Re: BUG #13782: gss auth with libpq does not include realm by default

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: jkew(at)tableau(dot)com
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #13782: gss auth with libpq does not include realm by default
Date: 2015-11-23 21:30:03
Message-ID: 20151123213002.GI3685@tamriel.snowman.net
Lists: pgsql-bugs

John,

* jkew(at)tableau(dot)com (jkew(at)tableau(dot)com) wrote:
> The following bug has been logged on the website:
>
> Bug reference: 13782
> Logged by: John Kew
> Email address: jkew(at)tableau(dot)com
> PostgreSQL version: 9.5beta1
> Operating system: Windows 7
> Description:
>
> Recently a change was made to set include_realm=1 by default. This is
> sensible.
>
> Clients and drivers using libpq, however, default to sending just the
> username w/o the realm, leading to a gss username error in these
> configurations.

That's not exactly correct. libpq does not determine the username to
send to the server based on the auth method chosen by the server. The
username is chosen based on what the OS tells libpq the local username
is.

> You can force psql and postgres-odbc to use a specific username which
> includes the realm; but it would be useful if libpq had the same default as
> the server and sent the current realm by default e.g: joe(at)realm(dot)com(dot)

Note that the username sent is the PG user to log in as. If libpq sent
this then there would have to exist a 'joe(at)realm(dot)com' user in the PG
database. That's certainly possible to do with PG, but, in my view at
least, it comes across a bit like having unix users named
'joe(at)realm(dot)com', which isn't typical.

> Seems like a minor thing; but it means you can share the same connection
> string configuration between users for when postgres is configured the
> recommended way.

The recommendation is to use include_realm=1, but that doesn't imply
that users in the database should be 'joe(at)realm(dot)com'- that's a
completely different consideration.

I would suggest you refer to pg_ident.conf and the mapping capabilities
available there to see how you can have a 'joe' unix/Windows user, a
'joe' PG user, and have include_realm=1 by having a mapping in
pg_ident.conf which allows the system-identified user of 'joe(at)realm(dot)com'
to connect as the PG user 'joe'.

Thanks!

Stephen
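
The mapping suggested above, as an added example that is not part of the original message and is not PostgreSQL's own code. It is a simplified Python model of the server-side user-name check with include_realm=1; the map name `krb`, the realm `REALM.COM` and the `admin` principal are constructed for illustration.

```python
import re

# Constructed pg_hba.conf line this model assumes:
#   host  all  all  0.0.0.0/0  gss  include_realm=1  map=krb
# Constructed pg_ident.conf content (map name and realm are assumptions).
PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME        PG-USERNAME
krb        /^(.*)@REALM\.COM$     \1
krb        admin@REALM.COM        postgres
"""

def parse_ident(text):
    """Return a list of (map_name, system_user, pg_user) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("expected 3 fields: %r" % line)
        rows.append(tuple(fields))
    return rows

def may_connect(principal, requested_pg_user, rows, map_name=None):
    """Model of the check: may this GSS principal log in as this PG role?"""
    if map_name is None:
        # No map: the authenticated name, realm included, must equal the role.
        return principal == requested_pg_user
    for name, system_user, pg_user in rows:
        if name != map_name:
            continue
        if system_user.startswith("/"):
            # Leading slash marks a regular expression; \1 is the capture.
            m = re.search(system_user[1:], principal)
            if not m:
                continue
            if m.groups():
                pg_user = pg_user.replace("\\1", m.group(1))
        elif system_user != principal:
            continue
        if pg_user == requested_pg_user:
            return True
    return False

ROWS = parse_ident(PG_IDENT)
```

Anchoring the pattern with `^` and `$` and escaping the dot keeps principals from other realms from matching, and `joe@REALM.COM` still cannot connect as `postgres` because only the explicit `admin` line grants that role.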
