From: | Daniel <dah00002000(at)yahoo(dot)co(dot)uk> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Kerberos principal to dbuser mapping |
Date: | 2002-05-15 12:43:32 |
Message-ID: | 20020515124332.53313.qmail@web21504.mail.yahoo.com |
Lists: | pgsql-hackers |
The current implementation of the Kerberos 5
authentication in backend/libpq/auth.c truncates the
principal after the first '/' or, failing that, after
the first '@', assuming the result to be the database
username. This implicitly allows cross-realm
authentication, which is not good in many instances.
Even more seriously, it discards parts following any
'/', which is definitely very bad in many instances.
This is not satisfactory for some (I would think most)
applications. A solution to this would be mapping
Kerberos principals to usernames in the database. (As
e.g. ~username/.k5login determines which principals are
authorized to log in as username.) Ideally this mapping
table should be a system table in the database (and
not a specialized file like the current implementation
of pg_ident.conf). Is this a stupid idea? Any
comments?
I do have a few questions regarding an
implementation of this.
Is there any existing way of making queries from
postmaster (other than setting up a client connection
from it)?
Is there a reason pg_ident.conf and pg_hba.conf are
files rather than tables?
Is there any reason for not doing authentication of both
the client and the server?
Grateful for answers and comments
Daniel
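Added illustration, not code from the message or from PostgreSQL's auth.c: the truncation rule the message describes, placed next to a full-principal map of the kind it proposes. The realm, principal names and map entries are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAMELEN 64
/* The behaviour the message describes: cut the principal at the first
 * '/' or, failing that, at the first '@'. Instance and realm are lost,
 * so "daniel@OTHER.REALM" and "daniel/admin@EXAMPLE.ORG" both map to "daniel". */
const char *truncated_user(const char *princ)
{
    static char out[NAMELEN];
    size_t n = strcspn(princ, "/");
    if (princ[n] == '\0')              /* no '/', fall back to '@' */
        n = strcspn(princ, "@");
    if (n >= NAMELEN)
        n = NAMELEN - 1;
    memcpy(out, princ, n);
    out[n] = '\0';
    return out;
}

/* The proposed alternative: an explicit principal-to-user map, matched
 * on the full principal including instance and realm. Entries are
 * constructed for illustration. */
struct map_entry { const char *principal; const char *dbuser; };

static const struct map_entry map[] = {
    { "daniel@EXAMPLE.ORG",       "daniel"   },
    { "daniel/admin@EXAMPLE.ORG", "postgres" },
};

/* Returns the mapped database user, or NULL when the principal is not
 * listed (foreign realm, unlisted instance, unknown user). */
const char *mapped_user(const char *princ)
{
    for (size_t i = 0; i < sizeof map / sizeof map[0]; i++)
        if (strcmp(map[i].principal, princ) == 0)
            return map[i].dbuser;
    return NULL;
}

int main(void)
{
    const char *p[] = { "daniel@OTHER.REALM", "daniel/admin@EXAMPLE.ORG" };
    for (size_t i = 0; i < 2; i++)
        printf("%s -> truncated=%s mapped=%s\n", p[i], truncated_user(p[i]),
               mapped_user(p[i]) ? mapped_user(p[i]) : "(rejected)");
    return 0;
}
```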