Re: SSPI authentication - patch - Mailing list pgsql-patches
From | Magnus Hagander |
---|---|
Subject | Re: SSPI authentication - patch |
Date | |
Msg-id | 46A0E045.7050207@hagander.net |
In response to | Re: SSPI authentication - patch (Stephen Frost <sfrost@snowman.net>) |
Responses | Re: SSPI authentication - patch |
List | pgsql-patches |

Stephen Frost wrote:
> * Magnus Hagander (magnus@hagander.net) wrote:
>> On Thu, Jul 19, 2007 at 06:22:57PM -0400, Stephen Frost wrote:
>>> My thinking would be to have the autoconf to disable it, but enable it
>>> by default. I don't feel particularly strongly about it though.
>> Do you see a use-case where someone would disable it? I'll be happy to add
>> the switch if you do, it's not hard to do, but adding a switch just for the
>> sake of adding a switch is not something I like :-)
>
> Eh, I could contrive one but, as I said, I don't feel particularly
> strongly about it. How about we go w/o it for now and see if anyone
> asks for it.

Sounds like a plan.

>> The change is there because the majority of Windows installs will
>> be using Active Directory, at least that's what I would expect. Certainly
>> not all, but most. It's a way of lowering the bar for the majority, at the
>> expense of the minority ;-)
>
> It's also at the expense of backwards compatibility. :/ People who are
> currently using the krb5 auth mechanism with AD are used to having to
> flip that or set the environment variable while people who have been
> using it with an MIT KDC may get surprised by it.

Yeah, that's certainly the expense of it :-( It's helping the newbies though.

>> That said, I actually intended to submit that as a separate patch for
>> separate discussion. If people are against it, I'll be happy to drop that
>> part.
>
> My main concern is that it's a backward-incompatible change. I realize
> that it's likely going in the direction of the majority on Windows but
> it seems to make like it's not something we should just 'do'. That
> said, I don't see it as a problem for me since I've got a reasonably
> small user-base (10s, not 100s or 1000s) of Windows users and setting
> the environment variable shouldn't be an issue.

Right. For now, I'll pull it out of that patch, and we can have a separate discussion about it. I'd certainly like to hear someone else than just me and you say something about it :-)

>> Again, it's not related to the library used, it's related to the KDC. And
>> we can't detect that, at least not early enough.
>
> That's true, but if we used upper-case with something NEW (SSPI) while
> keeping it the same for the OLD (KRB5, and I'd vote GSSAPI) then we're
> not breaking backwards compatibility while also catering to the masses.
> I guess I don't see too many people using SSPI w/ an MIT KDC, and it
> wasn't possible previously anyway.
>
> What do you think?

Hmm. It makes the default a lot less clear, and opens up for confusion. So I'm not so sure I like it :-) Plus, it's not as easy to implement - you have to consider how it gets affected by say manual specification of --with-krbsrvnam etc.

//Magnus