Re: GSSAPI/SSPI and mismatched user names

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Brian Crowell <brian(at)fluggo(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org >> PG-General Mailing List" <pgsql-general(at)postgresql(dot)org>
Subject: Re: GSSAPI/SSPI and mismatched user names
Date: 2014-02-24 18:55:19
Message-ID: 20140224185519.GM2921@tamriel.snowman.net
Thread:
Lists: pgsql-general

* Brian Crowell (brian(at)fluggo(dot)com) wrote:
> https://github.com/npgsql/Npgsql/issues/162#issuecomment-35916650

Reading through this- can't you use GSSAPI to get the Kerberos princ
from the ticket which is constructed? I'm pretty sure the MIT
libraries support that, at least...

> The short version is that Postgres requires two user names when using
> GSSAPI/SSPI: one from the startup packet, and one from the Kerberos ticket,
> and if these don't match exactly, the login fails. It's generally
> impossible to determine the correct user name to send in the startup packet.

Just as with .k5login, they do *not* have to match, but if they don't
then there needs to be a mapping provided from the Kerberos princ to the
PG username. Check out pg_ident and note that it even supports
regexp's, so you may be able to construct a mapping such that the princ
is mixed case and the login works- provided you send the lowercase'd
username as the PG user to log in as.

> I think Postgres should either not require or ignore the user name in the
> startup packet for these two login types. What do you think?

We need the username to figure out which auth method we're using...

Thanks,

Stephen
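To make the pg_ident mapping Stephen describes concrete, here is an added example that is not part of the thread and not PostgreSQL's own code. It parses a constructed pg_ident.conf, applies the matching rules PostgreSQL uses for usermaps (an exact system-username entry, or a regexp entry introduced by `/` whose first capture group replaces `\1` in the PG-USERNAME column, followed by an exact comparison against the name sent in the startup packet), and reports which PG user name a client holding a given principal would have to send. Python's `re` stands in for PostgreSQL's own regexp engine, and the map name `krb`, the realm `EXAMPLE.COM` and the principals are assumptions.

```python
import re
from typing import List, Tuple

# Constructed pg_ident.conf (not from the thread).  The matching pg_hba.conf
# line would reference it as, e.g.:  host all all 0.0.0.0/0 gss map=krb
# MAPNAME   SYSTEM-USERNAME                  PG-USERNAME
PG_IDENT = r"""
krb         BCrowell@EXAMPLE.COM             bcrowell
krb         /(?i)^jdoe@example\.com$         jdoe
krb         /^([a-z0-9]+)@EXAMPLE\.COM$      \1
"""


def parse_pg_ident(text: str) -> List[Tuple[str, str, str]]:
    """Return (mapname, system-username, pg-username) triples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def candidate_pg_users(entries, map_name: str, system_user: str) -> List[str]:
    """PG user names the map would accept for this principal, in file order."""
    accepted = []
    for name, sys_pat, pg_pat in entries:
        if name != map_name:
            continue
        if sys_pat.startswith("/"):
            # Regexp entry: PostgreSQL searches (no implicit anchoring), then
            # substitutes the first capture group for \1 in the PG-USERNAME.
            m = re.search(sys_pat[1:], system_user)
            if m is None:
                continue
            if "\\1" in pg_pat:
                if m.re.groups < 1:
                    raise ValueError(f"{sys_pat!r} has no capture group for \\1")
                accepted.append(pg_pat.replace("\\1", m.group(1)))
            else:
                accepted.append(pg_pat)
        elif sys_pat == system_user:
            # Plain entry: exact, case-sensitive comparison of the principal.
            accepted.append(pg_pat)
    return accepted


def map_matches(entries, map_name: str, system_user: str, pg_user: str) -> bool:
    """True if the startup-packet user name pg_user is allowed for system_user."""
    # The final comparison is exact, so the client must send the mapped
    # (here lowercase) name even though the principal may be mixed case.
    return pg_user in candidate_pg_users(entries, map_name, system_user)


ENTRIES = parse_pg_ident(PG_IDENT)

if __name__ == "__main__":
    for princ in ("BCrowell@EXAMPLE.COM", "JDoe@Example.com", "alice@EXAMPLE.COM"):
        print(princ, "->", candidate_pg_users(ENTRIES, "krb", princ))
```

The third entry shows why the thread's problem is hard for a driver to solve on its own: `\1` only copies the capture group, so a regexp cannot lowercase a mixed-case principal, and `map_matches` rejects `BCrowell` unless an explicit line (like the first) or a case-insensitive pattern (like the second) names the lowercase role to send.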
