Thread: Re: couple socket-connection questions

Re: couple socket-connection questions

From
"Henry B. Hotz"
Date:
At 9:23 AM +0200 5/30/03, Daniel Kouril wrote:
>On Thu, May 29, 2003 at 05:48:44PM -0700, Henry B. Hotz wrote:
>>  Actually that's mod_auth_krb, not kerb.  They are different apache
>>  modules and the one without the 'e' is newer.  I found out about it
>>  from the PostgreSQL manual.  It claims to implement some Microsoft
>>  IETF-draft which is also supported by Mozilla for getting Kerberos
>>  credentials forwarded.  If the connection doesn't support the
>>  IETF-draft then it falls back to getting a name/password via basic
>>  auth.  With the right options apache will retain the (forwarded or
>>  created) tgt which can be used by mod_perl (or presumably PHP) to
>>  authenticate a connection with PostgreSQL.
>
>I don't know which module is meant by the PostgreSQL docs, but you can have
>a look at http://meta.cesnet.cz/software/heimdal/negotiate.en.html
>The page contains implementations of exactly the functionality referred to above.

Interesting.

I just repeated my Google search for mod-without-e and almost the
only hits are the PostgreSQL admin manual.  I did find a
cross-reference to a sourceforge page
<http://modauthkerb.sourceforge.net/> which looks an awful lot like
the page I remember for the no-e module --- but it has an e.

My guess is that the module web page had a spelling error once which
was picked up by the PostgreSQL admin manual.  The spelling error has
been fixed everywhere now, except at PostgreSQL.

I'm cc'ing the PG docs list on this reply.  Hopefully someone there
can tell us what the real situation is.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

Re: couple socket-connection questions

From
Peter Eisentraut
Date:
Henry B. Hotz writes:

> My guess is that the module web page had a spelling error once which
> was picked up by the PostgreSQL admin manual.  The spelling error has
> been fixed everywhere now, except at PostgreSQL.

The mention in the PostgreSQL documentation was once submitted by an
external contributor and might have contained a typo.  Would you like to
submit a correction, or should it be removed altogether?  I got a little
bit lost about what is correct.

--
Peter Eisentraut   peter_e@gmx.net


Re: couple socket-connection questions

From
"Henry B. Hotz"
Date:
At 11:50 PM +0200 6/1/03, Peter Eisentraut wrote:
>Henry B. Hotz writes:
>
>>  My guess is that the module web page had a spelling error once which
>>  was picked up by the PostgreSQL admin manual.  The spelling error has
>>  been fixed everywhere now, except at PostgreSQL.
>
>The mention in the PostgreSQL documentation was once submitted by an
>external contributor and might have contained a typo.  Would you like to
>submit a correction, or should it be removed altogether?  I got a little
>bit lost about what is correct.

Gee, I was hoping you could tell me what was correct.

I'm guessing the correction should be:  change mod_auth_krb to mod_auth_kerb.

I'll post more info in a month or two when I have more info (like
when I've tried it out).
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

Re: couple socket-connection questions

From
Daniel Kouril
Date:
On Sun, Jun 01, 2003 at 03:22:04PM -0700, Henry B. Hotz wrote:
> At 11:50 PM +0200 6/1/03, Peter Eisentraut wrote:
> >Henry B. Hotz writes:
> >
> >> My guess is that the module web page had a spelling error once which
> >> was picked up by the PostgreSQL admin manual.  The spelling error has
> >> been fixed everywhere now, except at PostgreSQL.
> >
> >The mention in the PostgreSQL documentation was once submitted by an
> >external contributor and might have contained a typo.  Would you like to
> >submit a correction, or should it be removed altogether?  I got a little
> >bit lost about what is correct.
>
> Gee, I was hoping you could tell me what was correct.
>
> I'm guessing the correction should be:  change mod_auth_krb to
> mod_auth_kerb.

The mod_auth_kerb module available from modauthkerb.sf.net doesn't provide
the full kerberos authentication (it only supports password verification
against KDC). Recently I've joined the modauthkerb.sf.net project trying to
incorporate the changes needed to implement full kerberos support, but I'm
not sure when it's ready.

So, as for the PostgreSQL docs, if you don't have any other modules in your
mind, I'd suggest to include references to both these modules:
  - mod_auth_kerb hosted by Sourceforge at modauthkerb.sf.net
  - mod_auth_gss_krb5 available from
    http://meta.cesnet.cz/software/negotiate.en.html
You can also state these two modules are being integrated.

Cheers,

--
Dan

Re: couple socket-connection questions

From
Bruce Momjian
Date:
Patch applied to documentation to list two mod_auth kerberos projects.
Thanks.

---------------------------------------------------------------------------

Daniel Kouril wrote:
> On Sun, Jun 01, 2003 at 03:22:04PM -0700, Henry B. Hotz wrote:
> > At 11:50 PM +0200 6/1/03, Peter Eisentraut wrote:
> > >Henry B. Hotz writes:
> > >
> > >> My guess is that the module web page had a spelling error once which
> > >> was picked up by the PostgreSQL admin manual.  The spelling error has
> > >> been fixed everywhere now, except at PostgreSQL.
> > >
> > >The mention in the PostgreSQL documentation was once submitted by an
> > >external contributor and might have contained a typo.  Would you like to
> > >submit a correction, or should it be removed altogether?  I got a little
> > >bit lost about what is correct.
> >
> > Gee, I was hoping you could tell me what was correct.
> >
> > I'm guessing the correction should be:  change mod_auth_krb to
> > mod_auth_kerb.
>
> The mod_auth_kerb module available from modauthkerb.sf.net doesn't provide
> the full kerberos authentication (it only supports password verification
> against KDC). Recently I've joined the modauthkerb.sf.net project trying to
> incorporate the changes needed to implement full kerberos support, but I'm
> not sure when it's ready.
>
> So, as for the PostgreSQL docs, if you don't have any other modules in your
> mind, I'd suggest to include references to both these modules:
>   - mod_auth_kerb hosted by Sourceforge at modauthkerb.sf.net
>   - mod_auth_gss_krb5 available from
>     http://meta.cesnet.cz/software/negotiate.en.html
> You can also state these two modules are being integrated.
>
> Cheers,
>
> --
> Dan
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /cvsroot/pgsql-server/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.46
diff -c -c -r1.46 client-auth.sgml
*** doc/src/sgml/client-auth.sgml    13 Mar 2003 01:30:26 -0000    1.46
--- doc/src/sgml/client-auth.sgml    6 Jun 2003 18:08:03 -0000
***************
*** 639,646 ****
     </para>

     <para>
!     If you use <application>mod_auth_krb</application> and
!     <application>mod_perl</application> on your
      <productname>Apache</productname> web server, you can use
      <literal>AuthType KerberosV5SaveCredentials</literal> with a
      <application>mod_perl</application> script. This gives secure
--- 639,653 ----
     </para>

     <para>
! <ulink url="http://www.kernel.org/pub/linux/libs/pam/"><productname>Linux-PAM</>
!     Page
!
!     If you use <application>mod_auth_kerb</application> from
!     <ulink url="http://modauthkerb.sf.net">http://modauthkerb.sf.net</ulink>
!     or <application>mod_auth_gss_krb5</application> from
!     <ulink url="http://meta.cesnet.cz/software/negotiate.en.html">
!     http://meta.cesnet.cz/software/negotiate.en.html</ulink>,
!     and <application>mod_perl</application> on your
      <productname>Apache</productname> web server, you can use
      <literal>AuthType KerberosV5SaveCredentials</literal> with a
      <application>mod_perl</application> script. This gives secure
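Review bot: the first three changed lines of the new 639-653 block (the ulink to http://www.kernel.org/pub/linux/libs/pam/ with productname Linux-PAM, the bare word "Page", and the empty "!" line) look like a stray paste from another section. They open a ulink that is never closed inside this para and have nothing to do with the Kerberos text that follows, so they should be dropped before the SGML is built. Separately, the rewritten sentence says either mod_auth_kerb or mod_auth_gss_krb5 can be used with AuthType KerberosV5SaveCredentials, while Daniel's message in this thread says mod_auth_kerb from modauthkerb.sf.net only supports password verification against the KDC. Suggest confirming which module accepts that AuthType, and whether it retains a usable ticket for the mod_perl script, before the paragraph goes on to say "This gives secure".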

Re: couple socket-connection questions

From
Peter Eisentraut
Date:
Bruce Momjian writes:

> Patch applied to documentation to list two mod_auth kerberos projects.
> Thanks.

Do both of these support AuthType KerberosV5SaveCredentials?  I guess not,
from this:

> > > I'm guessing the correction should be:  change mod_auth_krb to
> > > mod_auth_kerb.
> >
> > The mod_auth_kerb module available from modauthkerb.sf.net doesn't provide
> > the full kerberos authentication (it only supports password verification
> > against KDC). Recently I've joined the modauthkerb.sf.net project trying to
> > incorporate the changes needed to implement full kerberos support, but I'm
> > not sure when it's ready.

--
Peter Eisentraut   peter_e@gmx.net