Re: Future of krb5 authentication

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Gregory Stark <stark(at)enterprisedb(dot)com>
Cc: Heikki Linnakangas <heikki(at)enterprisedb(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Dave Page <dpage(at)postgresql(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Future of krb5 authentication
Date: 2007-07-18 21:56:11
Message-ID: 20070718215611.GC4887@tamriel.snowman.net
Lists: pgsql-hackers

* Gregory Stark (stark(at)enterprisedb(dot)com) wrote:
> Am I right in thinking that while the client<->postgres protocol may be the
> same the actual authentication tokens are different? That is, if you have a
> Windows Active Directory server then using SSPI will use your Windows
> credentials obtained from that server to log you in whereas if you used the
> MIT GSSAPI library it would try to use your Kerberos tickets for which it would
> look elsewhere?

This *can* be true, and in fact is *exactly* what I do. The MIT client
comes with an option (enabled by default actually) to sync up the MIT
ticket cache with the SSPI one though.

> What confuses me here is that I don't understand how this relates to
> applications. You keep talking about using the connection string which may be
> appropriate for a user-oriented application like psql. But in the general case
> surely the application needs to be able to control the authentication process
> and be able to provide credentials of its choice?

We're talking about user-oriented applications... Specifically things
like psql and Postgres ODBC, which use user's credentials to connect to
the database and don't have their own credentials...

Thanks,

Stephen
