Thread: libpq and auth type

libpq and auth type

From
Ludek Finstrle
Date:
Hello,
 I'm unable to find it in the docs. Is there a way in libpq to determine
which authentication method the PgSQL server will use? I ask because I'm thinking about an improvement in the ODBC connection.
Magnus pointed to a bug with kerberos auth, so we need to remove username
checking. But it breaks other auth methods ...

Thanks for pointing me the way

Luf


Re: libpq and auth type

From
Ludek Finstrle
Date:
>   I'm unable to find it in the docs. Is there a way in libpq to determine
> which authentication method the PgSQL server will use?
>   I ask because I'm thinking about an improvement in the ODBC connection.
> Magnus pointed to a bug with kerberos auth, so we need to remove username
> checking. But it breaks other auth methods ...

Is it such a stupid question? I can't find it in the mailing list archive.
Maybe I put it in the wrong words.

When ODBC connects to the backend with a special parameter it needs to
pop up a dialog (on Windows) to enter the (unspecified) username, password,
etc. which are needed by the backend to authenticate.
But this is against kerberos (and maybe trust) authentication.

Must I connect to backend myself (not using libpq)? Could you point me
to corresponding libpq code from which I can learn it?

Thanks,

Luf


Re: libpq and auth type

From
Tom Lane
Date:
Ludek Finstrle <luf@pzkagis.cz> writes:
> When ODBC connects to the backend with a special parameter it needs to
> pop up a dialog (on Windows) to enter the (unspecified) username, password,
> etc. which are needed by the backend to authenticate.
> But this is against kerberos (and maybe trust) authentication.

So?  Why does ODBC care which auth method gets used?  I'm not aware of
any other client code that has ever needed to know that, and so I'm
suspicious of your reasoning for ODBC needing to know it.
        regards, tom lane


Re: libpq and auth type

From
Ludek Finstrle
Date:
On Wed, Jan 11, 2006 at 10:12:33AM -0500, Tom Lane wrote:
> Ludek Finstrle <luf@pzkagis.cz> writes:
> > When ODBC connects to the backend with a special parameter it needs to
> > pop up a dialog (on Windows) to enter the (unspecified) username, password,
> > etc. which are needed by the backend to authenticate.
> > But this is against kerberos (and maybe trust) authentication.
> 
> So?  Why does ODBC care which auth method gets used?  I'm not aware of
> any other client code that has ever needed to know that, and so I'm
> suspicious of your reasoning for ODBC needing to know it.

I don't know if I can describe it better. Please take a look at:

http://cvs.pgfoundry.org/cgi-bin/cvsweb.cgi/~checkout~/psqlodbc/psqlodbc/drvconn.c?rev=1.45.2.1&content-type=text/plain

Find "SQL_DRIVER_COMPLETE" there (without quotes). It checks if some
required parameters are missing. If a parameter is missing it opens
a dialog window for the user to complete the connection information.
It's from the previous maintainer.

There is the problem that I don't know if the parameter is required
or not (it depends on the authentication method: ident, krb, trust don't
require uid, pwd; other auth methods do).

If I don't want to break this behaviour with krb I need to know what
auth method is used. I don't see another way. Do you?

I snipped the following from the MS ODBC spec - part "Driver Guidelines"
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/odbc/htm/odbcsqldriverconnect.asp):
| Based on the value of DriverCompletion, the driver prompts the user
| for connection information, such as the user ID and password, and
| connects to the data source:
|
| * SQL_DRIVER_PROMPT: The driver displays a dialog box, using the
|     values from the connection string and system information (if any)
|     as initial values. When the user exits the dialog box, the driver
|     connects to the data source. It also constructs a connection
|     string from the value of the DSN or DRIVER keyword in
|     *InConnectionString and the information returned from the dialog
|     box. It places this connection string in the *OutConnectionString
|     buffer.
| * SQL_DRIVER_COMPLETE or SQL_DRIVER_COMPLETE_REQUIRED: If the
|     connection string contains enough information, and that
|     information is correct, the driver connects to the data source
|     and copies *InConnectionString to *OutConnectionString. If any
|     information is missing or incorrect, the driver takes the same
|     actions as it does when DriverCompletion is SQL_DRIVER_PROMPT,
|     except that if DriverCompletion is SQL_DRIVER_COMPLETE_REQUIRED,
|     the driver disables the controls for any information not required
|     to connect to the data source.
| * SQL_DRIVER_NOPROMPT: If the connection string contains enough
|     information, the driver connects to the data source and copies
|     *InConnectionString to *OutConnectionString. Otherwise, the driver
|     returns SQL_ERROR for SQLDriverConnect.

Maybe I don't understand it well (my English isn't good).

Thanks,

Luf


Re: libpq and auth type

From
Tom Lane
Date:
Ludek Finstrle <luf@pzkagis.cz> writes:
> There is the problem that I don't know if the parameter is required
> or not (it depends on the authentication method: ident, krb, trust don't
> require uid, pwd; other auth methods do).
> If I don't want to break this behaviour with krb I need to know what
> auth method is used. I don't see another way. Do you?

Why do you have to know whether the parameter is required or not?
If the user enters something, fine, else try to proceed without.

It's impossible by definition to know whether a password is required
until you have the host, user, and database names, since the server's
pg_hba.conf might well specify different auth methods depending on
the user and/or database name.  You could imagine trying to make a
connection the instant you have the first three, and only asking for
a password if you get a "no password supplied" failure, but I think
it'd be simpler to just put up a dialog box with room for all four and
let the user leave the password blank if he thinks he doesn't need it.
        regards, tom lane


Re: libpq and auth type

From
Ludek Finstrle
Date:
On Wed, Jan 11, 2006 at 11:21:55AM -0500, Tom Lane wrote:
> Ludek Finstrle <luf@pzkagis.cz> writes:
> > There is the problem that I don't know if the parameter is required
> > or not (it depends on the authentication method: ident, krb, trust don't
> > require uid, pwd; other auth methods do).
> > If I don't want to break this behaviour with krb I need to know what
> > auth method is used. I don't see another way. Do you?
> 
> Why do you have to know whether the parameter is required or not?
> If the user enters something, fine, else try to proceed without.

I need to determine when the dialog box may show and when not.

> It's impossible by definition to know whether a password is required
> until you have the host, user, and database names, since the server's

User could be specified another way (e.g. kerberos auth doesn't
need to specify user parameter). It's the biggest problem.

> You could imagine trying to make a
> connection the instant you have the first three, and only asking for
> a password if you get a "no password supplied" failure, but I think
> it'd be simpler to just put up a dialog box with room for all four and
> let the user leave the password blank if he thinks he doesn't need it.

It seems I have to do it by parsing the error from an additional connect.
I wanted to be sure.

Thanks a lot,

Luf


Re: libpq and auth type

From
"Magnus Hagander"
Date:
> > It's impossible by definition to know whether a password is required
> > until you have the host, user, and database names, since the server's
>
> User could be specified another way (e.g. kerberos auth
> doesn't need to specify user parameter). It's the biggest problem.

You need the username in the end, when you make the connection. Libpq
makes this work by picking up the logged in user in the OS if nothing is
specified.

Kerberos only requires that the specified username is identical to that
used to log in to the system. (Actually, that's only true for Microsoft
Kerberos. On unix kerberos, you can specify a different username in some
scenarios)



//Magnus
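
Added example (not part of the original thread, and not psqlodbc or libpq code): a self-contained C sketch of the approach the thread converges on, where the driver attempts the connection first and falls back to the dialog only when that attempt fails, following the DriverCompletion rules quoted above. All names (driver_connect, try_connect, the enums, the database names and the password string) are hypothetical, and try_connect is a constructed stub standing in for a real connection attempt.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the DriverCompletion modes quoted in the thread. */
enum completion { DRIVER_NOPROMPT, DRIVER_COMPLETE, DRIVER_PROMPT };
enum result { CONN_OK, CONN_NEEDS_PASSWORD, CONN_REJECTED };
enum action { ACT_CONNECTED, ACT_SHOW_DIALOG, ACT_ERROR };

struct params { const char *db, *user, *password; };

/* Constructed stub for the server side: as with pg_hba.conf, the auth
 * method is chosen per database/user, so the client cannot know it early. */
static enum result try_connect(const struct params *p, const char *os_user)
{
    /* Like libpq, fall back to the OS login name when no user is given. */
    const char *user = (p->user && *p->user) ? p->user : os_user;

    if (strcmp(p->db, "reports") == 0)      /* trust-style rule */
        return CONN_OK;
    if (strcmp(p->db, "corp") == 0)         /* kerberos-style rule */
        return strcmp(user, os_user) == 0 ? CONN_OK : CONN_REJECTED;
    if (!p->password || !*p->password)      /* password rule, none supplied */
        return CONN_NEEDS_PASSWORD;
    return strcmp(p->password, "constructed-pw") == 0 ? CONN_OK : CONN_REJECTED;
}

/* Decide the driver's next step without knowing the auth method up front:
 * attempt first, and only fall back to the dialog when the attempt fails. */
enum action driver_connect(const struct params *p, enum completion mode,
                           const char *os_user)
{
    if (mode == DRIVER_PROMPT)
        return ACT_SHOW_DIALOG;             /* always prompts */
    if (try_connect(p, os_user) == CONN_OK)
        return ACT_CONNECTED;
    /* Missing or incorrect information: NOPROMPT must fail, COMPLETE prompts. */
    return mode == DRIVER_NOPROMPT ? ACT_ERROR : ACT_SHOW_DIALOG;
}

int main(void)
{
    struct params krb = { "corp", NULL, NULL };     /* no uid, no pwd */
    struct params pw  = { "sales", "luf", NULL };   /* password rule applies */
    printf("krb/COMPLETE -> %d\n", driver_connect(&krb, DRIVER_COMPLETE, "luf"));
    printf("pw/COMPLETE  -> %d\n", driver_connect(&pw, DRIVER_COMPLETE, "luf"));
    printf("pw/NOPROMPT  -> %d\n", driver_connect(&pw, DRIVER_NOPROMPT, "luf"));
    return 0;
}
```

Later libpq releases provide PQconnectionNeedsPassword(), which reports the needs-password case after a failed attempt without parsing the error text.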