On Mon, Feb 24, 2014 at 7:56 PM, Stephen Frost <sfrost@snowman.net> wrote:
> * Brian Crowell (brian@fluggo.com) wrote:
> > Right now, I'm seeing log entries like this:
> >
> > 2014-02-24 11:30:40 CST LOG: provided user name (Brian) and
> > authenticated user name (BCrowell@REALM.COM) do not match
> >
> > But the Kerberos ticket is perfectly valid, and matches a Postgres
> > user. In this case, the program attempting to log in is incapable of
> > determining the correct Postgres user name to send (see Npgsql bug for
> > the dirty details), so why not just accept the Kerberos principal
> > name?
>
> This is what the mapping logic in pg_ident was written to address...
>
There is also a parameter called include_realm, specifically for Kerberos,
which will remove the @REALM.COM part. But I believe it does that by
default.
Specifically see
http://www.postgresql.org/docs/9.3/static/auth-methods.html#GSSAPI-AUTH,
which deals with both those.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/