krb_match_realm patch
Greetings,
Regarding Magnus' patch for matching against the Kerberos realm- I'd
see it as much more useful as a multi-value configuration option.
Perhaps 'krb_alt_realms' or 'krb_realms'. This would look like:
Match against one, and only one, realm (does not have to be the realm
the server is in, that's dealt with separately):
krb_realms = 'ABC.COM'
Don't worry about the realm ever:
krb_realms = '' # default, to match current krb5
Match against multiple realms:
krb_realms = 'ABC.COM, DEF.ABC.COM'
Note that using multiple realms implies either no overlap, or that
overlap means the same person.
Additionally, I feel we should have an explicit 'krb_strip_realm'
boolean option to enable this behaviour. If 'krb_strip_realm' is
'false' then the full user@REALM would be used. This would mean that
more complex cross-realm could also be handled by creating users with
user@REALM and then just roles when a given user exists in multiple
realms.
I understand that we're in beta now but both of these are isolated and
rather small changes, I believe. Also, Magnus has indicated that he'd
be willing to adjust his patch accordingly if this is agreed to
(please correct me if I'm wrong here :).
Thanks,
Stephen
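The realm-matching rules proposed above, written out as a stand-alone C function so the semantics can be checked against concrete principals. This is an added example, not code from the thread or from PostgreSQL's Kerberos authentication; the names krb_map_principal, realm_in_list and krb_map_demo, the parameter shapes, and the 63-byte limit (taken from PostgreSQL's default NAMEDATALEN of 64) are assumptions. Realm comparison is exact and case-sensitive, as Kerberos realm names are, and an empty krb_realms means "accept any realm", matching the proposed default.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: PostgreSQL's default NAMEDATALEN is 64, so a role name holds
 * at most 63 bytes; anything longer would be truncated downstream. */
#define MAX_USERNAME 63

/*
 * Return 1 if realm appears as one entry of the comma-separated list realms.
 * Blanks around entries are ignored; comparison is exact and case-sensitive.
 * An empty list matches nothing: the caller treats '' as "accept any realm"
 * before it gets here.
 */
static int realm_in_list(const char *realm, const char *realms)
{
    size_t rlen = strlen(realm);
    const char *p = realms;

    while (*p)
    {
        const char *start, *end;

        while (*p == ' ' || *p == '\t')
            p++;
        start = p;
        while (*p && *p != ',')
            p++;
        end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
            end--;
        if ((size_t)(end - start) == rlen && strncmp(start, realm, rlen) == 0)
            return 1;
        if (*p == ',')
            p++;
    }
    return 0;
}

/*
 * Map an authenticated principal "user@REALM" to the database role name.
 * Returns 1 and writes the name to out on success; 0 if the principal is
 * malformed, its realm is not in krb_realms, or the result would not fit.
 *
 *   krb_realms       comma-separated realms to accept; "" means any realm
 *   krb_strip_realm  non-zero: role is "user"; zero: role is "user@REALM"
 */
int krb_map_principal(const char *principal, const char *krb_realms,
                      int krb_strip_realm, char *out, size_t outlen)
{
    /* The realm is whatever follows the last '@'; an escaped '@' inside the
     * name component is not handled (a simplification of this example). */
    const char *at = strrchr(principal, '@');
    size_t len;

    if (at == NULL || at == principal || at[1] == '\0')
        return 0;                       /* no user part or no realm part */
    if (krb_realms[0] != '\0' && !realm_in_list(at + 1, krb_realms))
        return 0;                       /* realm not in the allowed set */

    len = krb_strip_realm ? (size_t)(at - principal) : strlen(principal);
    if (len > MAX_USERNAME || len >= outlen)
        return 0;                       /* refuse rather than truncate */

    memcpy(out, principal, len);
    out[len] = '\0';
    return 1;
}

/* Demo wrapper: mapped name from a static buffer, or NULL when rejected. */
const char *krb_map_demo(const char *principal, const char *krb_realms,
                         int krb_strip_realm)
{
    static char buf[MAX_USERNAME + 1];
    return krb_map_principal(principal, krb_realms, krb_strip_realm,
                             buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed sample principals and settings (not real accounts). */
    struct { const char *principal, *realms; int strip; } cases[] = {
        { "alice@ABC.COM",    "ABC.COM",              1 },
        { "bob@DEF.ABC.COM",  "ABC.COM, DEF.ABC.COM", 1 },
        { "mallory@EVIL.COM", "ABC.COM, DEF.ABC.COM", 1 },
        { "alice@abc.com",    "ABC.COM",              1 },
        { "alice@ABC.COM",    "",                     1 },
        { "alice@ABC.COM",    "ABC.COM",              0 },
        { "nouser",           "",                     1 },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
    {
        const char *name = krb_map_demo(cases[i].principal, cases[i].realms,
                                        cases[i].strip);
        printf("%-18s realms='%-21s' strip=%d -> %s\n", cases[i].principal,
               cases[i].realms, cases[i].strip, name ? name : "REJECTED");
    }
    return 0;
}
```

Two points worth noticing when reading the output: with krb_strip_realm off, the full user@REALM is what reaches the role lookup, so the length check rejects principals that would no longer fit a role name instead of silently truncating them; and a realm given in the wrong case, or a realm that is only a prefix of an allowed one, is rejected, so the "overlap means the same person" caveat applies only to realms listed explicitly.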
Stephen Frost wrote:
> Greetings,
> Regarding Magnus' patch for matching against the Kerberos realm- I'd
> see it as much more useful as a multi-value configuration option.
> Perhaps 'krb_alt_realms' or 'krb_realms'. This would look like:
> Match against one, and only one, realm (does not have to be the realm
> the server is in, that's dealt with separately):
> krb_realms = 'ABC.COM'
> Don't worry about the realm ever:
> krb_realms = '' # default, to match current krb5
> Match against multiple realms:
> krb_realms = 'ABC.COM, DEF.ABC.COM'
> Note that using multiple realms implies either no overlap, or that
> overlap means the same person.
> Additionally, I feel we should have an explicit 'krb_strip_realm'
> boolean option to enable this behaviour. If 'krb_strip_realm' is
> 'false' then the full user@REALM would be used. This would mean that
> more complex cross-realm could also be handled by creating users with
> user@REALM and then just roles when a given user exists in multiple
> realms.
> I understand that we're in beta now but both of these are isolated and
> rather small changes, I believe. Also, Magnus has indicated that he'd
> be willing to adjust his patch accordingly if this is agreed to
> (please correct me if I'm wrong here :).
I've committed the patch as it was without this, because that's still
better than what we have now.
Just for the record, I've indicated that I'm willing to add the
multi-realm match part of that, but I'm not sure we want to dig into the
"krb_strip_realm" stuff this late in the cycle. At least unless someone
can confirm that we won't have issues *elsewhere* from passing in very
long usernames in what I believe is not entirely specified formats.
I will try to work on the multi-realm stuff next week, unless someone
wants to beat me to it...
//Magnus
Added to TODO:
o Allow Kerberos to disable stripping of realms so we can
check the username@realm against multiple realms
http://archives.postgresql.org/pgsql-hackers/2007-11/msg00009.php
---------------------------(end of broadcast)---------------------------
TIP 4: Have you searched our list archives?
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +