Re: Future of krb5 authentication
From | Stephen Frost |
---|---|
Subject | Re: Future of krb5 authentication |
Date | |
Msg-id | 20070718215611.GC4887@tamriel.snowman.net |
In response to | Re: Future of krb5 authentication (Gregory Stark <stark@enterprisedb.com>) |
List | pgsql-hackers |

* Gregory Stark (stark@enterprisedb.com) wrote:
> Am I right in thinking that while the client<->postgres protocol may be the
> same the actual authentication tokens are different? That is, if you have a
> Windows Active Directory server then using SSPI will use your Windows
> credentials obtained from that server to log you in whereas if you used the
> MIT GSSAPI library it would try to use your Kerberos tickets for which it would
> look elsewhere?

This *can* be true, and in fact is *exactly* what I do. The MIT client
comes with an option (enabled by default actually) to sync up the MIT
ticket cache with the SSPI one though.

> What confuses me here is that I don't understand how this relates to
> applications. You keep talking about using the connection string which may be
> appropriate for a user-oriented application like psql. But in the general case
> surely the application needs to be able to control the authentication process
> and be able to provide credentials of its choice?

We're talking about user-oriented applications... Specifically things
like psql and Postgres ODBC, which use user's credentials to connect to
the database and don't have their own credentials...

Thanks,

Stephen