosIdentityManager *self = work->manager;
+        GsdIdentity *identity = work->identity;
+
+        _gsd_identity_manager_emit_identity_renamed (GSD_IDENTITY_MANAGER (self), identity);
+}
+
+static void
+do_identity_signal_refreshed_work (IdentitySignalWork *work)
+{
+        GsdKerberosIdentityManager *self = work->manager;
+        GsdIdentity *identity = work->identity;
+
+        watch_for_identity_expiration (self, identity);
+        _gsd_identity_manager_emit_identity_refreshed (GSD_IDENTITY_MANAGER (self), identity);
+}
+
+static void
+remove_identity (GsdKerberosIdentityManager *self,
+                 Operation                  *operation,
+                 GsdIdentity                *identity)
+{
+
+        IdentitySignalWork *work;
+        const char *identifier;
+        char *name;
+        GList *other_identities = NULL;
+
+        identifier = gsd_identity_get_identifier (identity);
+        name = gsd_kerberos_identity_get_realm_name (GSD_KERBEROS_IDENTITY (identity));
+
+        if (name != NULL) {
+                other_identities = g_hash_table_lookup (self->priv->identities_by_realm,
+                                                        name);
+                g_hash_table_remove (self->priv->identities_by_realm, name);
+
+                other_identities = g_list_remove (other_identities, identity);
+        }
+
+
+        if (other_identities != NULL) {
+                g_hash_table_replace (self->priv->identities_by_realm,
+                                      g_strdup (name),
+                                      other_identities);
+        }
+        g_free (name);
+
+        work = identity_signal_work_new (self, identity);
+        g_hash_table_remove (self->priv->expired_identities,
+                             identifier);
+        g_hash_table_remove (self->priv->identities,
+                             identifier);
+
+        g_io_scheduler_job_send_to_mainloop (operation->job,
+                                             (GSourceFunc)
+                                             do_identity_signal_removed_work,
+                                             work,
+                                             (GDestroyNotify)
+                                             identity_signal_work_free);
+        /* If there's only one identity for this realm now, then we can
+         * rename that identity to just the realm name
+         */
+        if (other_identities != NULL && other_identities->next == NULL) {
+                GsdIdentity *other_identity = other_identities->data;
+
+                work = identity_signal_work_new (self, other_identity);
+
+                g_io_scheduler_job_send_to_mainloop (operation->job,
+                                                     (GSourceFunc)
+                                                     do_identity_signal_renamed_work,
+                                                     work,
+                                                     (GDestroyNotify)
+                                                     identity_signal_work_free);
+        }
+}
+
+static void
+drop_stale_identities (GsdKerberosIdentityManager *self,
+                       Operation                  *operation,
+                       GHashTable                 *known_identities)
+{
+        GList *stale_identity_ids;
+        GList *node;
+
+        stale_identity_ids = g_hash_table_get_keys (self->priv->identities);
+
+        node = stale_identity_ids;
+        while (node != NULL) {
+                GsdIdentity *identity;
+                const char *identifier = node->data;
+
+                identity = g_hash_table_lookup (known_identities, identifier);
+                if (identity == NULL) {
+                        identity = g_hash_table_lookup (self->priv->identities,
+                                                        identifier);
+
+                        if (identity != NULL) {
+                                remove_identity (self, operation, identity);
+                        }
+                }
+                node = node->next;
+        }
+        g_list_free (stale_identity_ids);
+}
+
+static void
+update_identity (GsdKerberosIdentityManager *self,
+                 Operation                  *operation,
+                 GsdIdentity                *identity,
+                 GsdIdentity                *new_identity)
+{
+
+        gboolean is_expired;
+
+        is_expired = g_hash_table_remove (self->priv->expired_identities,
+                                          gsd_identity_get_identifier (identity));
+
+        gsd_kerberos_identity_update (GSD_KERBEROS_IDENTITY (identity),
+                                      GSD_KERBEROS_IDENTITY (new_identity));
+
+        if (is_expired) {
+                IdentitySignalWork *work;
+
+                /* if it was expired before, send out a refresh signal */
+                work = identity_signal_work_new (self, identity);
+                g_io_scheduler_job_send_to_mainloop (operation->job,
+                                                     (GSourceFunc)
+                                                     do_identity_signal_refreshed_work,
+                                                     work,
+                                                     (GDestroyNotify)
+                                                     identity_signal_work_free);
+        }
+}
+
+static void
+add_identity (GsdKerberosIdentityManager *self,
+              Operation                 *operation,
+              GsdIdentity                *identity,
+              const char                *identifier)
+{
+        IdentitySignalWork *work;
+
+        g_hash_table_replace (self->priv->identities,
+                              g_strdup (identifier),
+                              g_object_ref (identity));
+
+        if (!gsd_identity_is_signed_in (identity)) {
+                g_hash_table_replace (self->priv->expired_identities,
+                                      g_strdup (identifier),
+                                      identity);
+        }
+
+        work = identity_signal_work_new (self, identity);
+        g_io_scheduler_job_send_to_mainloop (operation->job,
+                                             (GSourceFunc)
+                                             do_identity_signal_added_work,
+                                             work,
+                                             (GDestroyNotify)
+                                             identity_signal_work_free);
+}
+
+static void
+refresh_identity (GsdKerberosIdentityManager *self,
+                  Operation                  *operation,
+                  GHashTable                 *refreshed_identities,
+                  GsdIdentity                *identity)
+{
+        const char *identifier;
+        GsdIdentity *old_identity;
+
+        identifier = gsd_identity_get_identifier (identity);
+
+        if (identifier == NULL) {
+                return;
+        }
+        old_identity = g_hash_table_lookup (self->priv->identities, identifier);
+
+        if (old_identity != NULL) {
+                g_debug ("GsdKerberosIdentityManager: refreshing identity '%s'", identifier);
+                update_identity (self, operation, old_identity, identity);
+
+                /* Reuse the old identity, so any object data set up on it doesn't
+                 * disappear spurriously
+                 */
+                identifier = gsd_identity_get_identifier (old_identity);
+                identity = old_identity;
+        } else {
+                g_debug ("GsdKerberosIdentityManager: adding new identity '%s'", identifier);
+                add_identity (self, operation, identity, identifier);
+        }
+
+        /* Track refreshed identities so we can emit removals when we're done fully
+         * enumerating the collection of credential caches
+         */
+        g_hash_table_replace (refreshed_identities,
+                              g_strdup (identifier),
+                              g_object_ref (identity));
+}
+
+static gboolean
+refresh_identities (GsdKerberosIdentityManager *self,
+                    Operation                  *operation)
+{
+        krb5_error_code error_code;
+        krb5_ccache cache;
+        krb5_cccol_cursor cursor;
+        const char *error_message;
+        GHashTable *refreshed_identities;
+
+        /* If we have more refreshes queued up, don't bother doing this one
+         */
+        if (!g_atomic_int_dec_and_test (&self->priv->pending_refresh_count)) {
+                return FALSE;
+        }
+
+        g_debug ("GsdKerberosIdentityManager: Refreshing identities");
+        refreshed_identities = g_hash_table_new_full (g_str_hash,
+                                                      g_str_equal,
+                                                      (GDestroyNotify)
+                                                      g_free,
+                                                      (GDestroyNotify)
+                                                      g_object_unref);
+        error_code = krb5_cccol_cursor_new (self->priv->kerberos_context, &cursor);
+
+        if (error_code != 0) {
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+                g_debug ("GsdKerberosIdentityManager:         Error looking up available credential caches: %s", error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                goto done;
+        }
+
+        error_code = krb5_cccol_cursor_next (self->priv->kerberos_context,
+                                             cursor,
+                                             &cache);
+
+        while (error_code == 0 && cache != NULL) {
+                GsdIdentity *identity;
+
+                identity = gsd_kerberos_identity_new (self->priv->kerberos_context,
+                                                      cache);
+
+                if (identity != NULL) {
+                        refresh_identity (self, operation, refreshed_identities, identity);
+                }
+
+                krb5_cc_close (self->priv->kerberos_context, cache);
+                error_code = krb5_cccol_cursor_next (self->priv->kerberos_context,
+                                                     cursor,
+                                                     &cache);
+        }
+
+        if (error_code != 0) {
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+                g_debug ("GsdKerberosIdentityManager:         Error iterating over available credential caches: %s", error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+        }
+
+        krb5_cccol_cursor_free (self->priv->kerberos_context, &cursor);
+done:
+        drop_stale_identities (self, operation, refreshed_identities);
+        g_hash_table_unref (refreshed_identities);
+
+        return TRUE;
+}
+
+static int
+identity_sort_func (GsdIdentity *a,
+                    GsdIdentity *b)
+{
+        return g_strcmp0 (gsd_identity_get_identifier (a),
+                          gsd_identity_get_identifier (b));
+}
+
+static void
+free_identity_list (GList *list)
+{
+        g_list_foreach (list, (GFunc) g_object_unref, NULL);
+        g_list_free (list);
+}
+
+static void
+list_identities (GsdKerberosIdentityManager *self,
+                 Operation                  *operation)
+{
+        GList *identities;
+
+        g_debug ("GsdKerberosIdentityManager: Listing identities");
+        identities = g_hash_table_get_values (self->priv->identities);
+
+        identities = g_list_sort (identities,
+                                  (GCompareFunc)
+                                  identity_sort_func);
+
+        g_list_foreach (identities, (GFunc) g_object_ref, NULL);
+        g_simple_async_result_set_op_res_gpointer (operation->result,
+                                                   identities,
+                                                   (GDestroyNotify)
+                                                   free_identity_list);
+}
+
+static void
+renew_identity (GsdKerberosIdentityManager *self,
+                Operation                  *operation)
+{
+        GError *error;
+        gboolean was_renewed;
+        char *identity_name;
+
+        identity_name = gsd_kerberos_identity_get_principal_name (GSD_KERBEROS_IDENTITY (operation->identity));
+        g_debug ("GsdKerberosIdentityManager: renewing identity %s", identity_name);
+        g_free (identity_name);
+
+        error = NULL;
+        was_renewed = gsd_kerberos_identity_renew (GSD_KERBEROS_IDENTITY (operation->identity),
+                                                   &error);
+
+        if (!was_renewed) {
+                g_debug ("GsdKerberosIdentityManager: could not renew identity: %s",
+                         error->message);
+
+                g_simple_async_result_set_from_error (operation->result,
+                                                      error);
+        }
+
+        g_simple_async_result_set_op_res_gboolean (operation->result,
+                                                   was_renewed);
+}
+
+static void
+sign_out_identity (GsdKerberosIdentityManager *self,
+                   Operation                  *operation)
+{
+        GError *error;
+        gboolean was_signed_out;
+        char *identity_name;
+
+        identity_name = gsd_kerberos_identity_get_principal_name (GSD_KERBEROS_IDENTITY (operation->identity));
+        g_debug ("GsdKerberosIdentityManager: signing out identity %s", identity_name);
+        g_free (identity_name);
+
+        error = NULL;
+        was_signed_out = gsd_kerberos_identity_erase (GSD_KERBEROS_IDENTITY (operation->identity),
+                                                      &error);
+
+        if (!was_signed_out) {
+                g_debug ("GsdKerberosIdentityManager: could not sign out identity: %s",
+                         error->message);
+                g_error_free (error);
+        }
+}
+
+static void
+block_scheduler_job (GsdKerberosIdentityManager *self)
+{
+        g_mutex_lock (&self->priv->scheduler_job_lock);
+        while (self->priv->is_blocking_scheduler_job) {
+                g_cond_wait (&self->priv->scheduler_job_unblocked, &self->priv->scheduler_job_lock);
+        }
+        self->priv->is_blocking_scheduler_job = TRUE;
+        g_mutex_unlock (&self->priv->scheduler_job_lock);
+}
+
+static void
+stop_blocking_scheduler_job (GsdKerberosIdentityManager *self)
+{
+        g_mutex_lock (&self->priv->scheduler_job_lock);
+        self->priv->is_blocking_scheduler_job = FALSE;
+        g_cond_signal (&self->priv->scheduler_job_unblocked);
+        g_mutex_unlock (&self->priv->scheduler_job_lock);
+}
+
+static void
+wait_for_scheduler_job_to_become_unblocked (GsdKerberosIdentityManager *self)
+{
+        g_mutex_lock (&self->priv->scheduler_job_lock);
+        while (self->priv->is_blocking_scheduler_job) {
+                g_cond_wait (&self->priv->scheduler_job_unblocked, &self->priv->scheduler_job_lock);
+        }
+        g_mutex_unlock (&self->priv->scheduler_job_lock);
+}
+
+static void
+on_job_cancelled (GCancellable               *cancellable,
+                  GsdKerberosIdentityManager *self)
+{
+        Operation *operation;
+        operation = operation_new (self,
+                                   cancellable,
+                                   OPERATION_TYPE_STOP_JOB,
+                                   NULL);
+        g_async_queue_push (self->priv->pending_operations, operation);
+
+        stop_blocking_scheduler_job (self);
+}
+
+static gboolean
+on_job_scheduled (GIOSchedulerJob            *job,
+                  GCancellable               *cancellable,
+                  GsdKerberosIdentityManager *self)
+{
+        GAsyncQueue *pending_operations;
+
+        g_assert (cancellable != NULL);
+
+        g_cancellable_connect (cancellable,
+                               G_CALLBACK (on_job_cancelled),
+                               self,
+                               NULL);
+
+        pending_operations = g_async_queue_ref (self->priv->pending_operations);
+        while (!g_cancellable_is_cancelled (cancellable)) {
+                Operation *operation;
+                gboolean   processed_operation;
+                GError    *error = NULL;
+
+                operation = g_async_queue_pop (pending_operations);
+
+                if (operation->result != NULL &&
+                    g_cancellable_set_error_if_cancelled (operation->cancellable, &error)) {
+                        g_simple_async_result_take_error (operation->result,
+                                                          error);
+                        g_simple_async_result_complete_in_idle (operation->result);
+                        g_object_unref (operation->result);
+                        operation->result = NULL;
+                        continue;
+                }
+
+                operation->job = job;
+
+                switch (operation->type) {
+                        case OPERATION_TYPE_STOP_JOB:
+                                /* do nothing, loop will exit next iteration since cancellable
+                                 * is cancelled
+                                 */
+                                g_assert (g_cancellable_is_cancelled (cancellable));
+                                break;
+                        case OPERATION_TYPE_REFRESH:
+                                processed_operation = refresh_identities (operation->manager, operation);
+                                break;
+                        case OPERATION_TYPE_LIST:
+                                list_identities (operation->manager, operation);
+                                processed_operation = TRUE;
+
+                                /* We want to block refreshes (and their associated "added"
+                                 * and "removed" signals) until the caller has had
+                                 * a chance to look at the batch of
+                                 * results we already processed
+                                 */
+                                g_assert (operation->result != NULL);
+
+                                g_debug ("GsdKerberosIdentityManager:         Blocking until identities list processed");
+                                block_scheduler_job (self);
+                                g_object_weak_ref (G_OBJECT (operation->result),
+                                                   (GWeakNotify)
+                                                   stop_blocking_scheduler_job,
+                                                   self);
+                                g_debug ("GsdKerberosIdentityManager:         Continuing");
+                                break;
+                        case OPERATION_TYPE_RENEW:
+                                renew_identity (operation->manager, operation);
+                                processed_operation = TRUE;
+                                break;
+                        case OPERATION_TYPE_SIGN_OUT:
+                                sign_out_identity (operation->manager, operation);
+                                processed_operation = TRUE;
+                                break;
+                }
+
+                operation->job = NULL;
+
+                if (operation->result != NULL) {
+                        g_simple_async_result_complete_in_idle (operation->result);
+                        g_object_unref (operation->result);
+                        operation->result = NULL;
+                }
+                operation_free (operation);
+
+                wait_for_scheduler_job_to_become_unblocked (self);
+
+                /* Don't bother saying "Waiting for next operation" if this operation
+                 * was a no-op, since the debug spew probably already says the message
+                 */
+                if (processed_operation) {
+                        g_debug ("GsdKerberosIdentityManager: Waiting for next operation");
+                }
+        }
+
+        g_async_queue_unref (pending_operations);
+
+        return FALSE;
+}
+
+static void
+gsd_kerberos_identity_manager_list_identities (GsdIdentityManager          *manager,
+                                               GCancellable               *cancellable,
+                                               GAsyncReadyCallback         callback,
+                                               gpointer                    user_data)
+{
+        GsdKerberosIdentityManager *self = GSD_KERBEROS_IDENTITY_MANAGER (manager);
+        GSimpleAsyncResult *result;
+        Operation *operation;
+
+        result = g_simple_async_result_new (G_OBJECT (self),
+                                            callback,
+                                            user_data,
+                                            gsd_kerberos_identity_manager_list_identities);
+
+        operation = operation_new (self,
+                                   cancellable,
+                                   OPERATION_TYPE_LIST,
+                                   result);
+        g_object_unref (result);
+
+        g_async_queue_push (self->priv->pending_operations, operation);
+}
+
+static GList *
+gsd_kerberos_identity_manager_list_identities_finish (GsdIdentityManager  *manager,
+                                                      GAsyncResult        *result,
+                                                      GError             **error)
+{
+        GList *identities;
+
+        if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result),
+                                                   error)) {
+                return NULL;
+        }
+
+        identities = g_simple_async_result_get_op_res_gpointer (G_SIMPLE_ASYNC_RESULT (result));
+
+        return identities;
+
+}
+
+static void
+gsd_kerberos_identity_manager_renew_identity (GsdIdentityManager         *manager,
+                                              GsdIdentity                *identity,
+                                              GCancellable               *cancellable,
+                                              GAsyncReadyCallback         callback,
+                                              gpointer                    user_data)
+{
+        GsdKerberosIdentityManager *self = GSD_KERBEROS_IDENTITY_MANAGER (manager);
+        GSimpleAsyncResult *result;
+        Operation *operation;
+
+        result = g_simple_async_result_new (G_OBJECT (self),
+                                            callback,
+                                            user_data,
+                                            gsd_kerberos_identity_manager_renew_identity);
+        operation = operation_new (self,
+                                   cancellable,
+                                   OPERATION_TYPE_RENEW,
+                                   result);
+        g_object_unref (result);
+
+        operation->identity = g_object_ref (identity);
+
+        g_async_queue_push (self->priv->pending_operations, operation);
+}
+
+static void
+gsd_kerberos_identity_manager_renew_identity_finish (GsdIdentityManager  *self,
+                                                     GAsyncResult        *result,
+                                                     GError             **error)
+{
+        if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result),
+                                                   error)) {
+                return;
+        }
+
+        return;
+}
+
+static void
+gsd_kerberos_identity_manager_sign_identity_out (GsdIdentityManager   *manager,
+                                                 GsdIdentity          *identity,
+                                                 GCancellable         *cancellable,
+                                                 GAsyncReadyCallback   callback,
+                                                 gpointer              user_data)
+{
+        GsdKerberosIdentityManager *self = GSD_KERBEROS_IDENTITY_MANAGER (manager);
+        GSimpleAsyncResult *result;
+        Operation *operation;
+
+        result = g_simple_async_result_new (G_OBJECT (self),
+                                            callback,
+                                            user_data,
+                                            gsd_kerberos_identity_manager_sign_identity_out);
+        operation = operation_new (self,
+                                   cancellable,
+                                   OPERATION_TYPE_SIGN_OUT,
+                                   result);
+        g_object_unref (result);
+
+        operation->identity = g_object_ref (identity);
+
+        g_async_queue_push (self->priv->pending_operations, operation);
+}
+
+static void
+gsd_kerberos_identity_manager_sign_identity_out_finish (GsdIdentityManager  *self,
+                                                        GAsyncResult        *result,
+                                                        GError             **error)
+{
+        if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result),
+                                                   error)) {
+                return;
+        }
+
+        return;
+}
+
+static char *
+gsd_kerberos_identity_manager_name_identity (GsdIdentityManager *manager,
+                                             GsdIdentity        *identity)
+{
+        GsdKerberosIdentityManager *self = GSD_KERBEROS_IDENTITY_MANAGER (manager);
+        char *name;
+        GList *other_identities;
+        gboolean other_identity_needs_rename;
+
+        name = gsd_kerberos_identity_get_realm_name (GSD_KERBEROS_IDENTITY (identity));
+
+        if (name == NULL) {
+                return NULL;
+        }
+
+        other_identities = g_hash_table_lookup (self->priv->identities_by_realm,
+                                                name);
+
+        /* If there was already exactly one identity for this realm before,
+         * then it was going by just the realm name, so we need to rename it
+         * to use the full principle name
+         */
+        if (other_identities != NULL &&
+            other_identities->next == NULL &&
+            other_identities->data != identity) {
+                other_identity_needs_rename = TRUE;
+        }
+
+        other_identities = g_list_remove (other_identities, identity);
+        other_identities = g_list_prepend (other_identities, identity);
+
+        g_hash_table_replace (self->priv->identities_by_realm,
+                              g_strdup (name),
+                              other_identities);
+
+        if (other_identities->next != NULL) {
+                g_free (name);
+                name = gsd_kerberos_identity_get_principal_name (GSD_KERBEROS_IDENTITY (identity));
+                if (other_identity_needs_rename) {
+                        GsdIdentity *other_identity = other_identities->next->data;
+
+                        _gsd_identity_manager_emit_identity_renamed (GSD_IDENTITY_MANAGER (self),
+                                                                    other_identity);
+                }
+        }
+
+        return name;
+}
+
+static void
+identity_manager_interface_init (GsdIdentityManagerInterface *interface)
+{
+        interface->renew_identity = gsd_kerberos_identity_manager_renew_identity;
+        interface->renew_identity_finish = gsd_kerberos_identity_manager_renew_identity_finish;
+        interface->list_identities = gsd_kerberos_identity_manager_list_identities;
+        interface->list_identities_finish = gsd_kerberos_identity_manager_list_identities_finish;
+        interface->sign_identity_out = gsd_kerberos_identity_manager_sign_identity_out;
+        interface->sign_identity_out_finish = gsd_kerberos_identity_manager_sign_identity_out_finish;
+        interface->name_identity = gsd_kerberos_identity_manager_name_identity;
+}
+
+static void
+on_credentials_cache_changed (GFileMonitor               *monitor,
+                              GFile                      *file,
+                              GFile                      *other_file,
+                              GFileMonitorEvent          *event_type,
+                              GsdKerberosIdentityManager *self)
+{
+        schedule_refresh (self);
+}
+
+static gboolean
+monitor_credentials_cache (GsdKerberosIdentityManager  *self,
+                           GError                    **error)
+{
+        krb5_ccache default_cache;
+        const char *cache_type;
+        const char *cache_path;
+        GFile *file;
+        GFileMonitor *monitor;
+        krb5_error_code error_code;
+        GError *monitoring_error;
+
+        error_code = krb5_cc_default (self->priv->kerberos_context,
+                                      &default_cache);
+
+        if (error_code != 0) {
+                const char *error_message;
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+
+                g_set_error_literal (error,
+                                     GSD_IDENTITY_MANAGER_ERROR,
+                                     GSD_IDENTITY_MANAGER_ERROR_MONITORING,
+                                     error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+
+                return FALSE;
+        }
+
+        cache_type = krb5_cc_get_type (self->priv->kerberos_context,
+                                       default_cache);
+        g_assert (cache_type != NULL);
+
+        if (strcmp (cache_type, "FILE") != 0 &&
+            strcmp (cache_type, "DIR") != 0) {
+                g_set_error (error,
+                             GSD_IDENTITY_MANAGER_ERROR,
+                             GSD_IDENTITY_MANAGER_ERROR_MONITORING,
+                             "Only 'FILE' and 'DIR' credential cache types are really supported, not '%s'",
+                             cache_type);
+                return FALSE;
+        }
+
+        /* If we're using a FILE type credential cache, then the
+         * default cache file is the only cache we care about,
+         * and its path is what we want to monitor.
+         *
+         * If we're using a DIR type credential cache, then the default
+         * cache file is one of many possible cache files, all in the
+         * same directory.  We want to monitor that directory.
+         */
+        cache_path = krb5_cc_get_name (self->priv->kerberos_context,
+                                       default_cache);
+
+        /* The cache name might have a : in front of it.
+         * FIXME: figure out if that behavior is by design, or some
+         * odd bug.
+         */
+        if (cache_path[0] == ':') {
+                cache_path++;
+        }
+
+        file = g_file_new_for_path (cache_path);
+
+        monitoring_error = NULL;
+        if (strcmp (cache_type, "FILE") == 0) {
+                monitor = g_file_monitor_file (file,
+                                               G_FILE_MONITOR_NONE,
+                                               NULL,
+                                               &monitoring_error);
+        } else if (strcmp (cache_type, "DIR") == 0) {
+                GFile *directory;
+
+                directory = g_file_get_parent (file);
+                monitor = g_file_monitor_directory (directory,
+                                                    G_FILE_MONITOR_NONE,
+                                                    NULL,
+                                                    &monitoring_error);
+                g_object_unref (directory);
+
+        } else {
+                g_assert_not_reached ();
+        }
+        g_object_unref (file);
+
+        if (monitor == NULL) {
+                g_propagate_error (error, monitoring_error);
+                return FALSE;
+        }
+
+        self->priv->credentials_cache_changed_signal_id = g_signal_connect (G_OBJECT (monitor),
+                                                                            "changed",
+                                                                            G_CALLBACK (on_credentials_cache_changed),
+                                                                            self);
+        self->priv->credentials_cache_monitor = monitor;
+
+        return TRUE;
+}
+
+static void
+stop_watching_credentials_cache (GsdKerberosIdentityManager *self)
+{
+        if (!g_file_monitor_is_cancelled (self->priv->credentials_cache_monitor)) {
+                g_file_monitor_cancel (self->priv->credentials_cache_monitor);
+        }
+        g_object_unref (self->priv->credentials_cache_monitor);
+        self->priv->credentials_cache_monitor = NULL;
+}
+
+static gboolean
+gsd_kerberos_identity_manager_initable_init (GInitable     *initable,
+                                             GCancellable  *cancellable,
+                                             GError       **error)
+{
+        GsdKerberosIdentityManager *self = GSD_KERBEROS_IDENTITY_MANAGER (initable);
+        krb5_error_code error_code;
+        GError *monitoring_error;
+
+        if (g_cancellable_set_error_if_cancelled (cancellable, error)) {
+                return FALSE;
+        }
+
+        error_code = krb5_init_context (&self->priv->kerberos_context);
+
+        if (error_code != 0) {
+                const char *error_message;
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+
+                g_set_error_literal (error,
+                                     GSD_IDENTITY_MANAGER_ERROR,
+                                     GSD_IDENTITY_MANAGER_ERROR_INITIALIZING,
+                                     error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+
+                return FALSE;
+        }
+
+        monitoring_error = NULL;
+        if (!monitor_credentials_cache (self, &monitoring_error)) {
+                g_warning ("GsdKerberosIdentityManager: Could not monitor credentials: %s",
+                           monitoring_error->message);
+                g_error_free (monitoring_error);
+        }
+
+        schedule_refresh (self);
+
+        return TRUE;
+}
+
+static void
+initable_interface_init (GInitableIface *interface)
+{
+        interface->init = gsd_kerberos_identity_manager_initable_init;
+}
+
+static void
+gsd_kerberos_identity_manager_init (GsdKerberosIdentityManager *self)
+{
+        self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+                                                  GSD_TYPE_KERBEROS_IDENTITY_MANAGER,
+                                                  GsdKerberosIdentityManagerPrivate);
+        self->priv->identities = g_hash_table_new_full (g_str_hash,
+                                                        g_str_equal,
+                                                        (GDestroyNotify)
+                                                        g_free,
+                                                        (GDestroyNotify)
+                                                        g_object_unref);
+        self->priv->expired_identities = g_hash_table_new_full (g_str_hash,
+                                                                g_str_equal,
+                                                                (GDestroyNotify)
+                                                                g_free,
+                                                                NULL);
+
+        self->priv->identities_by_realm = g_hash_table_new_full (g_str_hash,
+                                                                 g_str_equal,
+                                                                (GDestroyNotify)
+                                                                 g_free,
+                                                                 NULL);
+        self->priv->pending_operations = g_async_queue_new ();
+
+        g_mutex_init (&self->priv->scheduler_job_lock);
+        g_cond_init (&self->priv->scheduler_job_unblocked);
+
+        self->priv->scheduler_cancellable = g_cancellable_new ();
+        g_io_scheduler_push_job ((GIOSchedulerJobFunc)
+                                 on_job_scheduled,
+                                 self,
+                                 NULL,
+                                 G_PRIORITY_DEFAULT,
+                                 self->priv->scheduler_cancellable);
+
+}
+
+static void
+cancel_pending_operations (GsdKerberosIdentityManager *self)
+{
+        Operation *operation;
+
+        operation = g_async_queue_try_pop (self->priv->pending_operations);
+        while (operation != NULL) {
+                if (!g_cancellable_is_cancelled (operation->cancellable)) {
+                        g_cancellable_cancel (operation->cancellable);
+                }
+                operation_free (operation);
+                operation = g_async_queue_try_pop (self->priv->pending_operations);
+        }
+}
+
+static void
+gsd_kerberos_identity_manager_dispose (GObject *object)
+{
+        GsdKerberosIdentityManager *self = GSD_KERBEROS_IDENTITY_MANAGER (object);
+
+        if (self->priv->identities_by_realm != NULL) {
+                g_hash_table_unref (self->priv->identities_by_realm);
+                self->priv->identities_by_realm = NULL;
+        }
+
+        if (self->priv->expired_identities != NULL) {
+                g_hash_table_unref (self->priv->expired_identities);
+                self->priv->expired_identities = NULL;
+        }
+
+        if (self->priv->identities != NULL) {
+                g_hash_table_unref (self->priv->identities);
+                self->priv->identities = NULL;
+        }
+
+        if (self->priv->credentials_cache_monitor != NULL) {
+                stop_watching_credentials_cache (self);
+        }
+
+        if (self->priv->pending_operations != NULL) {
+                cancel_pending_operations (self);
+        }
+
+        if (self->priv->scheduler_cancellable != NULL) {
+                if (!g_cancellable_is_cancelled (self->priv->scheduler_cancellable)) {
+                        g_cancellable_cancel (self->priv->scheduler_cancellable);
+                }
+
+                g_clear_object (&self->priv->scheduler_cancellable);
+        }
+
+        /* Note, other thread may still be holding a local reference to queue
+         * while it shuts down from cancelled scheduler_cancellable above
+         */
+        if (self->priv->pending_operations != NULL) {
+                g_async_queue_unref (self->priv->pending_operations);
+                self->priv->pending_operations = NULL;
+        }
+
+        G_OBJECT_CLASS (gsd_kerberos_identity_manager_parent_class)->dispose (object);
+}
+
+static void
+gsd_kerberos_identity_manager_finalize (GObject *object)
+{
+        GsdKerberosIdentityManager *self = GSD_KERBEROS_IDENTITY_MANAGER (object);
+
+        g_cond_clear (&self->priv->scheduler_job_unblocked);
+        krb5_free_context (self->priv->kerberos_context);
+
+        G_OBJECT_CLASS (gsd_kerberos_identity_manager_parent_class)->finalize (object);
+}
+
+static void
+gsd_kerberos_identity_manager_class_init (GsdKerberosIdentityManagerClass *klass)
+{
+        GObjectClass *object_class = G_OBJECT_CLASS (klass);
+
+        object_class->dispose = gsd_kerberos_identity_manager_dispose;
+        object_class->finalize = gsd_kerberos_identity_manager_finalize;
+
+        g_type_class_add_private (klass, sizeof (GsdKerberosIdentityManagerPrivate));
+}
+
+GsdIdentityManager *
+gsd_kerberos_identity_manager_new (void)
+{
+        GObject *object;
+        GError *error;
+        object = g_object_new (GSD_TYPE_KERBEROS_IDENTITY_MANAGER, NULL);
+
+        error = NULL;
+        if (!g_initable_init (G_INITABLE (object), NULL, &error)) {
+                g_warning ("Could not create kerberos identity manager: %s",
+                           error->message);
+                g_error_free (error);
+                g_object_unref (object);
+                return NULL;
+        }
+
+        return GSD_IDENTITY_MANAGER (object);
+}
+
+static void
+test_on_identity_renewed (GsdIdentityManager  *manager,
+                          GAsyncResult        *result)
+{
+        GError *error;
+
+        error = NULL;
+        gsd_identity_manager_renew_identity_finish (manager,
+                                                    result,
+                                                    &error);
+
+        if (error != NULL) {
+                g_warning ("Could not renew identity: %s",
+                         error->message);
+                g_error_free (error);
+                return;
+        }
+
+        g_message ("identity renewed");
+}
+
+static void
+test_on_identity_needs_renewal (GsdIdentityManager *identity_manager,
+                                GsdIdentity        *identity)
+{
+        g_message ("identity needs renewal");
+        gsd_identity_manager_renew_identity (identity_manager,
+                                             identity,
+                                             NULL,
+                                             (GAsyncReadyCallback)
+                                             test_on_identity_renewed,
+                                             NULL);
+}
+
+static void
+test_on_identity_expired (GsdIdentityManager *identity_manager,
+                          GsdIdentity        *identity)
+{
+        g_message ("identity expired");
+}
+
+void
+gsd_kerberos_identity_manager_start_test (GsdKerberosIdentityManager  *manager,
+                                          GError                     **error)
+{
+
+        g_signal_connect (G_OBJECT (manager),
+                          "identity-needs-renewal",
+                          G_CALLBACK (test_on_identity_needs_renewal),
+                          NULL);
+        g_signal_connect (G_OBJECT (manager),
+                          "identity-expired",
+                          G_CALLBACK (test_on_identity_expired),
+                          NULL);
+}
+
+void
+gsd_kerberos_identity_manager_stop_test (GsdKerberosIdentityManager  *manager,
+                                         GError                     **error)
+{
+        g_signal_handlers_disconnect_by_func (G_OBJECT (manager),
+                                              G_CALLBACK (test_on_identity_needs_renewal),
+                                              NULL);
+}
diff --git a/plugins/identity/gsd-kerberos-identity-manager.h b/plugins/identity/gsd-kerberos-identity-manager.h
new file mode 100644
index 0000000..67271ed
--- /dev/null
+++ b/plugins/identity/gsd-kerberos-identity-manager.h
@@ -0,0 +1,61 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GSD_KERBEROS_IDENTITY_MANAGER_H__
+#define __GSD_KERBEROS_IDENTITY_MANAGER_H__
+
+#include <glib.h>
+#include <glib-object.h>
+#include <gio/gio.h>
+
+#include "gsd-identity-manager.h"
+
+G_BEGIN_DECLS
+
+#define GSD_TYPE_KERBEROS_IDENTITY_MANAGER           (gsd_kerberos_identity_manager_get_type ())
+#define GSD_KERBEROS_IDENTITY_MANAGER(obj)           (G_TYPE_CHECK_INSTANCE_CAST (obj, GSD_TYPE_KERBEROS_IDENTITY_MANAGER, GsdKerberosIdentityManager))
+#define GSD_KERBEROS_IDENTITY_MANAGER_CLASS(cls)     (G_TYPE_CHECK_CLASS_CAST (cls, GSD_TYPE_KERBEROS_IDENTITY_MANAGER, GsdKerberosIdentityManagerClass))
+#define GSD_IS_KERBEROS_IDENTITY_MANAGER(obj)        (G_TYPE_CHECK_INSTANCE_TYPE (obj, GSD_TYPE_KERBEROS_IDENTITY_MANAGER))
+#define GSD_IS_KERBEROS_IDENTITY_MANAGER_CLASS(obj)  (G_TYPE_CHECK_CLASS_TYPE (obj, GSD_TYPE_KERBEROS_IDENTITY_MANAGER))
+#define GSD_KERBEROS_IDENTITY_MANAGER_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), GSD_TYPE_KERBEROS_IDENTITY_MANAGER, GsdKerberosIdentityManagerClass))
+
+typedef struct _GsdKerberosIdentityManager           GsdKerberosIdentityManager;
+typedef struct _GsdKerberosIdentityManagerClass      GsdKerberosIdentityManagerClass;
+typedef struct _GsdKerberosIdentityManagerPrivate    GsdKerberosIdentityManagerPrivate; struct _GsdKerberosIdentityManager
+{
+        GObject parent_instance;
+        GsdKerberosIdentityManagerPrivate *priv;
+};
+
+struct _GsdKerberosIdentityManagerClass
+{
+        GObjectClass parent_class;
+};
+
+GType                   gsd_kerberos_identity_manager_get_type  (void);
+GsdIdentityManager*     gsd_kerberos_identity_manager_new       (void);
+
+void                    gsd_kerberos_identity_manager_start_test (GsdKerberosIdentityManager  *manager,
+                                                                  GError                     **error);
+G_END_DECLS
+
+#endif /* __GSD_KERBEROS_IDENTITY_MANAGER_H__ */
diff --git a/plugins/identity/gsd-kerberos-identity.c b/plugins/identity/gsd-kerberos-identity.c
new file mode 100644
index 0000000..293a42e
--- /dev/null
+++ b/plugins/identity/gsd-kerberos-identity.c
@@ -0,0 +1,905 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Author: Ray Strode
+ */
+
+#include "config.h"
+
+#include "gsd-identity.h"
+#include "gsd-kerberos-identity.h"
+#include "gsd-alarm.h"
+
+#include <string.h>
+#include <glib/gi18n.h>
+#include <gio/gio.h>
+
+typedef enum
+{
+        VERIFICATION_LEVEL_UNVERIFIED,
+        VERIFICATION_LEVEL_ERROR,
+        VERIFICATION_LEVEL_EXISTS,
+        VERIFICATION_LEVEL_SIGNED_IN
+} VerificationLevel;
+
+struct _GsdKerberosIdentityPrivate
+{
+        krb5_context    kerberos_context;
+        krb5_ccache     credentials_cache;
+
+        char           *identifier;
+        char           *cached_principal_name;
+        char           *cached_realm_name;
+        GsdAlarm       *expiration_alarm;
+        GCancellable   *expiration_alarm_cancellable;
+        krb5_timestamp  expiration_time;
+
+        GsdAlarm       *renewal_alarm;
+        GCancellable   *renewal_alarm_cancellable;
+
+        GRecMutex       updates_lock;
+
+        VerificationLevel cached_verification_level;
+};
+
+enum {
+        EXPIRED,
+        UNEXPIRED,
+        NEEDS_RENEWAL,
+        NEEDS_REFRESH,
+        NUMBER_OF_SIGNALS,
+};
+
+static guint signals[NUMBER_OF_SIGNALS] = { 0 };
+
+static void identity_interface_init (GsdIdentityInterface *interface);
+static void initable_interface_init (GInitableIface *interface);
+static void set_expiration_and_renewal_alarms (GsdKerberosIdentity *self);
+
+G_DEFINE_TYPE_WITH_CODE (GsdKerberosIdentity,
+                         gsd_kerberos_identity,
+                         G_TYPE_OBJECT,
+                         G_IMPLEMENT_INTERFACE (GSD_TYPE_IDENTITY,
+                                                identity_interface_init)
+                         G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
+                                                initable_interface_init));
+
+static void
+gsd_kerberos_identity_dispose (GObject *object)
+{
+        GsdKerberosIdentity *self = GSD_KERBEROS_IDENTITY (object);
+
+        if (self->priv->renewal_alarm_cancellable != NULL) {
+                if (!g_cancellable_is_cancelled (self->priv->renewal_alarm_cancellable)) {
+                        g_cancellable_cancel (self->priv->renewal_alarm_cancellable);
+                }
+                g_object_unref (self->priv->renewal_alarm_cancellable);
+                self->priv->renewal_alarm_cancellable = NULL;
+        }
+
+        if (self->priv->renewal_alarm != NULL) {
+                g_object_unref (self->priv->renewal_alarm);
+                self->priv->renewal_alarm = NULL;
+        }
+
+        if (self->priv->expiration_alarm_cancellable != NULL) {
+                if (!g_cancellable_is_cancelled (self->priv->expiration_alarm_cancellable)) {
+                        g_cancellable_cancel (self->priv->expiration_alarm_cancellable);
+                }
+                g_object_unref (self->priv->expiration_alarm_cancellable);
+                self->priv->expiration_alarm_cancellable = NULL;
+        }
+
+        if (self->priv->expiration_alarm != NULL) {
+                g_object_unref (self->priv->expiration_alarm);
+                self->priv->expiration_alarm = NULL;
+        }
+}
+
+static void
+gsd_kerberos_identity_finalize (GObject *object)
+{
+        GsdKerberosIdentity *self = GSD_KERBEROS_IDENTITY (object);
+
+        g_free (self->priv->identifier);
+        self->priv->identifier = NULL;
+
+        if (self->priv->credentials_cache != NULL) {
+                krb5_cc_close (self->priv->kerberos_context, self->priv->credentials_cache);
+        }
+
+        G_OBJECT_CLASS (gsd_kerberos_identity_parent_class)->finalize (object);
+}
+
+static void
+gsd_kerberos_identity_class_init (GsdKerberosIdentityClass *klass)
+{
+        GObjectClass *object_class;
+
+        object_class = G_OBJECT_CLASS (klass);
+
+        object_class->dispose = gsd_kerberos_identity_dispose;
+        object_class->finalize = gsd_kerberos_identity_finalize;
+
+        g_type_class_add_private (klass, sizeof (GsdKerberosIdentityPrivate));
+
+        signals[EXPIRED] = g_signal_new ("expired",
+                                         G_TYPE_FROM_CLASS (klass),
+                                         G_SIGNAL_RUN_LAST,
+                                         0,
+                                         NULL, NULL, NULL,
+                                         G_TYPE_NONE, 0);
+        signals[UNEXPIRED] = g_signal_new ("unexpired",
+                                           G_TYPE_FROM_CLASS (klass),
+                                           G_SIGNAL_RUN_LAST,
+                                           0,
+                                           NULL, NULL, NULL,
+                                           G_TYPE_NONE, 0);
+        signals[NEEDS_RENEWAL] = g_signal_new ("needs-renewal",
+                                               G_TYPE_FROM_CLASS (klass),
+                                               G_SIGNAL_RUN_LAST,
+                                               0,
+                                               NULL, NULL, NULL,
+                                               G_TYPE_NONE, 0);
+        signals[NEEDS_REFRESH] = g_signal_new ("needs-refresh",
+                                               G_TYPE_FROM_CLASS (klass),
+                                               G_SIGNAL_RUN_LAST,
+                                               0,
+                                               NULL, NULL, NULL,
+                                               G_TYPE_NONE, 0);
+}
+
+static void
+gsd_kerberos_identity_init (GsdKerberosIdentity *self)
+{
+        self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+                                                  GSD_TYPE_KERBEROS_IDENTITY,
+                                                  GsdKerberosIdentityPrivate);
+        self->priv->expiration_alarm = gsd_alarm_new ();
+        self->priv->renewal_alarm = gsd_alarm_new ();
+
+        g_rec_mutex_init (&self->priv->updates_lock);
+}
+
+static char *
+get_principal_name (GsdKerberosIdentity *self,
+                    gboolean             for_display)
+{
+        krb5_principal principal;
+        krb5_error_code error_code;
+        char *unparsed_name;
+        char *principal_name;
+        int flags;
+
+        if (self->priv->credentials_cache == NULL) {
+                return NULL;
+        }
+
+        error_code = krb5_cc_get_principal (self->priv->kerberos_context,
+                                            self->priv->credentials_cache,
+                                            &principal);
+
+        if (error_code != 0) {
+                const char *error_message;
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+                g_debug ("GsdKerberosIdentity: Error looking up principal identity in credential cache: %s", error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                return NULL;
+        }
+
+        if (for_display) {
+                flags = KRB5_PRINCIPAL_UNPARSE_DISPLAY;
+        } else {
+                flags = 0;
+        }
+
+        error_code = krb5_unparse_name_flags (self->priv->kerberos_context,
+                                              principal,
+                                              flags,
+                                              &unparsed_name);
+
+        if (error_code != 0) {
+                const char *error_message;
+
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+                g_debug ("GsdKerberosIdentity: Error parsing principal identity name: %s", error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                return NULL;
+        }
+
+        principal_name = g_strdup (unparsed_name);
+        krb5_free_unparsed_name (self->priv->kerberos_context, unparsed_name);
+
+        return principal_name;
+}
+
+char *
+gsd_kerberos_identity_get_principal_name (GsdKerberosIdentity *self)
+{
+        char *principal_name;
+
+        if (self->priv->cached_principal_name == NULL) {
+                self->priv->cached_principal_name = get_principal_name (self, TRUE);
+        }
+        principal_name = g_strdup (self->priv->cached_principal_name);
+
+        return principal_name;
+}
+
+static char *
+get_realm_name (GsdKerberosIdentity *self)
+{
+        krb5_principal principal;
+        krb5_error_code error_code;
+        krb5_data *realm;
+        char *realm_name;
+
+        if (self->priv->credentials_cache == NULL) {
+                return NULL;
+        }
+
+        error_code = krb5_cc_get_principal (self->priv->kerberos_context,
+                                            self->priv->credentials_cache,
+                                            &principal);
+
+        if (error_code != 0) {
+                const char *error_message;
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+                g_debug ("GsdKerberosIdentity: Error looking up principal identity in credential cache: %s", error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                return NULL;
+        }
+
+        realm = krb5_princ_realm (self->priv->kerberos_context,
+                                  principal);
+        realm_name = g_strndup (realm->data, realm->length);
+        krb5_free_principal (self->priv->kerberos_context, principal);
+
+        return realm_name;
+}
+
+char *
+gsd_kerberos_identity_get_realm_name (GsdKerberosIdentity *self)
+{
+        char *realm_name;
+
+        if (self->priv->cached_realm_name == NULL) {
+                self->priv->cached_realm_name = get_realm_name (self);
+        }
+        realm_name = g_strdup (self->priv->cached_realm_name);
+
+        return realm_name;
+}
+
+static const char *
+gsd_kerberos_identity_get_identifier (GsdIdentity *identity)
+{
+        GsdKerberosIdentity *self = GSD_KERBEROS_IDENTITY (identity);
+
+        if (self->priv->identifier == NULL) {
+                self->priv->identifier = get_principal_name (self, FALSE);
+        }
+
+        return self->priv->identifier;
+}
+
+static gboolean
+credentials_validate_existence (GsdKerberosIdentity *self,
+                                krb5_principal      principal,
+                                krb5_creds         *credentials)
+{
+        /* Checks if default principal associated with the cache has a valid
+         * ticket granting ticket in the passed in credentials
+         */
+
+        if (krb5_is_config_principal (self->priv->kerberos_context,
+                                      credentials->server)) {
+                return FALSE;
+        }
+
+        /* looking for the krbtgt / REALM pair, so it should be exactly 2 items */
+        if (krb5_princ_size (self->priv->kerberos_context,
+                             credentials->server) != 2) {
+                return FALSE;
+        }
+
+        if (!krb5_realm_compare (self->priv->kerberos_context,
+                                 credentials->server,
+                                 principal)) {
+                /* credentials are from some other realm */
+                return FALSE;
+        }
+
+        if (strncmp (credentials->server->data[0].data,
+                     KRB5_TGS_NAME,
+                     credentials->server->data[0].length) != 0) {
+                /* credentials aren't for ticket granting */
+                return FALSE;
+        }
+
+        if (credentials->server->data[1].length != principal->realm.length ||
+            memcmp (credentials->server->data[1].data,
+                    principal->realm.data,
+                    principal->realm.length) != 0) {
+                /* credentials are for some other realm */
+                return FALSE;
+        }
+
+        return TRUE;
+}
+
+static krb5_timestamp
+get_current_time (GsdKerberosIdentity *self)
+{
+        krb5_timestamp  current_time;
+        krb5_error_code error_code;
+
+        error_code = krb5_timeofday (self->priv->kerberos_context,
+                                     &current_time);
+
+        if (error_code != 0) {
+                const char *error_message;
+
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+                g_debug ("GsdKerberosIdentity: Error getting current time: %s", error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                return 0;
+        }
+
+        return current_time;
+}
+
+static gboolean
+credentials_are_expired (GsdKerberosIdentity *self,
+                         krb5_creds          *credentials)
+{
+        krb5_timestamp  current_time;
+
+        current_time = get_current_time (self);
+
+        self->priv->expiration_time = MAX (credentials->times.endtime,
+                                           self->priv->expiration_time);
+
+        if (credentials->times.endtime <= current_time) {
+                return TRUE;
+        }
+
+        return FALSE;
+}
+
+static VerificationLevel
+verify_identity (GsdKerberosIdentity  *self,
+                 GError              **error)
+{
+        krb5_principal principal;
+        const char *error_message;
+        krb5_cc_cursor cursor;
+        krb5_creds credentials;
+        krb5_error_code error_code;
+        VerificationLevel verification_level;
+
+        if (self->priv->credentials_cache == NULL) {
+                return VERIFICATION_LEVEL_UNVERIFIED;
+        }
+
+        error_code = krb5_cc_get_principal (self->priv->kerberos_context,
+                                            self->priv->credentials_cache,
+                                            &principal);
+
+        if (error_code != 0) {
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+
+                if (error_code == KRB5_CC_END) {
+                        return VERIFICATION_LEVEL_UNVERIFIED;
+                }
+
+                g_set_error (error,
+                             GSD_IDENTITY_ERROR,
+                             GSD_IDENTITY_ERROR_VERIFYING,
+                             _("Could not find identity in credential cache: %s"),
+                             error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+
+                return VERIFICATION_LEVEL_ERROR;
+        }
+
+        error_code = krb5_cc_start_seq_get (self->priv->kerberos_context,
+                                            self->priv->credentials_cache,
+                                            &cursor);
+        if (error_code != 0) {
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+                g_set_error (error,
+                             GSD_IDENTITY_ERROR,
+                             GSD_IDENTITY_ERROR_VERIFYING,
+                             _("Could not find identity credentials in cache: %s"),
+                             error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+
+                verification_level = VERIFICATION_LEVEL_ERROR;
+                goto out;
+        }
+
+        verification_level = VERIFICATION_LEVEL_UNVERIFIED;
+
+        error_code = krb5_cc_next_cred (self->priv->kerberos_context,
+                                        self->priv->credentials_cache,
+                                        &cursor,
+                                        &credentials);
+
+        while (error_code == 0) {
+                if (credentials_validate_existence (self, principal, &credentials)) {
+                        if (!credentials_are_expired (self, &credentials)) {
+                                verification_level = VERIFICATION_LEVEL_SIGNED_IN;
+                        } else {
+                                verification_level = VERIFICATION_LEVEL_EXISTS;
+                        }
+                }
+
+                error_code = krb5_cc_next_cred (self->priv->kerberos_context,
+                                                self->priv->credentials_cache,
+                                                &cursor,
+                                                &credentials);
+        }
+
+        if (error_code != KRB5_CC_END) {
+                verification_level = VERIFICATION_LEVEL_ERROR;
+
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+                g_set_error (error,
+                             GSD_IDENTITY_ERROR,
+                             GSD_IDENTITY_ERROR_VERIFYING,
+                             _("Could not sift through identity credentials in cache: %s"),
+                             error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                goto out;
+        }
+
+        error_code = krb5_cc_end_seq_get (self->priv->kerberos_context,
+                                          self->priv->credentials_cache,
+                                          &cursor);
+
+        if (error_code != 0) {
+                verification_level = VERIFICATION_LEVEL_ERROR;
+
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+                g_set_error (error,
+                             GSD_IDENTITY_ERROR,
+                             GSD_IDENTITY_ERROR_VERIFYING,
+                             _("Could not finish up sifting through identity credentials in cache: %s"),
+                             error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                goto out;
+        }
+out:
+        krb5_free_principal (self->priv->kerberos_context, principal);
+        return verification_level;
+}
+
+static gboolean
+gsd_kerberos_identity_is_signed_in (GsdIdentity *identity)
+{
+        GsdKerberosIdentity *self = GSD_KERBEROS_IDENTITY (identity);
+        VerificationLevel verification_level;
+
+        verification_level = verify_identity (self, NULL);
+
+        return verification_level == VERIFICATION_LEVEL_SIGNED_IN;
+}
+
+static void
+identity_interface_init (GsdIdentityInterface *interface)
+{
+        interface->get_identifier = gsd_kerberos_identity_get_identifier;
+        interface->is_signed_in = gsd_kerberos_identity_is_signed_in;
+}
+
+static void
+on_expiration_alarm_fired (GsdAlarm            *alarm,
+                           GsdKerberosIdentity *self)
+{
+        g_return_if_fail (GSD_IS_ALARM (alarm));
+        g_return_if_fail (GSD_IS_KERBEROS_IDENTITY (self));
+
+        g_debug ("GsdKerberosIdentity: expiration alarm fired");
+        g_signal_emit (G_OBJECT (self), signals[NEEDS_REFRESH], 0);
+}
+
+static void
+on_expiration_alarm_rearmed (GsdAlarm            *alarm,
+                             GsdKerberosIdentity *self)
+{
+        g_return_if_fail (GSD_IS_ALARM (alarm));
+        g_return_if_fail (GSD_IS_KERBEROS_IDENTITY (self));
+
+        g_debug ("GsdKerberosIdentity: expiration alarm rearmed");
+        g_signal_emit (G_OBJECT (self), signals[NEEDS_REFRESH], 0);
+}
+
+static void
+on_renewal_alarm_rearmed (GsdAlarm            *alarm,
+                          GsdKerberosIdentity *self)
+{
+        g_return_if_fail (GSD_IS_ALARM (alarm));
+        g_return_if_fail (GSD_IS_KERBEROS_IDENTITY (self));
+
+        g_debug ("GsdKerberosIdentity: renewal alarm rearmed");
+        g_signal_emit (G_OBJECT (self), signals[NEEDS_REFRESH], 0);
+}
+
+static void
+on_renewal_alarm_fired (GsdAlarm            *alarm,
+                        GsdKerberosIdentity *self)
+{
+        g_return_if_fail (GSD_IS_ALARM (alarm));
+        g_return_if_fail (GSD_IS_KERBEROS_IDENTITY (self));
+
+        if (self->priv->renewal_alarm_cancellable != NULL) {
+                g_object_unref (self->priv->renewal_alarm_cancellable);
+                self->priv->renewal_alarm_cancellable = NULL;
+        }
+
+        if (self->priv->cached_verification_level == VERIFICATION_LEVEL_SIGNED_IN) {
+                g_debug ("GsdKerberosIdentity: renewal alarm fired for signed-in identity");
+                g_signal_emit (G_OBJECT (self), signals[NEEDS_RENEWAL], 0);
+        }
+}
+
+static void
+set_expiration_and_renewal_alarms (GsdKerberosIdentity *self)
+{
+        GDateTime    *now;
+        GDateTime    *expiration_time, *old_expiration_time;
+        GDateTime    *renewal_time, *old_renewal_time;
+        GTimeSpan     time_span_until_expiration;
+
+        now = g_date_time_new_now_local ();
+        expiration_time = g_date_time_new_from_unix_local (self->priv->expiration_time);
+        time_span_until_expiration = g_date_time_difference (expiration_time, now);
+        renewal_time = g_date_time_add (expiration_time,
+                                        - (time_span_until_expiration / 2));
+
+        g_signal_handlers_disconnect_by_func (G_OBJECT (self->priv->renewal_alarm),
+                                              G_CALLBACK (on_renewal_alarm_fired),
+                                              self);
+        g_signal_handlers_disconnect_by_func (G_OBJECT (self->priv->expiration_alarm),
+                                              G_CALLBACK (on_expiration_alarm_fired),
+                                              self);
+        g_signal_connect (G_OBJECT (self->priv->renewal_alarm),
+                          "fired",
+                          G_CALLBACK (on_renewal_alarm_fired),
+                          self);
+        g_signal_connect (G_OBJECT (self->priv->expiration_alarm),
+                          "fired",
+                          G_CALLBACK (on_expiration_alarm_fired),
+                          self);
+        g_signal_handlers_disconnect_by_func (G_OBJECT (self->priv->renewal_alarm),
+                                              G_CALLBACK (on_renewal_alarm_rearmed),
+                                              self);
+        g_signal_handlers_disconnect_by_func (G_OBJECT (self->priv->expiration_alarm),
+                                              G_CALLBACK (on_expiration_alarm_rearmed),
+                                              self);
+        g_signal_connect (G_OBJECT (self->priv->renewal_alarm),
+                          "rearmed",
+                          G_CALLBACK (on_renewal_alarm_rearmed),
+                          self);
+        g_signal_connect (G_OBJECT (self->priv->expiration_alarm),
+                          "rearmed",
+                          G_CALLBACK (on_expiration_alarm_rearmed),
+                          self);
+
+        old_renewal_time = gsd_alarm_get_time (self->priv->renewal_alarm);
+        if (old_renewal_time == NULL ||
+            !g_date_time_equal (renewal_time, old_renewal_time)) {
+                GCancellable *cancellable;
+
+                cancellable = g_cancellable_new ();
+                gsd_alarm_set_time (self->priv->renewal_alarm,
+                                    renewal_time,
+                                    cancellable);
+                g_date_time_unref (renewal_time);
+
+                if (self->priv->renewal_alarm_cancellable != NULL) {
+                        g_object_unref (self->priv->renewal_alarm_cancellable);
+                        self->priv->renewal_alarm_cancellable = cancellable;
+                }
+        }
+
+        old_expiration_time = gsd_alarm_get_time (self->priv->expiration_alarm);
+        if (old_expiration_time == NULL ||
+            !g_date_time_equal (expiration_time, old_expiration_time)) {
+                GCancellable *cancellable;
+
+                cancellable = g_cancellable_new ();
+                gsd_alarm_set_time (self->priv->expiration_alarm,
+                                    expiration_time,
+                                    cancellable);
+                g_date_time_unref (expiration_time);
+
+                if (self->priv->expiration_alarm_cancellable != NULL) {
+                        g_object_unref (self->priv->expiration_alarm_cancellable);
+                        self->priv->expiration_alarm_cancellable = cancellable;
+                }
+        }
+
+}
+
+static gboolean
+gsd_kerberos_identity_initable_init (GInitable      *initable,
+                                     GCancellable   *cancellable,
+                                     GError        **error)
+{
+        GsdKerberosIdentity *self = GSD_KERBEROS_IDENTITY (initable);
+        GError *verification_error;
+
+        if (g_cancellable_set_error_if_cancelled (cancellable, error)) {
+                return FALSE;
+        }
+
+        verification_error = NULL;
+        self->priv->cached_verification_level = verify_identity (self, &verification_error);
+
+        switch (self->priv->cached_verification_level) {
+                case VERIFICATION_LEVEL_EXISTS:
+                        set_expiration_and_renewal_alarms (self);
+                        return TRUE;
+
+                case VERIFICATION_LEVEL_SIGNED_IN:
+                        set_expiration_and_renewal_alarms (self);
+                        return TRUE;
+
+                case VERIFICATION_LEVEL_ERROR:
+                        g_propagate_error (error, verification_error);
+                        return FALSE;
+
+                case VERIFICATION_LEVEL_UNVERIFIED:
+                default:
+                        g_set_error (error,
+                                     GSD_IDENTITY_ERROR,
+                                     GSD_IDENTITY_ERROR_VERIFYING,
+                                     _("No associated identification found"));
+                    return FALSE;
+        }
+}
+
+static void
+initable_interface_init (GInitableIface *interface)
+{
+        interface->init = gsd_kerberos_identity_initable_init;
+}
+
+void
+gsd_kerberos_identity_update (GsdKerberosIdentity *self,
+                              GsdKerberosIdentity *new_identity)
+{
+        char *new_principal_name;
+        VerificationLevel verification_level;
+
+        if (self->priv->credentials_cache != NULL) {
+                krb5_cc_close (self->priv->kerberos_context, self->priv->credentials_cache);
+        }
+        krb5_cc_dup (new_identity->priv->kerberos_context,
+                     new_identity->priv->credentials_cache,
+                     &self->priv->credentials_cache);
+
+        new_principal_name = get_principal_name (self, FALSE);
+        if (g_strcmp0 (self->priv->identifier, new_principal_name) != 0) {
+                g_free (self->priv->identifier);
+                self->priv->identifier = new_principal_name;
+        } else {
+                g_free (new_principal_name);
+        }
+
+        g_free (self->priv->cached_realm_name);
+        self->priv->cached_realm_name = get_realm_name (self);
+
+        g_free (self->priv->cached_principal_name);
+        self->priv->cached_principal_name = get_principal_name (self, TRUE);
+
+        verification_level = verify_identity (self, NULL);
+
+        if (verification_level == VERIFICATION_LEVEL_SIGNED_IN) {
+                set_expiration_and_renewal_alarms (self);
+        } else {
+                if (!g_cancellable_is_cancelled (self->priv->renewal_alarm_cancellable)) {
+                        g_cancellable_cancel (self->priv->renewal_alarm_cancellable);
+                }
+
+                if (!g_cancellable_is_cancelled (self->priv->expiration_alarm_cancellable)) {
+                        g_cancellable_cancel (self->priv->expiration_alarm_cancellable);
+                }
+        }
+
+        if (verification_level != self->priv->cached_verification_level) {
+                if (self->priv->cached_verification_level == VERIFICATION_LEVEL_SIGNED_IN &&
+                    verification_level == VERIFICATION_LEVEL_EXISTS) {
+                        g_signal_emit (G_OBJECT (self), signals[EXPIRED], 0);
+                } if (self->priv->cached_verification_level == VERIFICATION_LEVEL_EXISTS &&
+                      verification_level == VERIFICATION_LEVEL_SIGNED_IN) {
+                        g_signal_emit (G_OBJECT (self), signals[UNEXPIRED], 0);
+                }
+
+                self->priv->cached_verification_level = verification_level;
+        }
+}
+
+gboolean
+gsd_kerberos_identity_renew (GsdKerberosIdentity  *self,
+                             GError              **error)
+{
+        krb5_error_code error_code = 0;
+        krb5_principal principal;
+        krb5_creds new_credentials;
+        gboolean renewed = FALSE;
+        char *name = NULL;
+
+        if (self->priv->credentials_cache == NULL) {
+                g_set_error (error,
+                             GSD_IDENTITY_ERROR,
+                             GSD_IDENTITY_ERROR_RENEWING,
+                             _("Could not renew identitys: Not signed in"));
+                goto out;
+        }
+
+
+        error_code = krb5_cc_get_principal (self->priv->kerberos_context,
+                                            self->priv->credentials_cache,
+                                            &principal);
+
+        if (error_code != 0) {
+                const char *error_message;
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+                g_set_error (error,
+                             GSD_IDENTITY_ERROR,
+                             GSD_IDENTITY_ERROR_RENEWING,
+                             _("Could not renew identity: %s"), error_message);
+
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                goto out;
+        }
+
+        name = gsd_kerberos_identity_get_principal_name (self);
+
+        error_code = krb5_get_renewed_creds (self->priv->kerberos_context,
+                                             &new_credentials,
+                                             principal,
+                                             self->priv->credentials_cache,
+                                             NULL);
+        if (error_code != 0) {
+                const char *error_message;
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+
+                g_set_error (error,
+                             GSD_IDENTITY_ERROR,
+                             GSD_IDENTITY_ERROR_RENEWING,
+                             _("Could not get new credentials to renew identity %s: %s"),
+                             name,
+                             error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                krb5_free_principal (self->priv->kerberos_context, principal);
+                goto out;
+        }
+
+        error_code = krb5_cc_initialize (self->priv->kerberos_context,
+                                         self->priv->credentials_cache,
+                                         principal);
+        if (error_code != 0) {
+                const char *error_message;
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+
+                g_set_error (error,
+                             GSD_IDENTITY_ERROR,
+                             GSD_IDENTITY_ERROR_RENEWING,
+                             _("Could not reinitialize credentials cache to renew identity %s: %s"),
+                             name,
+                             error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                krb5_free_principal (self->priv->kerberos_context, principal);
+                krb5_free_cred_contents (self->priv->kerberos_context, &new_credentials);
+                goto out;
+        }
+
+        krb5_free_principal (self->priv->kerberos_context, principal);
+
+        error_code = krb5_cc_store_cred (self->priv->kerberos_context,
+                                         self->priv->credentials_cache,
+                                         &new_credentials);
+
+        if (error_code != 0) {
+                const char *error_message;
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+
+                g_set_error (error,
+                             GSD_IDENTITY_ERROR,
+                             GSD_IDENTITY_ERROR_RENEWING,
+                             _("Could not store new credentials in credentials cache to renew identity %s: %s"),
+                             name,
+                             error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                krb5_free_cred_contents (self->priv->kerberos_context, &new_credentials);
+                goto out;
+        }
+        krb5_free_cred_contents (self->priv->kerberos_context, &new_credentials);
+
+        g_debug ("GsdKerberosIdentity: identity %s renewed\n", name);
+        renewed = TRUE;
+out:
+        g_free (name);
+
+        return renewed;
+}
+
+gboolean
+gsd_kerberos_identity_erase  (GsdKerberosIdentity  *self,
+                              GError              **error)
+{
+        krb5_error_code error_code = 0;
+
+        if (self->priv->credentials_cache != NULL) {
+                error_code = krb5_cc_destroy (self->priv->kerberos_context,
+                                              self->priv->credentials_cache);
+                self->priv->credentials_cache = NULL;
+        }
+
+        if (error_code != 0) {
+                const char *error_message;
+                error_message = krb5_get_error_message (self->priv->kerberos_context, error_code);
+
+                g_set_error (error,
+                             GSD_IDENTITY_ERROR,
+                             GSD_IDENTITY_ERROR_ERASING,
+                             _("Could not erase identity: %s"),
+                             error_message);
+                krb5_free_error_message (self->priv->kerberos_context, error_message);
+                return FALSE;
+        }
+
+        return TRUE;
+}
+
+GsdIdentity *
+gsd_kerberos_identity_new (krb5_context context,
+                           krb5_ccache  cache)
+{
+        GsdKerberosIdentity *self;
+        GError *error;
+
+        self = GSD_KERBEROS_IDENTITY (g_object_new (GSD_TYPE_KERBEROS_IDENTITY, NULL));
+
+        krb5_cc_dup (context,
+                     cache,
+                     &self->priv->credentials_cache);
+        self->priv->kerberos_context = context;
+
+        error = NULL;
+        if (!g_initable_init (G_INITABLE (self), NULL, &error)) {
+                const char *name;
+
+                name = krb5_cc_get_name (context,
+                                         cache);
+                g_debug ("Could not build identity%s%s: %s",
+                         name != NULL? " from credentials cache " : "",
+                         name != NULL? name : "",
+                         error->message);
+                g_error_free (error);
+                g_object_unref (self);
+                return NULL;
+        }
+
+        return GSD_IDENTITY (self);
+}
diff --git a/plugins/identity/gsd-kerberos-identity.h b/plugins/identity/gsd-kerberos-identity.h
new file mode 100644
index 0000000..32d77fd
--- /dev/null
+++ b/plugins/identity/gsd-kerberos-identity.h
@@ -0,0 +1,85 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*-
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Authors: Ray Strode
+ */
+
+#ifndef __GSD_KERBEROS_IDENTITY_H__
+#define __GSD_KERBEROS_IDENTITY_H__
+
+#include <glib.h>
+#include <glib-object.h>
+
+#include <krb5.h>
+
+G_BEGIN_DECLS
+
+#define GSD_TYPE_KERBEROS_IDENTITY             (gsd_kerberos_identity_get_type ())
+#define GSD_KERBEROS_IDENTITY(obj)             (G_TYPE_CHECK_INSTANCE_CAST ((obj), GSD_TYPE_KERBEROS_IDENTITY, GsdKerberosIdentity))
+#define GSD_KERBEROS_IDENTITY_CLASS(klass)     (G_TYPE_CHECK_CLASS_CAST ((klass), GSD_TYPE_KERBEROS_IDENTITY, GsdKerberosIdentityClass))
+#define GSD_IS_KERBEROS_IDENTITY(obj)          (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GSD_TYPE_KERBEROS_IDENTITY))
+#define GSD_IS_KERBEROS_IDENTITY_CLASS(klass)  (G_TYPE_CHECK_CLASS_TYPE ((klass), GSD_TYPE_KERBEROS_IDENTITY))
+#define GSD_KERBEROS_IDENTITY_GET_CLASS(obj)   (G_TYPE_INSTANCE_GET_CLASS((obj), GSD_TYPE_KERBEROS_IDENTITY, GsdKerberosIdentityClass))
+
+typedef struct _GsdKerberosIdentity        GsdKerberosIdentity;
+typedef struct _GsdKerberosIdentityClass   GsdKerberosIdentityClass;
+typedef struct _GsdKerberosIdentityPrivate GsdKerberosIdentityPrivate;
+typedef enum _GsdKerberosIdentityDescriptionLevel GsdKerberosIdentityDescriptionLevel;
+
+enum _GsdKerberosIdentityDescriptionLevel
+{
+        GSD_KERBEROS_IDENTITY_DESCRIPTION_REALM,
+        GSD_KERBEROS_IDENTITY_DESCRIPTION_USERNAME_AND_REALM,
+        GSD_KERBEROS_IDENTITY_DESCRIPTION_USERNAME_ROLE_AND_REALM
+};
+
+struct _GsdKerberosIdentity
+{
+        GObject            parent;
+
+        GsdKerberosIdentityPrivate *priv;
+};
+
+struct _GsdKerberosIdentityClass
+{
+        GObjectClass parent_class;
+};
+
+GType         gsd_kerberos_identity_get_type (void);
+
+void          gsd_kerberos_identity_lock     (void);
+void          gsd_kerberos_identity_unlock   (void);
+GsdIdentity  *gsd_kerberos_identity_new      (krb5_context  kerberos_context,
+                                              krb5_ccache   cache);
+
+void          gsd_kerberos_identity_update (GsdKerberosIdentity *identity,
+                                            GsdKerberosIdentity *new_identity);
+gboolean      gsd_kerberos_identity_renew  (GsdKerberosIdentity *self,
+                                            GError             **error);
+gboolean      gsd_kerberos_identity_erase  (GsdKerberosIdentity *self,
+                                            GError             **error);
+
+char         *gsd_kerberos_identity_get_principal_name (GsdKerberosIdentity *self);
+char         *gsd_kerberos_identity_get_realm_name     (GsdKerberosIdentity *self);
+
+void          gsd_kerberos_identity_block_updates (GsdKerberosIdentity *identity);
+void          gsd_kerberos_identity_stop_blocking_updates (GsdKerberosIdentity *identity);
+G_END_DECLS
+
+#endif /* __GSD_KERBEROS_IDENTITY_H__ */
diff --git a/plugins/identity/identity.gnome-settings-plugin.in b/plugins/identity/identity.gnome-settings-plugin.in
new file mode 100644
index 0000000..1511abd
--- /dev/null
+++ b/plugins/identity/identity.gnome-settings-plugin.in
@@ -0,0 +1,8 @@
+[GNOME Settings Plugin]
+Module=identity
+IAge=0
+_Name=Identity
+_Description=Identity plugin
+Authors=Ray Strode
+Copyright=Copyright  2012 Red Hat, Inc.
+Website=
diff --git a/plugins/identity/test-identity.c b/plugins/identity/test-identity.c
new file mode 100644
index 0000000..b8135e0
--- /dev/null
+++ b/plugins/identity/test-identity.c
@@ -0,0 +1,7 @@
+#define NEW gsd_kerberos_identity_manager_new
+#define START gsd_kerberos_identity_manager_start_test
+#define STOP  gsd_kerberos_identity_manager_stop_test
+#define MANAGER GsdKerberosIdentityManager
+#include "gsd-kerberos-identity-manager.h"
+
+#include "test-plugin.h"



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]