Re: krb_match_realm patch

From Bruce Momjian
Subject Re: krb_match_realm patch
Date
Msg-id 200803171823.m2HIN3907293@momjian.us
In response to Re: krb_match_realm patch  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
Added to TODO:
       o Allow Kerberos to disable stripping of realms so we can
         check the username@realm against multiple realms
         http://archives.postgresql.org/pgsql-hackers/2007-11/msg00009.php


---------------------------------------------------------------------------

Magnus Hagander wrote:
> Stephen Frost wrote:
> > Greetings,
> > 
> >   Regarding Magnus' patch for matching against the Kerberos realm- I'd
> >   see it as much more useful as a multi-value configuration option.
> >   Perhaps 'krb_alt_realms' or 'krb_realms'.  This would look like:
> > 
> >   Match against one, and only one, realm (does not have to be the realm
> >   the server is in, that's dealt with separately):
> >   krb_realms = 'ABC.COM'
> > 
> >   Don't worry about the realm ever:
> >   krb_realms = '' # default, to match current krb5
> > 
> >   Match against multiple realms:
> >   krb_realms = 'ABC.COM, DEF.ABC.COM'
> > 
> >   Note that using multiple realms implies either no overlap, or that
> >   overlap means the same person.
> >   
> >   Additionally, I feel we should have an explicit 'krb_strip_realm'
> >   boolean option to enable this behaviour.  If 'krb_strip_realm' is
> >   'false' then the full user@REALM would be used.  This would mean that
> >   more complex cross-realm could also be handled by creating users with
> >   user@REALM and then just roles when a given user exists in multiple
> >   realms.
> >   
> >   I understand that we're in beta now but both of these are isolated and
> >   rather small changes, I believe.  Also, Magnus has indicated that he'd
> >   be willing to adjust his patch accordingly if this is agreed to
> >   (please correct me if I'm wrong here :).
> 
> I've committed the patch as it was without this, because that's still
> better than what we have now.
> 
> Just for the record, I've indicated that I'm willing to add the
> multi-realm match part of that, but I'm not sure we want to dig into the
> "krb_strip_realm" stuff this late in the cycle. At least unless someone
> can confirm that we won't have issues *elsewhere* from passing in very
> long usernames in what I believe is not entirely specified formats.
> 
> I will try to work on the multi-realm stuff next week, unless someone
> wants to beat me to it...
> 
> //Magnus

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +
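
The semantics proposed in the quoted message, sketched as an added example (not PostgreSQL code and not part of the committed patch). `krb_realms` and `krb_strip_realm` are the option names suggested in the thread; the helper names, splitting at the last `@`, and rejecting rather than truncating over-long names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: is `realm` one of the comma-separated entries in
 * `allowed`? An empty list means the realm is not checked at all. */
static bool realm_allowed(const char *realm, const char *allowed)
{
    size_t rlen = strlen(realm);
    const char *p = allowed + strspn(allowed, ", \t");

    if (*p == '\0')
        return true;                 /* krb_realms = '' */
    while (*p != '\0') {
        size_t len = strcspn(p, ", \t");
        /* Exact, case-sensitive match: no suffix or prefix matching. */
        if (len == rlen && memcmp(p, realm, len) == 0)
            return true;
        p += len;
        p += strspn(p, ", \t");
    }
    return false;
}

/* Hypothetical helper: map principal "user@REALM" to the name used for the
 * role lookup. Returns false (reject the login) for a realm outside the
 * list, an empty name, or a name that does not fit in `out`. */
bool map_principal(const char *principal, const char *krb_realms,
                   bool krb_strip_realm, char *out, size_t outlen)
{
    const char *at = strrchr(principal, '@');   /* assumption: last '@' */
    size_t n;

    if (!realm_allowed(at ? at + 1 : "", krb_realms))
        return false;
    n = (krb_strip_realm && at) ? (size_t) (at - principal) : strlen(principal);
    if (n == 0 || n >= outlen)
        return false;                /* never silently truncate a name */
    memcpy(out, principal, n);
    out[n] = '\0';
    return true;
}

int main(void)
{
    char name[64];                   /* constructed sample principals below */
    if (map_principal("alice@DEF.ABC.COM", "ABC.COM, DEF.ABC.COM", false, name, sizeof name))
        printf("accepted as %s\n", name);
    if (!map_principal("alice@EVIL.ABC.COM", "ABC.COM, DEF.ABC.COM", true, name, sizeof name))
        printf("rejected: realm not in krb_realms\n");
    return 0;
}
```
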

