> > The *REALM* is not checked, however. This can cause problems if you
> > have a multi-realm system (where the realms already trust
> each other,
> > because the KDC has to give out the service ticket) where
> you have the
> > same username existing in multiple realms representing
> different users.
>
> This brings up the issue again that it'd be nice to be able
> to have what amounts to a '.k5login' in PostgreSQL somehow.
> Ideally, this would be something an idividual user could set
> up but at good first step would be to have something along
> the lines of pg_ident.conf for Kerberos connections where the
> admin could implement a mapping.
>
> We should probably also have a configurable option to check
> the realm or to not check the realm. I'd like to look into
> doing this for 8.2 but, as usual, I'm not sure I'll have
> time. Anyone else looking into this?
They're both on my personal TODO (not .k5login, but a
pg_ident-kind-of-mapping), but with the same disclaimer as you - I don't
know if I'll have enough time.
//Magnus