| From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
|---|---|
| To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Case insensitive usernames |
| Date: | 2005-05-10 15:26:00 |
| Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCE6C745E@algol.sollentuna.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> > Which brings me back to thinking a GUC is the way to deal
> with that -
> > you'll definitly know what kind of KDC you have when you set up
> > Kerberos. But perhaps this GUC should be for "permit
> case-insensitive
> > kerberos principals" and not "case-insensitive usernames". And it
> > would just control the comparison between kerberos principal and
> > user-supplied username. The user-supplied username would still be
> > what's used in any access to the database, regardless of case.
>
> That would work for me as long as the default is
> case-sensitive; the other seems too likely to be a security
> hazard. (And it had better be documented that way, too: "DO
> NOT turn this on unless you are certain you are using a
> case-insensitive KDC.")
Fine with me - you'll need to tweak the default principal name anyway to
work with the windwos KDC, so you're giong there anyawy. It's just a
matter of documenting it.
> What will we call the GUC? kerberos_case_insensitive_principals
> seems a bit, um, verbose.
All other kerberos parameters are krb_ and not kerberos_, so that saves
a bit :) How about just "krb_case_insensitive"? Or "krb_case_ins_princ"?
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Rod Taylor | 2005-05-10 15:34:27 | Hashagg planning bug (8.0.1) |
| Previous Message | Merlin Moncure | 2005-05-10 15:21:41 | Re: Views, views, views! (long) |