Postgres Pro
Downloads
Home   >   mailing lists

Re: Postgresql gss user map doesn't work - Mailing list pgsql-admin

From Magnus Hagander
Subject Re: Postgresql gss user map doesn't work
Date
Msg-id CABUevEyLQLrrowMZRRpLTa=7cMvY+N7LEVGrOxUVvqdrcCcMYQ@mail.gmail.com
Whole thread Raw
In response to Re: Postgresql gss user map doesn't work  (xujian <jamesxu@outlook.com>)
List pgsql-admin
Tree view


On Wed, Jul 1, 2015 at 7:36 PM, xujian <jamesxu@outlook.com> wrote:
Since we need to add user name in the command, which is not we want, I removed the map in the pg_ident.conf file, and created role xxx@COMPANY.COM in postgresql

the pg_hba.conf looks like:
host    all     all    all    gss include_realm=1

in pg_ident.conf, I removed all items

in postgresql, I create role
create role "xxx@COMPANY.COM" login

I thought it would work, because my credential is xxx@COMPANY.COM, and there was user xxx@COMPANY.COM in postgresql, it should map the my credential to user xxx@COMPANY.COM.

however, when I login with kerberos, I got error  below on server side
LOG:  provided user name (xxx) and authenticated user name (xxx@COMPANY.COM) do not match
FATAL:  GSSAPI authentication failed for user "xxx"

Do anyone know why it doesn't work?  thanks



The PostgreSQL clients (psql in this case) will default to what you are logged into on the local machine with (the result of getpwuid()). This returns "xxx", so that's what PostgreSQL logs in with. It does not explicitly ask the gss system what credentials are there until a much later stage.

To do what you want, you need to create "xxx" in the database, and have a pg_ident mapping xxx@COMPANY.COM to xxx (using a regexp map probably).
 


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

pgsql-admin by date:

Previous
From: Scott Marlowe
Date:
Subject: Re: Tuning on server with both running oracle and postgreSQL database
Next
From: Bert
Date:
Subject: Architecture setup for multiple dwh databases: multi master, master slave, ...