Kerberos patch in the queue
Hi!
I'd like to vote in favor of this patch:
http://candle.pha.pa.us/mhonarc/patches2/msg00025.html.
I know Tom said he didn't really like it, but I'd ask you to reconsider
that.
My use would be mainly for my integrate-with-active-directory project.
AD requires uppercase principal names, which maens POSTGRES instead of
postgres. If I could change this at runtime, that would certainly make
my life a *lot* easier. I'm sure it helps in several other cases as
well.
(I haven't looked at the actual patch, just at the end result of it)
//Magnus
"Magnus Hagander" <mha@sollentuna.net> writes:
I'd like to vote in favor of this patch:
http://candle.pha.pa.us/mhonarc/patches2/msg00025.html.
I know Tom said he didn't really like it, but I'd ask you to reconsider
that.
The patch is unacceptable as is because (a) it adds a libpq
configuration parameter that acts differently from all the other ones
(not supported in connect strings for instance) and (b) it adds no
documentation for that variable, nor for the server-side variable it
adds. Doing the libpq parameter in a more thorough fashion is just a
matter of programming-by-example (grep for CONNECT_TIMEOUT for an
example) but I for one don't know enough about Kerberos to document
the thing.
regards, tom lane
I'd like to vote in favor of this patch:
http://candle.pha.pa.us/mhonarc/patches2/msg00025.html.I know Tom said he didn't really like it, but I'd ask you to
reconsider
that.
The patch is unacceptable as is because (a) it adds a libpq
configuration parameter that acts differently from all the other ones
(not supported in connect strings for instance) and (b) it adds no
documentation for that variable, nor for the server-side variable it
adds. Doing the libpq parameter in a more thorough fashion is just a
matter of programming-by-example (grep for CONNECT_TIMEOUT for an
example) but I for one don't know enough about Kerberos to document
the thing.
Daniel asked about (a) - I'm not sure if he received an answer, I
couldn't find one at least.
(http://candle.pha.pa.us/mhonarc/patches2/msg00024.html has the question
and some more comments from him). And he offered to write up docs.
Daniel, still up for doing this? If not, I can try to update the patch
to address Toms concerns.
Tom, assuming we fix this, are you fine with the concept? The discussion
back then mentioned the "another way to fail the connection". I think
the gain far overweighs the pain, but it'd be nice to have that
confirmed before more work is committed.
//Magnus
Import Notes
Resolved by subject fallback
"Magnus Hagander" <mha@sollentuna.net> writes:
Tom, assuming we fix this, are you fine with the concept?
Mostly. Should the --with-krb-srvnam configure parameter go away?
Or is it now seen as establishing an installation default? (Either
way implies some documentation work.)
regards, tom lane
Tom, assuming we fix this, are you fine with the concept?
Mostly. Should the --with-krb-srvnam configure parameter go away?
Or is it now seen as establishing an installation default? (Either
way implies some documentation work.)
The original way kept it in there to establish an installation default.
I think that is a good idea (yes, it certainly has to be documented) to
keep it as such, and just allow it to be overridden (the same way you
can use --with-pgport to change the default port, but you can still
override it in postgresql.conf).
//Magnus
Import Notes
Resolved by subject fallback