On 2019-Dec-27, Stephen Frost wrote:

> Maybe part of the confusion here is that there's two different things- a
> credential cache, and then a credential *handle*. Calling
> gss_acquire_cred() will, if a credential *cache* exists, return to us a
> credential *handle* (in the form of conn->gcred) that we then pass to
> gss_init_sec_context().

Hmm, ok, yeah I certainly didn't understand that -- I was thinking that
the call was creating the credential cache itself, not a *handle* to
access it (I suppose that terminology must be clear to somebody familiar
with GSS).

> Hopefully that helps. I'm certainly happy to work with you to reword
> the comment, of course, but let's make sure there's agreement and
> understanding of what the code does first.

How about this?

	 * If GSSAPI is enabled and we can reach a credential cache,
	 * set up a handle for it; if it's operating, just send a
	 * GSS startup message, instead of the SSL negotiation and
	 * regular startup message below.

-- 
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services