Re: [Patch] Using Windows groups for SSPI authentication

Russell Foster <russell.foster.coding@gmail.com> writes:
> Going to take a guess at what you mean by:
>> I do object to using syntax that makes random assumptions about what a
>> user name can or can't be.

> Are you referring to the "+" syntax in the ident file? I chose that because
> somewhere else (hba?) using the same syntax for groups. The quotes are just
> there to make the  group name case sensitive.

If this were a Postgres group name, I'd say yeah we already broke
the case of spelling group names with a leading "+".  (Which I'm
not very happy about either, but the precedent is there.)

However, this isn't.  Unless I'm totally confused, the field you're
talking about is normally an external, operating-system-defined name.
I do not think it's wise to make any assumptions about what those
can be.

By the same token, the idea of using a "pg_" prefix as discussed
in the other thread will not work here :-(.

After a few minutes' thought, the best I can can come up with is
to extend the syntax of identmap files with an "options" field,
so that your example becomes something like

# MAPNAME SYSTEM-USERNAME PG-USERNAME OPTIONS
"Users"   "User group"    postgres    windows-group

I'm envisioning OPTIONS as allowing a comma- or space-separated
list of keywords, which would give room to grow for other special
features we might want later.

            regards, tom lane