* Magnus Hagander (mha@sollentuna.net) wrote:
> The *REALM* is not checked, however. This can cause problems if you have
> a multi-realm system (where the realms already trust each other, because
> the KDC has to give out the service ticket) where you have the same
> username existing in multiple realms representing different users.
This brings up the issue again that it'd be nice to be able to have what
amounts to a '.k5login' in PostgreSQL somehow. Ideally, this would be
something an idividual user could set up but at good first step would be
to have something along the lines of pg_ident.conf for Kerberos
connections where the admin could implement a mapping.
We should probably also have a configurable option to check the realm or
to not check the realm. I'd like to look into doing this for 8.2 but,
as usual, I'm not sure I'll have time. Anyone else looking into this?
Thanks,
Stephen
