Re: Patch to add Heimdal kerberos support

From: Bill Studenmund <wrstuden(at)netbsd(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: <pgsql-patches(at)postgresql(dot)org>
Subject: Re: Patch to add Heimdal kerberos support
Date: 2001-11-14 07:19:56
Message-ID: Pine.NEB.4.33.0111132237520.28216-100000@vespasia.home-net.internetconnect.net
Lists: pgsql-patches

On Tue, 13 Nov 2001, Tom Lane wrote:

> I still wonder whether there isn't some documented API (common to both
> MIT and Heimdal) for extracting the client principal from a ticket.
> I mean, that's almost the entire reason for getting the ticket in the
> first place; you can hardly argue that this is not core functionality.
> I find it hard to believe that Heimdal hasn't duplicated the standard
> way of getting the principal from a ticket. I can believe that we
> weren't *using* the standard way, however...

I've been digging into this, and I think the problem is there is no
standard way to do what we're doing. It is a flaw in the design of the
specs and the krb5_unparse_name() routine.

There are however other ways to do what we want.

First off, I think the comment about pg_an_to_ln is wrong; if you have
some sort of goofy multi-part name (like the example out of X.400 hell,
"ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki(at)CS(dot)BERKELEY(dot)EDU" *AND* your
kerberos lib isn't set up to deal with it (krb5_aname_to_localname()
punts), why should PostgreSQL let you in?

Oh, the comment is also very old. It's from version 1.1 of the file,
checked in in 1996. Everything else changed, so I'd expect that if you are
using X.400 names like the horror above, well, you are 1) using MIT, and
2) you can set things up right (or at least there is documentation to show
you how).

(Heimdal supports single-component names, or two-component names where the
second name is root. In the latter case, the name is taken as root.)

Dang. I've been fussing with code for a bit, and realised that while there
are ways we can get rid of the use of krb5_aname_to_localname, we still
have to reach in the received ticket and pull out the principal in a
non-standard way.

Take care,

Bill
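As an added illustration (not code from this thread, nor from the Heimdal, MIT or PostgreSQL sources), the following C program parses a principal string in the textual form krb5_unparse_name() produces, `name/instance@REALM` (assuming no backslash escapes), and applies the local-name mapping rule Bill describes for Heimdal: a single-component name maps to itself, a two-component name whose second part is `root` maps to `root`, and anything else is refused so that the caller denies the login instead of guessing. The realm comparison, the size limits and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 4
#define MAX_LEN 256

/* Parsed form of a principal string as krb5_unparse_name() would emit it:
 * "comp1/comp2/...@REALM".  Backslash escapes are deliberately not handled
 * here (assumption: the names this example sees contain no escapes). */
struct principal {
    int ncomp;
    char comp[MAX_COMPONENTS][MAX_LEN];
    char realm[MAX_LEN];
};

/* Split "a/b@REALM" into components and realm.  Returns 0 on success and -1
 * on malformed input (no '@', empty name or realm, empty component, or more
 * components than the fixed array holds). */
int parse_principal(const char *s, struct principal *p)
{
    const char *at = strrchr(s, '@');
    if (at == NULL || at == s || at[1] == '\0') return -1;
    if (strlen(at + 1) >= MAX_LEN) return -1;
    memset(p, 0, sizeof *p);
    strcpy(p->realm, at + 1);

    const char *start = s;
    while (start < at) {
        const char *slash = memchr(start, '/', (size_t)(at - start));
        const char *end = slash ? slash : at;
        size_t len = (size_t)(end - start);
        /* Reject empty components, including a trailing '/' before '@'. */
        if (len == 0 || len >= MAX_LEN || p->ncomp >= MAX_COMPONENTS) return -1;
        if (slash != NULL && slash + 1 == at) return -1;
        memcpy(p->comp[p->ncomp], start, len);
        p->comp[p->ncomp][len] = '\0';
        p->ncomp++;
        start = end + 1;
    }
    return p->ncomp > 0 ? 0 : -1;
}

/* Map a principal to a local user name with the rule described for Heimdal:
 * one component -> that component; two components with the second being
 * "root" -> "root"; anything else is refused ("punts").  A principal from
 * a realm other than local_realm is refused as well (assumption).
 * Returns 0 and fills out on success, -1 when the caller should deny. */
int aname_to_localname(const struct principal *p, const char *local_realm,
                       char *out, size_t outlen)
{
    const char *name = NULL;
    if (strcmp(p->realm, local_realm) != 0) return -1;
    if (p->ncomp == 1)
        name = p->comp[0];
    else if (p->ncomp == 2 && strcmp(p->comp[1], "root") == 0)
        name = "root";
    if (name == NULL || strlen(name) >= outlen) return -1;
    strcpy(out, name);
    return 0;
}

/* Parse, then map; the single call an authentication hook would make. */
int localname_for(const char *princ, const char *local_realm,
                  char *out, size_t outlen)
{
    struct principal p;
    if (parse_principal(princ, &p) != 0) return -1;
    return aname_to_localname(&p, local_realm, out, outlen);
}

int main(void)
{
    /* Constructed sample principals; EXAMPLE.ORG stands in for the local realm. */
    const char *samples[] = { "alice@EXAMPLE.ORG", "bob/root@EXAMPLE.ORG",
                              "bob/admin@EXAMPLE.ORG", "alice@OTHER.ORG",
                              "ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU" };
    char user[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (localname_for(samples[i], "EXAMPLE.ORG", user, sizeof user) == 0)
            printf("%s -> %s\n", samples[i], user);
        else
            printf("%s -> refused\n", samples[i]);
    }
    return 0;
}
```

The refusal path is the point: a principal the mapping rule does not cover never yields a local user name, so the server has nothing to log in as and must reject, which is the behaviour argued for above.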
