On Mon, Feb 24, 2014 at 1:58 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> I wonder whether there would be any value in an option for SSPI (and
> maybe other auth methods) to say "after authentication is complete,
> substitute the authenticated principal name for the database user
> name" (possibly after realm-stripping, case-folding, etc).

I humbly resubmit my ticket-in-the-startup-packet suggestion, which
I'd hope would be easier, especially since any program not supplying
it would fall back to the standard challenge auth mechanism.

Like:

1. client -> server startup packet + GSSAPI="here's my ticket"
2. server -> client AuthenticationGSSContinue
3. client -> server password packet
4. server -> client AuthenticationOK

But then I don't know what I'm talking about really :P
(goes to read the protocol specs)

--Brian
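
The flow sketched in the message above, as an added example that is not code from the thread or from PostgreSQL: a v3 startup packet carrying a GSSAPI token in a hypothetical `gssapi_ticket` parameter, with the server falling back to the standard AuthenticationGSS challenge when the parameter is absent. The parameter name, the base64 encoding, the size cap and the `accept_token` callback are assumptions.

```python
import base64
import struct

PROTOCOL_V3 = 196608                     # protocol 3.0 version word
AUTH_GSS, AUTH_GSS_CONTINUE = 7, 8       # AuthenticationGSS / AuthenticationGSSContinue
TICKET_KEY = "gssapi_ticket"             # HYPOTHETICAL parameter name (assumption)
MAX_STARTUP = 10000                      # assumed cap on this pre-auth packet

def build_startup(params):
    """Length word, version word, then key\\0value\\0 pairs and a final \\0."""
    body = struct.pack("!I", PROTOCOL_V3)
    for key, value in params.items():
        body += key.encode() + b"\0" + value.encode() + b"\0"
    body += b"\0"
    return struct.pack("!I", len(body) + 4) + body

def parse_startup(packet):
    """Validate framing before trusting any field: this input is unauthenticated."""
    if not 9 <= len(packet) <= MAX_STARTUP or packet[-1:] != b"\0":
        raise ValueError("bad startup packet size or terminator")
    length, version = struct.unpack("!II", packet[:8])
    if length != len(packet) or version != PROTOCOL_V3:
        raise ValueError("bad length or protocol version")
    fields = packet[8:-1].split(b"\0")[:-1]
    if len(fields) % 2:
        raise ValueError("parameter name without a value")
    return {k.decode(): v.decode() for k, v in zip(fields[::2], fields[1::2])}

def auth_message(code, data=b""):
    """'R' message: type byte, length (counts itself), auth code, payload."""
    return b"R" + struct.pack("!II", 8 + len(data), code) + data

def server_first_reply(packet, accept_token):
    """accept_token stands in for the server's GSSAPI accept call (hypothetical)."""
    ticket = parse_startup(packet).get(TICKET_KEY)
    if ticket is None:
        return auth_message(AUTH_GSS)    # old client: standard challenge flow
    token = base64.b64decode(ticket, validate=True)
    return auth_message(AUTH_GSS_CONTINUE, accept_token(token))

if __name__ == "__main__":
    token = b"constructed-ticket-bytes"  # constructed sample, not a real ticket
    new = build_startup({"user": "brian", TICKET_KEY: base64.b64encode(token).decode()})
    old = build_startup({"user": "brian"})
    print(server_first_reply(new, lambda t: b"srv:" + t))
    print(server_first_reply(old, lambda t: b"srv:" + t))
```

The token arrives before any authentication has happened, so the sketch checks size and framing first and rejects non-base64 input instead of passing it to the accept call.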