| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Andres Freund <andres(at)2ndquadrant(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Jerry Sievers <gsievers19(at)comcast(dot)net>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: HBA files w/include support? |
| Date: | 2014-02-14 16:10:10 |
| Message-ID: | 20140214161010.GV2921@tamriel.snowman.net |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Andres Freund (andres(at)2ndquadrant(dot)com) wrote:
> On 2014-02-14 11:03:19 -0500, Stephen Frost wrote:
> > Also, all of the above ignores the pg_ident side of the house, which is
> > even worse as you need an entry for every user, period, if you're using
> > client-side SSL certificates or Kerberos/GSSAPI-based authentication
> > with full princ names.
>
> Well, there's regexes for mappings, that can often enough take care of
> most of that?
In some cases, yes, but certainly not all. Apologies for over-stating
the case, but I came from an environment where the Kerberos princs were
'm######', while the database users were all first-initial || last-name.
Also, the CN in an SSL certificate isn't likely to be what you want for
a username either, and a regexp isn't likely to help that either.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2014-02-14 16:10:48 | Re: HBA files w/include support? |
| Previous Message | Andres Freund | 2014-02-14 16:06:55 | Re: HBA files w/include support? |