| From: | Enrico Scholz <enrico(dot)scholz(at)informatik(dot)tu-chemnitz(dot)de> |
|---|---|
| To: | pgsql-admin(at)postgresql(dot)org |
| Subject: | Truncation of krb5 principals |
| Date: | 2004-06-15 16:22:22 |
| Message-ID: | 87n034dc5d.fsf@kosh.ultra.csn.tu-chemnitz.de |
| Lists: | pgsql-admin |
Hello,
I am using krb5 authorization and have a problem with the mangling of krb5
principal names. E.g. on authentication, the principals 'foo/www@XYZ.ORG'
and 'foo/mail@ABC.COM' will both be rewritten to the local username 'foo',
which is completely unwanted and might be a security problem.
In the archives, I read that this happens because '/' and '@' are
forbidden characters for usernames. An authname-to-username mapping
table was a proposed solution, but although the discussion[1] was some
time ago in 2002, I cannot find such a thing in recent postgresql
7.4.2.
If the authname -> username table would be too complicated to
implement, would it be possible to use something like OpenLDAP's
'sasl-regexp' feature? E.g. in postgresql.conf it could be written
| sasl-regexp "([^/]*)/www@XYZ.ORG" "$1_www_XYZ_ORG"
| sasl-regexp "([^/]*)/mail@ABC.COM" "$1_mail_ABC_COM"
which maps the principals above into valid SQL usernames.
Enrico
Footnotes:
[1] http://groups.google.com/groups?&selm=8149.1021471997%40sss.pgh.pa.us
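The collision described in the post, and the regexp-based mapping proposed as a fix, modelled in Python. This is an added illustration, not code from the post or from PostgreSQL: `truncate_principal` mimics the truncation behaviour the author reports, `map_principal` applies constructed sasl-regexp-style rules, and `find_collisions` shows which principals end up sharing one username under each scheme.

```python
import re

# Constructed rules modelled on the two sasl-regexp lines in the post
# (pattern, replacement); not a real postgresql.conf directive.
SASL_REGEXP_RULES = [
    (r"^([^/]*)/www@XYZ\.ORG$", r"\g<1>_www_XYZ_ORG"),
    (r"^([^/]*)/mail@ABC\.COM$", r"\g<1>_mail_ABC_COM"),
]

# Assumed identifier rule: letters, digits, underscore; 63 chars max
# (PostgreSQL's NAMEDATALEN - 1).
VALID_USERNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")

# Constructed sample principals, including the two from the post.
PRINCIPALS = ["foo/www@XYZ.ORG", "foo/mail@ABC.COM", "bar/www@XYZ.ORG"]


def truncate_principal(principal):
    """Reproduce the behaviour the post complains about: everything from the
    first '/' or '@' onward is dropped, so distinct principals collapse."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]


def map_principal(principal, rules=SASL_REGEXP_RULES):
    """Apply the first matching rule. Returns None when no rule matches or the
    result is not a valid username, so unknown principals are rejected rather
    than silently truncated to somebody else's account."""
    for pattern, repl in rules:
        m = re.fullmatch(pattern, principal)
        if m:
            name = m.expand(repl)
            return name if VALID_USERNAME.match(name) else None
    return None


def find_collisions(principals, mapper):
    """Return {username: [principals]} for every username that more than one
    principal is mapped to under the given mapping function."""
    by_user = {}
    for p in principals:
        user = mapper(p)
        if user is None:
            continue
        by_user.setdefault(user, []).append(p)
    return {u: ps for u, ps in by_user.items() if len(ps) > 1}


if __name__ == "__main__":
    print("truncation:", find_collisions(PRINCIPALS, truncate_principal))
    print("sasl-regexp:", find_collisions(PRINCIPALS, map_principal))
```

The truncation mapper reports 'foo' shared by both XYZ.ORG and ABC.COM principals, while the regexp mapper yields distinct names and no collisions.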