Participants
Magnus Hagander
Magnus Hagander
Attachments
Download Latest Patchset
+688-621
Show all attachments
Thread Outline
#1Magnus HaganderMagnus Hagander
Sep 30, 2008
#2Magnus HaganderMagnus Haganderto Magnus Hagander (#1)
Oct 11, 2008
#3Magnus HaganderMagnus Haganderto Magnus Hagander (#1)
Oct 23, 2008

pg_hba options parsing

Started by Magnus Haganderover 17 years ago3 messageshackers
Jump to latest
#1Magnus Hagander
Magnus Hagander
magnus@hagander.net

This patch changes the options field of pg_hba.conf to take name/value
pairs instead of a fixed string. This makes it a lot nicer to deal with
auth methods that need more than one parameter, such as LDAP.

While at it, it also adds map support to kerberos, gssapi and sspi and
not just ident - basically all methods where the username comes from an
outside source (lmk if I missed one).

Also in passing, changes the methods in auth.c to deal with "unsupported
auth method on this platform" errors the same way for all authentication
methods.

I intend to build on this patch to support setting some
Kerberos/GSSAPI/SSPI parameters on a per-connection base, but wanted to
get the basics in first.

Obviously, documentation still pending. I'm working on that in parallel.

So, comments? Both in general, and specifically on if we need to do
backwards compatible parsing of LDAP options (doing it of all the other
options would be trivial, but LDAP would be harder)

//Magnus

Attachments:

hba_format.patchtext/x-diff; name=hba_format.patchDownload+404-388
#2Magnus Hagander
Magnus Hagander
magnus@hagander.net
In reply to: Magnus Hagander (#1)
Re: pg_hba options parsing

Magnus Hagander wrote:

This patch changes the options field of pg_hba.conf to take name/value
pairs instead of a fixed string. This makes it a lot nicer to deal with
auth methods that need more than one parameter, such as LDAP.

While at it, it also adds map support to kerberos, gssapi and sspi and
not just ident - basically all methods where the username comes from an
outside source (lmk if I missed one).

Also in passing, changes the methods in auth.c to deal with "unsupported
auth method on this platform" errors the same way for all authentication
methods.

I intend to build on this patch to support setting some
Kerberos/GSSAPI/SSPI parameters on a per-connection base, but wanted to
get the basics in first.

Obviously, documentation still pending. I'm working on that in parallel.

So, comments? Both in general, and specifically on if we need to do
backwards compatible parsing of LDAP options (doing it of all the other
options would be trivial, but LDAP would be harder)

Updated version of this patch, now with doc changes.

//Magnus

Attachments:

hba_options.patchtext/x-diff; name=hba_options.patchDownload+688-621
#3Magnus Hagander
Magnus Hagander
magnus@hagander.net
In reply to: Magnus Hagander (#1)
Re: pg_hba options parsing

Magnus Hagander wrote:

This patch changes the options field of pg_hba.conf to take name/value
pairs instead of a fixed string. This makes it a lot nicer to deal with
auth methods that need more than one parameter, such as LDAP.

While at it, it also adds map support to kerberos, gssapi and sspi and
not just ident - basically all methods where the username comes from an
outside source (lmk if I missed one).

Also in passing, changes the methods in auth.c to deal with "unsupported
auth method on this platform" errors the same way for all authentication
methods.

Applied with suggested changes.

//Magnus

← Back to Topics