Thread: GSSAPI or Kerberos authentication problems
Hi all, I'm new to this list, and I haven't been able to find a solution to this problem by Googling, so I hope I'm not beating a dead horse here. I'm using the postgresql-jdbc driver with OpenOffice.org 2.0, and I can't get it to use GSSAPI authentication using my Kerberos credentials. I have no other apps that use postgresql-jdbc, but it appears as though the problem is in this driver, not OOo. psql And other apps using the native PostgreSQL interface work fine using Kerberos authentication, just not JDBC. Does the postgresql-jdbc driver support Kerberos/GSSAPI authentication? If not, what is required to get it done? -- Mike Warnecke <mike@audiowarehouse.ca> Audio Warehouse
Attachment
On Wed, 14 Sep 2005, Mike Warnecke wrote: > I'm using the postgresql-jdbc driver with OpenOffice.org 2.0, and I > can't get it to use GSSAPI authentication using my Kerberos credentials. > I have no other apps that use postgresql-jdbc, but it appears as though > the problem is in this driver, not OOo. > > psql And other apps using the native PostgreSQL interface work fine > using Kerberos authentication, just not JDBC. > > Does the postgresql-jdbc driver support Kerberos/GSSAPI authentication? > If not, what is required to get it done? > The JDBC driver does not currently support kerberos auth. Since the driver is pure Java we cannot rely on the standard postgresql client library (libpq) and its kerberos support. When the driver was initially written the only kerberos support available required separate third party libraries. With the availability of JAAS in JDK 1.3 and subsequent integration in JDK 1.4 that is no longer the case. I imagine someone familiar with JAAS and kerberos could add support to the driver relatively easily, but Java and kerberos do not seem like a common combination (at least in the Postgresql world). Without the expertise or the demand for this feature it doesn't seem likely that it will happen anytime soon. Kris Jurka
On Wed, 2005-14-09 at 16:00 -0500, Kris Jurka wrote: > > On Wed, 14 Sep 2005, Mike Warnecke wrote: > > > I'm using the postgresql-jdbc driver with OpenOffice.org 2.0, and I > > can't get it to use GSSAPI authentication using my Kerberos credentials. > > I have no other apps that use postgresql-jdbc, but it appears as though > > the problem is in this driver, not OOo. > > > > psql And other apps using the native PostgreSQL interface work fine > > using Kerberos authentication, just not JDBC. > > > > Does the postgresql-jdbc driver support Kerberos/GSSAPI authentication? > > If not, what is required to get it done? > > > > The JDBC driver does not currently support kerberos auth. Since the > driver is pure Java we cannot rely on the standard postgresql client > library (libpq) and its kerberos support. When the driver was initially > written the only kerberos support available required separate third party > libraries. With the availability of JAAS in JDK 1.3 and subsequent > integration in JDK 1.4 that is no longer the case. I imagine someone > familiar with JAAS and kerberos could add support to the driver relatively > easily, but Java and kerberos do not seem like a common combination (at > least in the Postgresql world). Without the expertise or the demand for > this feature it doesn't seem likely that it will happen anytime soon. So, if I need it, I'll need to learn JAAS, and contribute it then, right? As far as nobody using JDBC, PostgreSQL, and Kerberos together, I can't understand why a single sign-on architecture with real security wouldn't be more popular. But then again, look at the number of people still using Zip encryption... I think you've given me the necessary information with respect to JAAS though. Thanks! -- Mike Warnecke <mike@audiowarehouse.ca> Audio Warehouse
Attachment
On Wed, 14 Sep 2005, Mike Warnecke wrote: > So, if I need it, I'll need to learn JAAS, and contribute it then, > right? Right, that'd be great. > As far as nobody using JDBC, PostgreSQL, and Kerberos together, I can't > understand why a single sign-on architecture with real security wouldn't > be more popular. But then again, look at the number of people still > using Zip encryption... > I think it's because JDBC is so often used as a server side technology with one database user for all clients. Kris Jurka
Mike Warnecke wrote: > Does the postgresql-jdbc driver support Kerberos/GSSAPI authentication? > If not, what is required to get it done? > > Doing a little further reading and testing shows that the server would need to be extended to provide GSSAPI support even though the underlying authentication would be done using Kerberos. Java has Kerberos support, but not the ability to "speak" it directly, only through the GSSAPI interface. Phil Dodderidge claimed to have this up and working quite some time ago, perhaps he can share some more info... http://archives.postgresql.org/pgsql-hackers/2002-04/msg01461.php Although I'm not sure people want GSSAPI support in the backend given the comments on adding SASL support here: http://archives.postgresql.org/pgsql-hackers/2002-05/msg00760.php Kris Jurka