Re: [HACKERS] Postgres 8.1.x and MIT Kerberos 5

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Stephen Frost" <sfrost(at)snowman(dot)net>
Cc: "Mohan Anon" <mohan(dot)anon(at)gmail(dot)com>, <pgsql-hackers(at)postgresql(dot)org>, <pgsql-admin(at)postgresql(dot)org>
Subject: Re: [HACKERS] Postgres 8.1.x and MIT Kerberos 5
Date: 2006-02-05 15:57:08
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCE92EA40@algol.sollentuna.se
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-admin pgsql-hackers

> > The *REALM* is not checked, however. This can cause problems if you
> > have a multi-realm system (where the realms already trust
> each other,
> > because the KDC has to give out the service ticket) where
> you have the
> > same username existing in multiple realms representing
> different users.
>
> This brings up the issue again that it'd be nice to be able
> to have what amounts to a '.k5login' in PostgreSQL somehow.
> Ideally, this would be something an idividual user could set
> up but at good first step would be to have something along
> the lines of pg_ident.conf for Kerberos connections where the
> admin could implement a mapping.
>
> We should probably also have a configurable option to check
> the realm or to not check the realm. I'd like to look into
> doing this for 8.2 but, as usual, I'm not sure I'll have
> time. Anyone else looking into this?

They're both on my personal TODO (not .k5login, but a
pg_ident-kind-of-mapping), but with the same disclaimer as you - I don't
know if I'll have enough time.

//Magnus

Browse pgsql-admin by date

  From Date Subject
Next Message lrotger 2006-02-06 10:05:05 Actual expression of a constraint
Previous Message Stephen Frost 2006-02-05 15:51:56 Re: [HACKERS] Postgres 8.1.x and MIT Kerberos 5

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2006-02-05 16:02:47 Re: drop if exists remainder
Previous Message Stephen Frost 2006-02-05 15:51:56 Re: [HACKERS] Postgres 8.1.x and MIT Kerberos 5