Re: SSPI authentication

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: PGSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSPI authentication
Date: 2007-07-16 20:32:48
Message-ID: 20070716203247.GE4887@tamriel.snowman.net
Lists: pgsql-hackers

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> > The way this is handled in a number of other applications (putty being
> > the one that comes to mind easily) is that two DLLs are built- one for
> > SSPI and one for GSSAPI and you can easily switch between them on the
> > client. That'd work fine for us.
>
> Well, that you can do - you just need one libpq with sspi and one with
> gssapi.

If both are made available then I think that'd work fine for us. I'm
concerned that the Windows builds wouldn't include a version of libpq w/
GSSAPI... If I was confident that we could easily build it ourselves
then I wouldn't care as much but, since I've never had to build libpq on
Windows before, I'm not sure what effort is involved or what tools are
required. I'm also not thrilled by the prospect. :)

> > I don't like the idea of having to rebuild things under Windows,
> > honestly.. Not that I like to build anything these days... If it's not
> > enabled by default in some way I expect that it'd get 'forgotten'.
>
> Ok, so looking at it from the other direction, say we wanted to support
> both. Then we need to invent a new way for the client to tell libpq
> which one to use. I think that's sensible if it's a common thing, but I
> still see it as a *very* narrow use-case that needs both in the same DLL.
> Or do you have a better idea on how to solve that?

Supporting both is actually exactly what Mozilla does... Check out the
'network.auth.use-sspi' flag in about:config. It's also what KfW does
"Include Windows LSA cache" and "Import windows credentials", which has
the interesting option of "only when principals match". I'm not sure if
there's a sane way to test at run-time if KfW exists but its existence
could be used as a factor. I have to admit that this does kind of make
me wish a bit for a 'libpq config file' even though I'm generally against
such things. Having the same easy switch as we do w/ Mozilla would be
really nice.

Thanks,

Stephen
