Re: BUG #9337: SSPI/GSSAPI with mismatched user names
| From | Brian Crowell |
|---|---|
| Subject | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |
| Date | |
| Msg-id | CAAQkdDp9yvHtJuSih=E6HzZTk9LR-j2WQ3ohPSsV5U0vzT1_MA@mail.gmail.com |
| In reply to | Re: BUG #9337: SSPI/GSSAPI with mismatched user names (Stephen Frost <sfrost@snowman.net>) |
| List | pgsql-bugs |
On Mon, Feb 24, 2014 at 1:47 PM, Stephen Frost <sfrost@snowman.net> wrote:

>> The PG user is "BCrowell@REALM.COM". include_realm is on because we
>> have a forest, and I don't want any crossed wires between domains.
>
> Ah, makes sense. Again, you could have different usernames in PG if you
> wanted to keep things simpler, by using pg_ident.conf, but if using the
> full princ works for you then that's certainly fine too.

We'd be mapping several dozen users. I'd rather keep things simple :P

> It really should be possible for you to get it. I'm in flight at the
> moment and so the interwebs are a bit lagged or I'd go figure out what
> the right GSSAPI calls are, though I can understand if you'd rather just
> be able to ask libpq to handle that or maybe pass back what the princ
> is, so you don't have to deal with the Kerberos calls directly.

If it is possible, I'd be happy to find out. Note that I'm trying to solve the LOGON32_LOGON_NEW_CREDENTIALS case, which ADO.NET handles just fine. This discussion does not give me much hope:

https://groups.google.com/forum/#!topic/microsoft.public.platformsdk.security/5L7ugO0Fc90

> I'm familiar with SQL Server and how it works there and in a lot of ways
> it's very similar to what happens in PG, and it has similar options for
> doing mapping too, as I recall, and if you want to be able to have such
> a mapping then you have to have both the log-me-in-as username and the
> Kerberos princ.

I'm not sure what you mean. Our connection strings look like this:

server=productiondb.realm.com;Integrated Security=SSPI;database=OURDB;Connect Timeout=500;Application Name=w00t

Most of our users do not even have SQL Server logins. They get in by group permissions. They're mapped to application data by their SID.

> This is overstating it, imv. The exact same issue happens if, for
> example, you want to ssh to a server- you have to provide the Unix
> username that you want to log into the system as, along with the
> Kerberos ticket. Those can then be different too, by using a .k5login
> file. If you'd like to complain about something in this regard, it
> would be that we don't have any way to link PG users in directly with
> LDAP in the way that AD does, where the group membership is done
> through LDAP. That would certainly be accurate but would be quite a bit
> of work to allow and we don't get many requests for such capability.

Sorry, I didn't mean for it to sound like a complaint. But yes, I am looking for the Postgres account to be "tied" to the Kerberos account. It doesn't have to be through LDAP; the supplied Kerberos user name is enough. I realize I will still have to set up a mapping for each user, but that's small potatoes.

--Brian
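Added example (not from the thread or the PostgreSQL project) of the pg_hba.conf / pg_ident.conf pairing Stephen describes, showing why include_realm matters in a forest and how a regex map avoids one line per user. The address range, the map name "adforest" and the role names are assumptions; the sspi method accepts the same options as gss.

```text
# pg_hba.conf (added example; address range and map name are assumed)
#
# Weak: include_realm=0 strips the realm before matching, so
# BCrowell@REALM.COM and BCrowell@OTHER.REALM.COM both become the
# same PG role and one forest domain can impersonate another.
# TYPE  DATABASE  USER  ADDRESS      METHOD
#host   all       all   10.0.0.0/8   gss include_realm=0

# Hardened: keep the realm in the principal and resolve it via a map.
# (krb_realm=REALM.COM would additionally reject other realms outright.)
host    all       all   10.0.0.0/8   gss include_realm=1 map=adforest

# pg_ident.conf
# MAPNAME   SYSTEM-USERNAME        PG-USERNAME
#
# Exact entry, one per user (the "mapping for each user" in the thread):
adforest    BCrowell@REALM.COM     BCrowell
#
# Regex alternative: a single line maps every principal in REALM.COM to
# the role of the same name (\1 = first capture group); principals from
# any other realm do not match and are refused.
adforest    /^(.*)@REALM\.COM$     \1
```

The client then connects with user=BCrowell; if the PG role is named "BCrowell@REALM.COM" as in the thread, no map entry is needed at all.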