Re: pg16 && GSSAPI && Heimdal/Macos
От | Nico Williams |
---|---|
Тема | Re: pg16 && GSSAPI && Heimdal/Macos |
Дата | |
Msg-id | Z/S4SP4LccxOpAMo@ubby обсуждение исходный текст |
Ответ на | pg16 && GSSAPI && Heimdal/Macos (kovert@omniscient.com) |
Список | pgsql-hackers |
On Wed, Dec 06, 2023 at 06:54:22PM -0500, kovert@omniscient.com wrote: > I wanted to follow up on the decision to blow off Apple's built-in > GSSAPI. Years back, for reasons I never found, Apple switched from MIT > to Heimdal and have been maintaining their own version of it. I'm not > clear how well they maintain it but they have enhanced it. Apple switched because Apple hired then developers of Heimdal, and they liked it better than MIT Kerberos. I have worked on both and know them intimately well and I too prefer Heimdal, mainly because it has a very nice ASN.1 compiler. Apple does enhance their fork of Heimdal, and they publish their changes with Darwin drops. But they do not contribute back to Heimdal. > One of the things that Apple put it in was a different centralized > credentials cache system. (named of the form "API:uuid"). This isn't > in Heimdal nor is it in MIT, so typical kerberos tickets issued by the Well, MIT and Heimdal support the KCM: cache type, which is an IPC interface to the system credentials cache daemon, which is basically what the API: cache type is, and they both support the CCAPI anyways, which is also what the API: cache really is (basically it's a shared object exporting an API for credentials caches). So they can both use the OS X API: cache. Well, I think so -- I don't use OS X so I don't know how well the OS X API: cache works with Heimdal or MIT Kerberos, but I believe it should. Nico --
В списке pgsql-hackers по дате отправления: