Re: When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable?

Поиск
Список
Период
Сортировка
От Ramesh Reddy
Тема Re: When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable?
Дата
Msg-id 2137224063.5727693.1437760588699.JavaMail.zimbra@redhat.com
обсуждение исходный текст
Ответ на When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable?  (dsteigne@redhat.com)
Ответы Re: When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable?  (Heikki Linnakangas <hlinnaka@iki.fi>)
Список pgsql-odbc
Дерево обсуждения
Thanks you Lindsay.

The root of the question after delving little bit more, we did not find any properties to enable "Mutual Authentication" when using GSSAPI with Windows ODBC driver. Can this be added to the code?

Thanks

Ramesh..

I have pg-odbc working with Windows sspi authentication.  There is a guide online [1] that describes the key element: you need to run the postgres service as a domain user that you've registered as a security principal for that machine. If you need a service name other than POSTGRES there is a GUC setting for krbsrvname; set that and a corresponding SPN.

The only weird behaviour I've noticed is that looking at security events in Windows event manager, after some time the client kerberos authentication reverts to NTLMv1. I suspect that might be a problem between the pg domain user and AD though.

Also, connections never seem to pool but there's probably a good security reason for that.

[1] https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows

On 22 Jul 2015 1:12 am, "Ramesh Reddy" <rareddy@redhat.com> wrote:
Has any one have working solution that has kerberos authentication working on windows based pg-odbc driver? We believe the below flag is required for it to work correctly, can anybody weigh in options we have in terms of setting this flag with out code modification. We are also looking to build locally to verify the solution.

Thanks

Ramesh..

----- Original Message -----
> We need mutual authentication via ODBC, looking into the psqlODBC driver to
> find where the Kerberos connection was getting created.  Here in sspisvcs.c
> the PerformKerberosEtcClientHandshake contains the set of SSPI flags being
> set on the request (held in the dwSSPIFlags variable).
> This set is missing the flag required for mutual authentication
> (ISC_REQ_MUTUAL_AUTH).  Can this be added to your ODBC driver?
>
> --
> Regards,
> Debbie Steigner
> Red Hat Global Support Services
> Principal Technical Support Engineer
>
>
>
> --
> Sent via pgsql-odbc mailing list (pgsql-odbc@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-odbc
>


--
Sent via pgsql-odbc mailing list (pgsql-odbc@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-odbc

В списке pgsql-odbc по дате отправления:

Предыдущее
От: Jean-Marc Guazzo
Дата:
Сообщение: Re: Materialized Views
Следующее
От: Heikki Linnakangas
Дата:
Сообщение: Re: When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable?