| From: | Stephen Frost <sfrost(at)snowman(dot)net> | 
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org | 
| Subject: | krb_match_realm patch | 
| Date: | 2007-11-01 14:41:51 | 
| Message-ID: | 20071101144151.GU5031@tamriel.snowman.net | 
| Lists: | pgsql-hackers | 
Greetings,
  Regarding Magnus' patch for matching against the Kerberos realm- I'd
  see it as much more useful as a multi-value configuration option.
  Perhaps 'krb_alt_realms' or 'krb_realms'.  This would look like:
  Match against one, and only one, realm (does not have to be the realm
  the server is in, that's dealt with separately):
  krb_realms = 'ABC.COM'
  Don't worry about the realm ever:
  krb_realms = '' # default, to match current krb5
  Match against multiple realms:
  krb_realms = 'ABC.COM, DEF.ABC.COM'
  Note that using multiple realms implies either no overlap, or that
  overlap means the same person.
  
  Additionally, I feel we should have an explicit 'krb_strip_realm'
  boolean option to enable this behaviour.  If 'krb_strip_realm' is
  'false' then the full user@REALM would be used.  This would mean that
  more complex cross-realm could also be handled by creating users with
  user@REALM and then just roles when a given user exists in multiple
  realms.
  
  I understand that we're in beta now but both of these are isolated and
  rather small changes, I believe.  Also, Magnus has indicated that he'd
  be willing to adjust his patch accordingly if this is agreed to
  (please correct me if I'm wrong here :).
Thanks,
		Stephen
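
An added illustration of the semantics proposed in the message above (not code from the patch, from PostgreSQL, or from anyone in the thread): how a multi-value `krb_realms` list and a `krb_strip_realm` flag would combine to turn a principal into the role name to look up. The helper names `realm_allowed` and `map_principal`, the exact case-sensitive realm comparison, and splitting on the last `@` are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not PostgreSQL source: returns 1 if realm is listed in
 * the comma-separated krb_realms value; an empty list accepts any realm. */
static int realm_allowed(const char *krb_realms, const char *realm)
{
    const char *p = krb_realms;
    size_t rlen = strlen(realm);
    if (p[strspn(p, " \t")] == '\0')
        return 1;                       /* krb_realms = '' : realm not checked */
    while (*p) {
        p += strspn(p, ", \t");         /* skip separators and padding */
        size_t n = strcspn(p, ", \t");  /* length of this list entry */
        if (n == rlen && n > 0 && strncmp(p, realm, n) == 0)
            return 1;                   /* exact, case-sensitive match (assumed) */
        p += n;
    }
    return 0;
}

/* Maps a Kerberos principal to the role name to look up, per the proposal.
 * Returns 0 and fills role on success, -1 if the principal is rejected. */
int map_principal(const char *principal, const char *krb_realms,
                  int krb_strip_realm, char *role, size_t rolesz)
{
    const char *at = strrchr(principal, '@');
    const char *realm = at ? at + 1 : "";
    size_t keep;
    if (!realm_allowed(krb_realms, realm))
        return -1;                      /* realm missing or not in the list */
    keep = (krb_strip_realm && at) ? (size_t)(at - principal) : strlen(principal);
    if (keep == 0 || keep >= rolesz)
        return -1;                      /* empty or oversized name: reject */
    memcpy(role, principal, keep);
    role[keep] = '\0';
    return 0;
}

int main(void)
{
    char role[64];
    /* Constructed principals; the realms are the ones used in the message. */
    if (map_principal("alice@DEF.ABC.COM", "ABC.COM, DEF.ABC.COM", 1, role, sizeof role) == 0)
        printf("strip on : %s\n", role);
    if (map_principal("alice@DEF.ABC.COM", "ABC.COM, DEF.ABC.COM", 0, role, sizeof role) == 0)
        printf("strip off: %s\n", role);
    return 0;
}
```

With stripping on, `alice@ABC.COM` and `alice@DEF.ABC.COM` both resolve to the role `alice`, which is the overlap case the message calls out; with stripping off they stay distinct role names.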