-
+
Client Authentication
krb_realm
- Overrides the parameter, setting which realm
- to verify the authenticated user principal against.
-
-
-
-
-
- krb_server_hostname
-
- Overrides the parameter, setting which
- hostname will be used for the server principal when using Kerberos.
+ Sets the realm to match user principal names against. If this parameter
+ is not set, the realm of the user will be ignored.
krb_realm
- Overrides the parameter, setting which realm
- to verify the authenticated user principal against.
+ Sets the realm to match user principal names against. If this parameter
+ is not set, the realm of the user will be ignored.
pgusername@realm. By default, the realm of the client is
not checked by
PostgreSQL. If you have cross-realm authentication enabled and need to verify the realm, use the
- parameter.
+ krb_realm parameter in pg_hba.conf.
database access over the web, no extra passwords required.
+ The following configuration options are supported for
Kerberos:
+
+
+ map
+
+ Allows for mapping between system and database usernames. See
+ for details.
+
+
+
+
+
+ include_realm
+
+ Include the realm name from the authenticated user principal. This is useful
+ in combination with Username maps (See
+ for details), especially with regular expressions, to map users from
+ multiple realms.
+
+
+
+
+
+ krb_realm
+
+ Sets the realm to match user principal names against. If this parameter
+ is not set, the realm of the user will be ignored.
+
+
+
+
+
+ krb_server_hostname
+
+ Sets the host name part of the service principal.
+ This, combined with krb_srvname, is used to generate
+ the complete service principal, that is
+ krb_srvname/krb_server_hostname@REALM.
+ If not set, the default is the server host name.
+
+
+
+
+
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.177 2009/01/07 13:09:21 mha Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.178 2009/01/09 10:13:18 mha Exp $
*
*-------------------------------------------------------------------------
*/
char *pg_krb_server_keyfile;
char *pg_krb_srvnam;
bool pg_krb_caseins_users;
-char *pg_krb_server_hostname = NULL;
-char *pg_krb_realm = NULL;
/*----------------------------------------------------------------
* If no hostname was specified, pg_krb_server_hostname is already NULL.
* If it's set to blank, force it to NULL.
*/
- if (port->hba->krb_server_hostname)
- khostname = port->hba->krb_server_hostname;
- else
- khostname = pg_krb_server_hostname;
+ khostname = port->hba->krb_server_hostname;
if (khostname && khostname[0] == '\0')
khostname = NULL;
krb5_ticket *ticket;
char *kusername;
char *cp;
- char *realmmatch;
if (get_role_line(port->user_name) == NULL)
return STATUS_ERROR;
return STATUS_ERROR;
}
- if (port->hba->krb_realm)
- realmmatch = port->hba->krb_realm;
- else
- realmmatch = pg_krb_realm;
-
cp = strchr(kusername, '@');
if (cp)
{
*cp = '\0';
cp++;
- if (realmmatch != NULL && strlen(realmmatch))
+ if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
{
/* Match realm against configured */
if (pg_krb_caseins_users)
- ret = pg_strcasecmp(realmmatch, cp);
+ ret = pg_strcasecmp(port->hba->krb_realm, cp);
else
- ret = strcmp(realmmatch, cp);
+ ret = strcmp(port->hba->krb_realm, cp);
if (ret)
{
elog(DEBUG2,
"krb5 realm (%s) and configured realm (%s) don't match",
- cp, realmmatch);
+ cp, port->hba->krb_realm);
krb5_free_ticket(pg_krb5_context, ticket);
krb5_auth_con_free(pg_krb5_context, auth_context);
}
}
}
- else if (realmmatch && strlen(realmmatch))
+ else if (port->hba->krb_realm&& strlen(port->hba->krb_realm))
{
elog(DEBUG2,
"krb5 did not return realm but realm matching was requested");
int ret;
StringInfoData buf;
gss_buffer_desc gbuf;
- char *realmmatch;
/*
* GSS auth is not supported for protocol versions before 3, because it
gettext_noop("retrieving GSS user name failed"),
maj_stat, min_stat);
- if (port->hba->krb_realm)
- realmmatch = port->hba->krb_realm;
- else
- realmmatch = pg_krb_realm;
-
/*
* Split the username at the realm separator
*/
*cp = '\0';
cp++;
- if (realmmatch != NULL && strlen(realmmatch))
+ if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
{
/*
* Match the realm part of the name first
*/
if (pg_krb_caseins_users)
- ret = pg_strcasecmp(realmmatch, cp);
+ ret = pg_strcasecmp(port->hba->krb_realm, cp);
else
- ret = strcmp(realmmatch, cp);
+ ret = strcmp(port->hba->krb_realm, cp);
if (ret)
{
/* GSS realm does not match */
elog(DEBUG2,
"GSSAPI realm (%s) and configured realm (%s) don't match",
- cp, realmmatch);
+ cp, port->hba->krb_realm);
gss_release_buffer(&lmin_s, &gbuf);
return STATUS_ERROR;
}
}
}
- else if (realmmatch && strlen(realmmatch))
+ else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
{
elog(DEBUG2,
"GSSAPI did not return realm but realm matching was requested");
SID_NAME_USE accountnameuse;
HMODULE secur32;
QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
- char *realmmatch;
/*
* SSPI auth is not supported for protocol versions before 3, because it
* Compare realm/domain if requested. In SSPI, always compare case
* insensitive.
*/
- if (port->hba->krb_realm)
- realmmatch = port->hba->krb_realm;
- else
- realmmatch = pg_krb_realm;
-
- if (realmmatch && strlen(realmmatch))
+ if (port->hba->krb_realm && strlen(port->hba->krb_realm))
{
- if (pg_strcasecmp(realmmatch, domainname))
+ if (pg_strcasecmp(port->hba->krb_realm, domainname))
{
elog(DEBUG2,
"SSPI domain (%s) and configured domain (%s) don't match",
- domainname, realmmatch);
+ domainname, port->hba->krb_realm);
return STATUS_ERROR;
}
* Written by Peter Eisentraut
. *
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.491 2009/01/07 22:40:49 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.492 2009/01/09 10:13:18 mha Exp $
*
*--------------------------------------------------------------------
*/
"$libdir", NULL, NULL
},
- {
- {"krb_realm", PGC_SIGHUP, CONN_AUTH_SECURITY,
- gettext_noop("Sets realm to match Kerberos and GSSAPI users against."),
- NULL,
- GUC_SUPERUSER_ONLY
- },
- &pg_krb_realm,
- NULL, NULL, NULL
- },
-
{
{"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY,
gettext_noop("Sets the location of the Kerberos server key file."),
PG_KRB_SRVNAM, NULL, NULL
},
- {
- {"krb_server_hostname", PGC_SIGHUP, CONN_AUTH_SECURITY,
- gettext_noop("Sets the hostname of the Kerberos server."),
- NULL
- },
- &pg_krb_server_hostname,
- NULL, NULL, NULL
- },
-
{
{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Sets the Bonjour broadcast service name."),
projects / postgresql.git / commitdiff