> > Which brings me back to thinking a GUC is the way to deal
> with that -
> > you'll definitly know what kind of KDC you have when you set up
> > Kerberos. But perhaps this GUC should be for "permit
> case-insensitive
> > kerberos principals" and not "case-insensitive usernames". And it
> > would just control the comparison between kerberos principal and
> > user-supplied username. The user-supplied username would still be
> > what's used in any access to the database, regardless of case.
>
> That would work for me as long as the default is
> case-sensitive; the other seems too likely to be a security
> hazard. (And it had better be documented that way, too: "DO
> NOT turn this on unless you are certain you are using a
> case-insensitive KDC.")
Fine with me - you'll need to tweak the default principal name anyway to
work with the windwos KDC, so you're giong there anyawy. It's just a
matter of documenting it.
> What will we call the GUC? kerberos_case_insensitive_principals
> seems a bit, um, verbose.
All other kerberos parameters are krb_ and not kerberos_, so that saves
a bit :) How about just "krb_case_insensitive"? Or "krb_case_ins_princ"?
//Magnus