Including kerberos realm - Mailing list pgsql-hackers
From | Magnus Hagander |
---|---|
Subject | Including kerberos realm |
Date | |
Msg-id | 495E0735.5040601@hagander.net Whole thread Raw |
List | pgsql-hackers |
Here's the patch allowing for the parameter include_realm on pg_hba.conf, that makes the authentication system pass the user@realm format username to the identmap, instead of stripping the realm. This was the original reason for having regexp support in the ident maps.. The idea is to make it a lot easier to run with multiple kerberos realms in the same installation. Hello Stephen :-) Comments? //Magnus *** a/doc/src/sgml/client-auth.sgml --- b/doc/src/sgml/client-auth.sgml *************** *** 786,791 **** omicron bryanh guest1 --- 786,803 ---- </varlistentry> <varlistentry> + <term>include_realm</term> + <listitem> + <para> + Include the realm name from the authenticated user principal. This is useful + in combination with Username maps (See <xref linkend="auth-username-maps"> + for details), especially with regular expressions, to map users from + multiple realms. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>krb_realm</term> <listitem> <para> *************** *** 847,852 **** omicron bryanh guest1 --- 859,876 ---- </varlistentry> <varlistentry> + <term>include_realm</term> + <listitem> + <para> + Include the realm name from the authenticated user principal. This is useful + in combination with Username maps (See <xref linkend="auth-username-maps"> + for details), especially with regular expressions, to map users from + multiple realms. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>krb_realm</term> <listitem> <para> *** a/src/backend/libpq/auth.c --- b/src/backend/libpq/auth.c *************** *** 748,754 **** pg_krb5_recvauth(Port *port) cp = strchr(kusername, '@'); if (cp) { ! *cp = '\0'; cp++; if (realmmatch != NULL && strlen(realmmatch)) --- 748,760 ---- cp = strchr(kusername, '@'); if (cp) { ! /* ! * If we are not going to include the realm in the username that is passed ! * to the ident map, destructively modify it here to remove the realm. Then ! * advance past the separator to check the realm. ! */ ! 
if (!port->hba->include_realm) ! *cp = '\0'; cp++; if (realmmatch != NULL && strlen(realmmatch)) *************** *** 1040,1046 **** pg_GSS_recvauth(Port *port) { char *cp = strchr(gbuf.value, '@'); ! *cp = '\0'; cp++; if (realmmatch != NULL && strlen(realmmatch)) --- 1046,1058 ---- { char *cp = strchr(gbuf.value, '@'); ! /* ! * If we are not going to include the realm in the username that is passed ! * to the ident map, destructively modify it here to remove the realm. Then ! * advance past the separator to check the realm. ! */ ! if (!port->hba->include_realm) ! *cp = '\0'; cp++; if (realmmatch != NULL && strlen(realmmatch)) *************** *** 1361,1368 **** pg_SSPI_recvauth(Port *port) /* * We have the username (without domain/realm) in accountname, compare to * the supplied value. In SSPI, always compare case insensitive. */ ! return check_usermap(port->hba->usermap, port->user_name, accountname, true); } #endif /* ENABLE_SSPI */ --- 1373,1394 ---- /* * We have the username (without domain/realm) in accountname, compare to * the supplied value. In SSPI, always compare case insensitive. + * + * If set to include realm, append it in <username>@<realm> format. */ ! if (port->hba->include_realm) ! { ! char *namebuf; ! int retval; ! ! namebuf = palloc(strlen(accountname) + strlen(domainname) + 2); ! sprintf(namebuf, "%s@%s", accountname, domainname); ! retval = check_usermap(port->hba->usermap, port->user_name, namebuf, true); ! pfree(namebuf); ! return retval; ! } ! else ! 
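Review bot: When include_realm is set the realm is still only compared against krb_realm when that option is configured (the `if (realmmatch != NULL && strlen(realmmatch))` that follows), so with krb_realm absent the usermap regular expression becomes the sole control over which realms may map onto a database role; the comment added here should say so, and the same applies to the pg_GSS_recvauth hunk below. Suggested addition to the comment: `When the realm is kept, restricting the accepted realms is left to krb_realm or to an anchored usermap regex; an unanchored pattern maps principals from any realm the KDC trusts.` The two hunks also repeat the same five-line comment and condition verbatim, which a small static helper that strips the realm when !include_realm would avoid. The bodies of pg_krb5_recvauth and pg_GSS_recvauth continue outside the hunks.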
return check_usermap(port->hba->usermap, port->user_name, accountname, true); } #endif /* ENABLE_SSPI */ *** a/src/backend/libpq/hba.c --- b/src/backend/libpq/hba.c *************** *** 1055,1060 **** parse_hba_line(List *line, int line_num, HbaLine *parsedline) --- 1055,1071 ---- INVALID_AUTH_OPTION("krb_realm", "krb5, gssapi and sspi"); parsedline->krb_realm = pstrdup(c); } + else if (strcmp(token, "include_realm") == 0) + { + if (parsedline->auth_method != uaKrb5 && + parsedline->auth_method != uaGSS && + parsedline->auth_method != uaSSPI) + INVALID_AUTH_OPTION("include_realm", "krb5, gssapi and sspi"); + if (strcmp(c, "1") == 0) + parsedline->include_realm = true; + else + parsedline->include_realm = false; + } else { ereport(LOG, *** a/src/include/libpq/hba.h --- b/src/include/libpq/hba.h *************** *** 58,63 **** typedef struct --- 58,64 ---- bool clientcert; char *krb_server_hostname; char *krb_realm; + bool include_realm; } HbaLine; typedef struct Port hbaPort;
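Review bot: The existing comment `We have the username (without domain/realm) in accountname` is now stale for the include_realm branch directly below it, which re-attaches the domain as `<username>@<domainname>`; it should be reworded to say the realm is appended when include_realm is set. The `palloc`/`sprintf` pair sizes the buffer correctly (two extra bytes for `@` and the terminator) but keeps the size and the write unconnected; `size_t len = strlen(accountname) + strlen(domainname) + 2; namebuf = palloc(len); snprintf(namebuf, len, "%s@%s", accountname, domainname);` ties them together. If domainname here is the Windows domain name rather than a Kerberos realm (not visible in the hunk), the identity handed to the usermap will differ in form from the `user@REALM` produced by the krb5 and GSSAPI paths, which is worth stating in the client-auth.sgml description. pg_SSPI_recvauth begins outside the hunk.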
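Review bot: Any value other than the literal `1` silently sets include_realm to false, so a typo such as `include_realm=yes` or `include_realm=true` in pg_hba.conf disables the option without any message and the line keeps mapping principals with the realm stripped. Accepting only `0` and `1` and logging anything else, as the surrounding option parsing does for unknown options, makes the misconfiguration visible. Whether include_realm is false when the option is absent depends on parsedline being zeroed or explicitly initialised before this option loop, which is outside the hunk; parse_hba_line continues outside the hunk on both sides.
```c
			if (strcmp(c, "1") == 0)
				parsedline->include_realm = true;
			else if (strcmp(c, "0") == 0)
				parsedline->include_realm = false;
			else
			{
				ereport(LOG,
						(errcode(ERRCODE_CONFIG_FILE_ERROR),
						 errmsg("invalid value \"%s\" for include_realm on line %d, expected 0 or 1",
								c, line_num)));
				/* … reject the line the same way INVALID_AUTH_OPTION does … */
			}
```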