Re: JDBC and GSSAPI/Krb5

From: Kris Jurka <books(at)ejurka(dot)com>
To: Peter Koczan <pjkoczan(at)gmail(dot)com>
Cc: "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: JDBC and GSSAPI/Krb5
Date: 2008-01-28 10:32:55
Message-ID: Pine.BSO.4.64.0801280511040.30398@leary.csoft.net
Lists: pgsql-jdbc

On Thu, 24 Jan 2008, Peter Koczan wrote:

> Hello again, has there been progress on this? As I said before I'm
> willing to be a beta tester for this.
>

I've hacked together a prototype and can successfully authenticate against
a gssapi configured server. It needs a fair amount of cleanup, but there
are some more fundamental questions about what configuration options we
need:

1) Do we need a way for the user to uniquely name the application for the
JAAS LoginContext or can we get away with something generic like pgjdbc?
The application name is needed for the JAAS login configuration file which
is needed to enable the krb5 ticket cache. I'm not sure what else would
need to be configured or why you might want to do it differently for
different applications.

2) Do we need to allow the user to configure their own LoginContext
CallbackHandler to enter a username/password if they don't have an
existing entry in their ticket cache? Should we by default just try to
use the username and password provided in the connection parameters?

3) Do we need a way for the user to specify the server's service name
(what libpq calls PGKRBSRVNAME)? I think this is useful if you're running
two pg servers on the same machine and want to have different rules for
each one, but I'm not entirely sure about that.

Kris Jurka
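
The JAAS pieces raised in questions 1 and 2, as an added example that is not part of the original message and is not the prototype's code. It uses only JDK classes; the class name is hypothetical, the entry name "pgjdbc" is the generic name floated in the message, and the credentials are constructed placeholders.

```java
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

// Added illustration using only JDK JAAS classes; not pgjdbc code.
public class JaasTicketCacheSketch {
    // Hypothetical entry name; the message floats a generic "pgjdbc".
    static final String APP_NAME = "pgjdbc";

    // In-memory equivalent of a JAAS login configuration file entry:
    //   pgjdbc { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };
    static Configuration ticketCacheConfig() {
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            Map.of("useTicketCache", "true"));
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return APP_NAME.equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    // Fallback for question 2: consulted only when the ticket cache has no usable ticket.
    static CallbackHandler fallback(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) {
        // Constructed placeholder credentials, standing in for connection parameters.
        CallbackHandler handler = fallback("exampleuser", "example-password".toCharArray());
        try {
            LoginContext lc = new LoginContext(APP_NAME, null, handler, ticketCacheConfig());
            lc.login();
            System.out.println("Authenticated as " + lc.getSubject().getPrincipals());
            lc.logout();
        } catch (LoginException e) {
            // Expected without a reachable KDC or a valid ticket cache.
            System.out.println("Kerberos login failed: " + e.getMessage());
        }
    }
}
```

Adding doNotPrompt=true to the module options disables the username/password fallback, so login succeeds only from an existing ticket cache entry.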
