From: | Brian Crowell <brian(at)fluggo(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | "pgsql-general(at)postgresql(dot)org >> PG-General Mailing List" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: GSSAPI/SSPI and mismatched user names |
Date: | 2014-02-24 18:59:37 |
Message-ID: | CAAQkdDpY_UH0TA0E60AA80x6zaBzwb7h20OT91LvwL5FpBe4Lg@mail.gmail.com |
Lists: | pgsql-general |

On Mon, Feb 24, 2014 at 12:55 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Brian Crowell (brian(at)fluggo(dot)com) wrote:
>> https://github.com/npgsql/Npgsql/issues/162#issuecomment-35916650
>
> Reading through this- can't you use GSSAPI to get the Kerberos princ
> found the ticket which is constructed? I'm pretty sure the MIT
> libraries support that, at least...

I expected I might be able to do that on Linux, but right now I'm
trying to work out the Windows non-domain case.

> Just as with .k5login, they do *not* have to match, but if they don't
> then there needs to be a mapping provided from the Kerberos princ to the
> PG username. Check out pg_ident and note that it even supports
> regexp's, so you may be able to construct a mapping such that the princ
> is mixed case and the login works- provided you send the lowercase'd
> username as the PG user to log in as.

Unfortunately, in this case I don't even have a wrong-cased username
to start with. I have the user name of the logged-in non-domain user,
which is not the user name of the domain credentials I'm sending
across the network.

>> I think Postgres should either not require or ignore the user name in the
>> startup packet for these two login types. What do you think?
>
> We need the username to figure out which auth method we're using...

Oh dear.

--Brian
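
An added illustration, not part of the original message and not PostgreSQL's own code: a simplified Python model of the pg_ident.conf matching rule discussed above, showing which (Kerberos principal, requested PG user) pairs a map accepts. The map name `krb`, the realm `EXAMPLE.COM` and all user names are constructed placeholders, and Python's `re` stands in for PostgreSQL's regex engine.

```python
import re

# Constructed pg_ident.conf content; map name, realm and users are placeholders.
PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME                  PG-USERNAME
krb        /^(.*)@EXAMPLE\.COM$             \1
krb        /^[Aa]lice@EXAMPLE\.COM$         alice
krb        dbadmin@EXAMPLE.COM              postgres
"""

def parse_ident(text):
    """Return (mapname, system_user, pg_user) tuples, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            entries.append(tuple(fields))
    return entries

def map_allows(entries, mapname, principal, requested_role):
    """True if an entry maps the authenticated principal to the requested role."""
    for name, system_user, pg_user in entries:
        if name != mapname:
            continue
        if system_user.startswith("/"):
            # A leading slash marks the rest of the field as a regular expression.
            m = re.search(system_user[1:], principal)
            if not m:
                continue
            candidate = pg_user
            if m.groups():
                # \1 in the PG-USERNAME column stands for the first capture group.
                candidate = pg_user.replace(r"\1", m.group(1) or "")
        elif system_user == principal:
            candidate = pg_user
        else:
            continue
        # The role named in the startup packet must equal the mapped name.
        if candidate == requested_role:
            return True
    return False

if __name__ == "__main__":
    rules = parse_ident(PG_IDENT)
    for princ, role in [("alice@EXAMPLE.COM", "alice"), ("Alice@EXAMPLE.COM", "alice"),
                        ("alice@EXAMPLE.COM", "laptopuser")]:
        print(princ, "->", role, ":", map_allows(rules, "krb", princ, role))
```

The last pair models the non-domain Windows case from this message: the principal authenticates, but the local account name sent as the PG user is not a name the map yields for it.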