Truncation of krb5 principals - Mailing list pgsql-admin

From Enrico Scholz
Subject Truncation of krb5 principals
Date
Msg-id 87n034dc5d.fsf@kosh.ultra.csn.tu-chemnitz.de
List pgsql-admin
Hello,

I am using krb5 authorization and have a problem with the mangling of krb5
principal names. E.g. on authentication, the principals 'foo/www@XYZ.ORG'
and 'foo/mail@ABC.COM' will both be rewritten to the local username 'foo',
which is completely unwanted and might be a security problem.

In the archives, I read that this happens because '/' and '@' are
forbidden characters for usernames. An authname-to-username mapping
table was a proposed solution, but although the discussion[1] was some
time ago in 2002, I cannot find such a thing in recent postgresql
7.4.2.

If the authname -> username table would be too complicated to
implement, would it be possible to use something like OpenLDAP's
'sasl-regexp' feature? E.g. in postgresql.conf it could be written

| sasl-regexp "([^/]*)/www@XYZ.ORG"  "$1_www_XYZ_ORG"
| sasl-regexp "([^/]*)/mail@ABC.COM" "$1_mail_ABC_COM"

which maps the principals above into valid SQL usernames.

Enrico

Footnotes:
[1]  http://groups.google.com/groups?&selm=8149.1021471997%40sss.pgh.pa.us
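The mapping the post asks for can be modelled outside the server to see why truncation is unsafe and how a first-match regexp table fixes it. The following is an added example written for this page, not code from the post or from PostgreSQL; the rule table mirrors the two 'sasl-regexp' lines above, and the realms, principals and the `$1` template syntax are assumptions taken from the post. It contrasts the complained-about truncation (both principals collapse to `foo`) with an explicit mapping that yields distinct role names and rejects any principal no rule covers, instead of silently truncating it.

```python
import re

# Constructed rule table modelled on the 'sasl-regexp' lines in the post:
# (pattern matched against the whole principal, template expanded with $1, $2 ...).
# Realms and shapes are assumptions for this example, not a real deployment.
RULES = [
    (r"([^/]*)/www@XYZ\.ORG", "$1_www_XYZ_ORG"),
    (r"([^/]*)/mail@ABC\.COM", "$1_mail_ABC_COM"),
]

# Shape a mapped name must have to be a plain, unquoted SQL identifier
# (NAMEDATALEN-1 = 63 characters, letters/digits/underscore only).
SQL_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def truncate_principal(principal):
    """The behaviour the post complains about: everything from the first
    '/' or '@' onward is dropped, so distinct principals collide."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]


def map_principal(principal, rules=RULES):
    """Map a Kerberos principal to a role name using the first matching rule.

    Returns None when no rule matches, so an unknown principal is refused
    rather than mapped onto some existing user by truncation."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, principal)
        if m is None:
            continue
        # Expand $N placeholders from the capture groups of the matched rule.
        name = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
        if not SQL_IDENT.match(name):
            raise ValueError("rule produced an invalid role name: %r" % name)
        return name
    return None


def find_collisions(principals, mapper):
    """Return {role_name: [principals...]} for names that more than one
    principal maps to; an empty dict means the mapping is injective."""
    seen = {}
    for p in principals:
        name = mapper(p)
        if name is not None:
            seen.setdefault(name, []).append(p)
    return {n: ps for n, ps in seen.items() if len(ps) > 1}


if __name__ == "__main__":
    # Constructed sample principals: the two from the post plus one from a
    # realm that no rule covers.
    sample = ["foo/www@XYZ.ORG", "foo/mail@ABC.COM", "foo@OTHER.EXAMPLE"]
    print("truncation:", {p: truncate_principal(p) for p in sample})
    print("collisions under truncation:", find_collisions(sample, truncate_principal))
    print("mapping:", {p: map_principal(p) for p in sample})
    print("collisions under mapping:", find_collisions(sample, map_principal))
```

The important design point is the `None` return: a principal that matches no rule should fail authentication, because falling back to truncation is exactly the collision described above. Later PostgreSQL releases ship this idea as user name maps in pg_ident.conf (regular expressions with `\1` substitution), but the 7.4 series the post refers to does not have it.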
