Re: SSPI authentication - patch - Mailing list pgsql-patches
From | Stephen Frost |
---|---|
Subject | Re: SSPI authentication - patch |
Date | |
Msg-id | 20070720130028.GT4887@tamriel.snowman.net Whole thread Raw |
In response to | Re: SSPI authentication - patch (Magnus Hagander <magnus@hagander.net>) |
Responses |
Re: SSPI authentication - patch
|
List | pgsql-patches |
* Magnus Hagander (magnus@hagander.net) wrote: > On Thu, Jul 19, 2007 at 06:22:57PM -0400, Stephen Frost wrote: > > My thinking would be to have the autoconf to disable it, but enable it > > by default. I don't feel particularly strongly about it though. > > Do you see a use-case where someone would disable it? I'll be happy to add > the switch if you do, it's not hard to do, but adding a switch just for the > sake of adding a switch is not something I lik e:-) Eh, I could contrive one but, as I said, I don't feel particularly strongly about it. How about we go w/o it for now and see if anyone asks for it. > > I understand that SSPI is case-insensitive, or folds to uppercase, or > > whatever, but this is *not* used only by the SSPI code. Please correct > > me if I'm wrong, but this will break existing krb-auth using client > > applications/setups that went with the previous default, no? I realize > > it's on Windows, but there are people out there with that > > configuration (yes, like me... :)... > > Ok, first to clearify the facts: > * SSPI is case-insensitive, case-preserving > * The problem is not from SSPI. It's Active Directory. If you use AD as the > KDC, you must use uppercase SPNs - regardless of SSPI. For example, it's > needed for anybody wanting to use the old krb5 auth in 8.x together with > Active Directory - like I do :-) Ah, thanks for clearing up where the problem arises from. > The change is there to because the majority of windows installs will > be using Active Directory, at least that's what I would expect. Certainly > not all, but most. It's a way of lowering the bar for the majority, at the > expense of the minority ;-) It's also at the expense of backwards compatibility. :/ People who are currently using the krb5 auth mechanism with AD are used to having to flip that or set the environment variable while people who have been using it with an MIT KDC may get suprised by it. > That said, I actually intended to submit that as a separate patch for > separate discussion. If people are against it, I'll be happy to drop that > part. My main concern is that it's a backward-incompatible change. I realize that it's likely going in the direction of the majority on Windows but it seems to make like it's not something we should just 'do'. That said, I don't see it as a problem for me since I've got a reasonably small user-base (10s, not 100s or 1000s) of Windows users and setting the environment variable shouldn't be an issue. > Again, it's not related to the library used, it's related to the KDC. And > we can't detect that, at least not early enough. That's true, but if we used upper-case with something NEW (SSPI) while keeping it the same for the OLD (KRB5, and I'd vote GSSAPI) then we're not breaking backwards compatibility while also catering to the masses. I guess I don't see too many people using SSPI w/ an MIT KDC, and it wasn't possible previously anyway. What do you think? Thanks! Stephen
Attachment
pgsql-patches by date: