From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Bill Studenmund <wrstuden(at)netbsd(dot)org> |
Cc: | pgsql-patches(at)postgresql(dot)org |
Subject: | Re: Patch to add Heimdal kerberos support |
Date: | 2001-11-12 23:52:42 |
Message-ID: | 29283.1005609162@sss.pgh.pa.us |
Lists: | pgsql-patches |
Bill Studenmund <wrstuden(at)netbsd(dot)org> writes:
> Attached please find a patch to make Postgres compile with Heimdal krb5
> support. This patch adds a new option, --with-heimdal. "--with-krb5" now
> implies MIT krb5 support.

Couldn't we do this in a way that doesn't require a user configure switch?

--- src/backend/libpq/auth.c 2001/10/28 06:25:44 1.71
+++ src/backend/libpq/auth.c 2001/11/12 22:32:00
@@ -229,7 +229,7 @@
" Kerberos error %d\n", retval);
com_err("postgres", retval,
"while getting server principal for service %s",
- pg_krb_server_keyfile);
+ PG_KRB_SRVNAM);
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);

This change seems like a step backwards.

krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
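
Review bot: the `-`/`+` pair in the com_err() call is not conditional on the Kerberos implementation, so it changes the diagnostic for every build, not only Heimdal ones, and drops pg_krb_server_keyfile from the message. PG_KRB_SRVNAM does match the format string's "for service %s", but that makes this an independent message fix: split it into its own patch, or report both values (service name and keyfile) so an administrator still sees which keyfile was consulted when the lookup fails.
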
@@ -283,8 +283,13 @@
*
* I have no idea why this is considered necessary.
*/
+#ifdef KRB5_MIT
retval = krb5_unparse_name(pg_krb5_context,
ticket->enc_part2->client, &kusername);
+#else
+ retval = krb5_unparse_name(pg_krb5_context,
+ ticket->client, &kusername);
+#endif
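
Review bot: the `#else` branch makes the Heimdal layout (ticket->client) the default whenever KRB5_MIT is undefined, so a build with a missing define takes the Heimdal path without anything saying so. Test an explicit Heimdal symbol and `#error` when neither is set, or have configure probe which member the ticket structure provides; if this is the only code difference, that probe could replace the separate --with-heimdal switch. A single accessor macro for the client principal would also keep one krb5_unparse_name() call instead of duplicating it in both branches.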

If this is the only code change needed, couldn't we dispense with it
somehow? I notice that the previous authors of this code had grave
doubts about comparing the username at all. I don't know much about
Kerberos' security model --- is the fact that we got a ticket sufficient
authentication, and if not why not?

regards, tom lane