Truncation of krb5 principals
From | Enrico Scholz |
---|---|
Subject | Truncation of krb5 principals |
Date | |
Msg-id | 87n034dc5d.fsf@kosh.ultra.csn.tu-chemnitz.de |
List | pgsql-admin |
Hello,

I am using krb5 authorization and have a problem with the mangling of krb5 principal names. E.g. on authentication, the principals 'foo/www@XYZ.ORG' and 'foo/mail@ABC.COM' will both be rewritten to the local username 'foo', which is completely unwanted and might be a security problem.

In the archives, I read that this happens because '/' and '@' are forbidden characters for usernames. An authname-to-username mapping table was a proposed solution, but although the discussion[1] was some time ago in 2002, I cannot find such a thing in recent postgresql 7.4.2.

When the authname -> username table would be too complicated to implement, would it be possible to use something like OpenLDAP's 'sasl-regexp' feature? E.g. in postgresql.conf it could be written

| sasl-regexp "([^/]*)/www@XYZ.ORG" "$1_www_XYZ_ORG"
| sasl-regexp "([^/]*)/mail@ABC.COM" "$1_mail_ABC_COM"

which maps the principals above into valid SQL usernames.

Enrico

Footnotes:
[1] http://groups.google.com/groups?&selm=8149.1021471997%40sss.pgh.pa.us
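The collision described in the message, and the regex mapping it proposes, as an added example that is not part of the original post and is not PostgreSQL code. `truncate_principal` is a model of the behaviour the post describes; the function names, the escaped dots, full-string matching, the deny-by-default result and the constructed sample principals are assumptions of this example.

```python
import re

# Rules modelled on the post's two sasl-regexp lines. Assumptions of this
# example: dots are escaped, and patterns must match the whole principal.
RULES = [
    (re.compile(r"([^/]*)/www@XYZ\.ORG"), r"\g<1>_www_XYZ_ORG"),
    (re.compile(r"([^/]*)/mail@ABC\.COM"), r"\g<1>_mail_ABC_COM"),
]

# What this example accepts as a plain SQL username (assumption).
VALID_USERNAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# The two principals from the post plus two constructed ones.
SAMPLE = [
    "foo/www@XYZ.ORG",
    "foo/mail@ABC.COM",
    "foo/www@ABC.COM",          # constructed: no rule covers this realm
    "foo@EVIL/www@XYZ.ORG",     # constructed: '@' smuggled into the primary
]

def truncate_principal(principal):
    """Model of the reported behaviour: keep the text before the first '/' or '@'."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]

def map_principal(principal, rules=RULES):
    """Return the username from the first matching rule, or None to deny."""
    for pattern, template in rules:
        match = pattern.fullmatch(principal)
        if match:
            user = match.expand(template)
            # The capture group can still contain '@', so re-check the result.
            return user if VALID_USERNAME.fullmatch(user) else None
    return None  # no rule: refuse instead of guessing a local name

def find_collisions(principals, mapper):
    """Map every principal and return usernames claimed by more than one."""
    claimed = {}
    for principal in principals:
        name = mapper(principal)
        if name is not None:
            claimed.setdefault(name, []).append(principal)
    return {name: ps for name, ps in claimed.items() if len(ps) > 1}

if __name__ == "__main__":
    print("truncation:", find_collisions(SAMPLE, truncate_principal))
    print("regex map: ", find_collisions(SAMPLE, map_principal))
```

Running `find_collisions` over the list of principals a KDC can issue is a quick audit for any mapping scheme: a non-empty result means two distinct identities share one database role.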