From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
---|---|
To: | "Stephen Frost" <sfrost(at)snowman(dot)net> |
Cc: | "Mohan Anon" <mohan(dot)anon(at)gmail(dot)com>, <pgsql-hackers(at)postgresql(dot)org>, <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: [HACKERS] Postgres 8.1.x and MIT Kerberos 5 |
Date: | 2006-02-05 15:57:08 |
Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCE92EA40@algol.sollentuna.se |
Lists: | pgsql-admin pgsql-hackers |
> > The *REALM* is not checked, however. This can cause problems if you
> > have a multi-realm system (where the realms already trust each other,
> > because the KDC has to give out the service ticket) where you have the
> > same username existing in multiple realms representing different users.
>
> This brings up the issue again that it'd be nice to be able
> to have what amounts to a '.k5login' in PostgreSQL somehow.
> Ideally, this would be something an individual user could set
> up but a good first step would be to have something along
> the lines of pg_ident.conf for Kerberos connections where the
> admin could implement a mapping.
>
> We should probably also have a configurable option to check
> the realm or to not check the realm. I'd like to look into
> doing this for 8.2 but, as usual, I'm not sure I'll have
> time. Anyone else looking into this?
They're both on my personal TODO (not .k5login, but a
pg_ident-kind-of-mapping), but with the same disclaimer as you - I don't
know if I'll have enough time.
//Magnus
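
The realm confusion described in this message, and the two fixes proposed in the thread (a configurable realm check and a pg_ident-style mapping), sketched as an added example that is not part of the original message or of PostgreSQL's code. The principals, role names, function names and the in-memory map format are all constructed for illustration.

```python
from typing import Dict, Optional, Tuple

# Constructed sample mapping (hypothetical format, not a real PostgreSQL file):
# full Kerberos principal -> database role, in the spirit of pg_ident.conf.
IDENT_MAP = {
    "alice@EXAMPLE.COM": "alice",
    "alice@PARTNER.EXAMPLE": "partner_alice",
    "bob@EXAMPLE.COM": "bob",
}

def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' at the last '@'; a principal without a realm is rejected."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name, realm

def authorize_name_only(principal: str, requested_role: str) -> bool:
    """Models the behaviour the thread describes: the realm is ignored."""
    name, _realm = split_principal(principal)
    return name == requested_role

def authorize_realm_aware(principal: str, requested_role: str,
                          allowed_realm: Optional[str] = None,
                          ident_map: Dict[str, str] = IDENT_MAP) -> bool:
    """Optional realm check, then a lookup keyed on the full principal."""
    _name, realm = split_principal(principal)
    # Realm names are case-sensitive in Kerberos, so compare exactly.
    if allowed_realm is not None and realm != allowed_realm:
        return False
    # Unknown principals map to nothing and are refused (fail closed).
    return ident_map.get(principal) == requested_role

if __name__ == "__main__":
    foreign = "alice@PARTNER.EXAMPLE"  # a different person than alice@EXAMPLE.COM
    print("name only, role alice:  ", authorize_name_only(foreign, "alice"))
    print("realm aware, role alice:", authorize_realm_aware(foreign, "alice"))
    print("realm pinned to EXAMPLE.COM:",
          authorize_realm_aware(foreign, "partner_alice", allowed_realm="EXAMPLE.COM"))
```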