Re: BUG #9337: SSPI/GSSAPI with mismatched user names - Mailing list pgsql-bugs
| From | Stephen Frost |
|---|---|
| Subject | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |
| Date | |
| Msg-id | 20140224194710.GR2921@tamriel.snowman.net |
| In response to | Re: BUG #9337: SSPI/GSSAPI with mismatched user names (Brian Crowell <brian@fluggo.com>) |
| Responses | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |
| List | pgsql-bugs |
* Brian Crowell (brian@fluggo.com) wrote:
> > Also, is the PG user really "BCrowell@REALM.COM", or is it actually
> > 'bcrowell', in which case you need a mapping for that (unless you tell
> > PG to just strip the realm off, but I generally recommend against such
> > since you can end up with cross-realm issues if you ever define a trust
> > relationship to another realm with different users who might have the
> > same princs as your local users).
>
> The PG user is "BCrowell@REALM.COM". include_realm is on because we
> have a forest, and I don't want any crossed wires between domains.

Ah, makes sense. Again, you could have different usernames in PG if you
wanted to keep things simpler, by using pg_ident.conf, but if using the
full princ works for you then that's certainly fine too.

> Really, this is all what I want to happen, and everything about it
> works. The only problem is that PG wants a user name that, in a few
> cases, I just don't have.

It really should be possible for you to get it. I'm in flight at the
moment and so the interwebs are a bit lagged or I'd go figure out what
the right GSSAPI calls are, though I can understand if you'd rather just
be able to ask libpq to handle that or maybe pass back what the princ
is, so you don't have to deal with the Kerberos calls directly.

> I'm starting to see that this appears very differently to Postgres
> people. I'm coming here from SQL Server, where in our company we've
> now got it set up that each user's SQL Server login _is_ their domain
> login. Not just named the same--SQL Server understands the domain, and
> each user is coming in as their Windows identity.

I'm familiar with SQL Server and how it works there, and in a lot of
ways it's very similar to what happens in PG. It has similar options for
doing mapping too, as I recall, and if you want to be able to have such
a mapping then you have to have both the log-me-in-as username and the
Kerberos princ.

> However, to Postgres, Kerberos is not about identities at all, it's
> just a fancy password mechanism. Really you just want to know a
> Postgres user, and it's never been a problem for users to specify
> that. I guess what I'm asking is if Kerberos can be used to specify my
> Postgres username as well.

This is overstating it, imv. The exact same issue happens if, for
example, you want to ssh to a server: you have to provide the Unix
username that you want to log into the system as, along with the
Kerberos ticket. Those can then be different too, by using a .k5login
file.

If you'd like to complain about something in this regard, it would be
that we don't have any way to link PG users in directly with LDAP in the
way that AD does, where the group membership is done through LDAP. That
would certainly be accurate, but it would be quite a bit of work to
allow, and we don't get many requests for such capability.

Thanks,

Stephen
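Added example, not part of the thread and not PostgreSQL's own code: a simplified Python model of the pg_ident.conf mapping Stephen refers to, using a constructed map (the map name `krbmap`, the regex rule and the sample principals are assumptions). It shows an exact-principal mapping, a realm-anchored regex mapping, and why keeping include_realm on matters: a same-named principal from another realm does not match the map, whereas stripping the realm would collapse both onto one PG user.

```python
import re

# Constructed pg_ident.conf fragment (example data, not from the thread).
# Format: MAPNAME  SYSTEM-USERNAME  PG-USERNAME; a SYSTEM-USERNAME that
# starts with "/" is a regex and PG-USERNAME may use \1 for its group.
PG_IDENT = r"""
krbmap     BCrowell@REALM.COM              bcrowell
krbmap     /^([a-z0-9]+)@REALM\.COM$       \1
"""


def parse_ident(text):
    """Return (mapname, system_username, pg_username) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(tuple(line.split()))
    return rules


def strip_realm(principal):
    """What include_realm=0 does: drop everything after the first '@'."""
    return principal.split("@", 1)[0]


def map_user(rules, mapname, principal, requested):
    """Simplified pg_ident semantics: may `principal` log in as `requested`?"""
    for name, sysname, pgname in rules:
        if name != mapname:
            continue
        if sysname.startswith("/"):
            match = re.match(sysname[1:], principal)
            if not match:
                continue
            candidate = pgname.replace(r"\1", match.group(1)) if match.groups() else pgname
        elif sysname == principal:
            candidate = pgname
        else:
            continue
        if candidate == requested:
            return True
    return False


if __name__ == "__main__":
    rules = parse_ident(PG_IDENT)
    print(map_user(rules, "krbmap", "BCrowell@REALM.COM", "bcrowell"))  # True
    print(map_user(rules, "krbmap", "jdoe@OTHER.COM", "jdoe"))          # False
    print(strip_realm("jdoe@REALM.COM") == strip_realm("jdoe@OTHER.COM"))  # True
```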