Re: BUG #9337: SSPI/GSSAPI with mismatched user names
From | Brian Crowell |
---|---|
Subject | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |
Date | |
Msg-id | CAAQkdDqrz_O9EE7QL7vpyC4Ti3qcWGLPPD8Ox+Gevrke9+0zqg@mail.gmail.com |
In reply to | Re: BUG #9337: SSPI/GSSAPI with mismatched user names (Tom Lane <tgl@sss.pgh.pa.us>) |
Replies | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |
List | pgsql-bugs |

On Mon, Feb 24, 2014 at 1:58 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> I wonder whether there would be any value in an option for SSPI (and
> maybe other auth methods) to say "after authentication is complete,
> substitute the authenticated principal name for the database user
> name" (possibly after realm-stripping, case-folding, etc).

I humbly resubmit my ticket-in-the-startup-packet suggestion, which I'd hope would be easier, especially since any program not supplying it would fall back to the standard challenge auth mechanism. Like:

1. client -> server startup packet + GSSAPI="here's my ticket"
2. server -> client AuthenticationGSSContinue
3. client -> server password packet
4. server -> client AuthenticationOK

But then I don't know what I'm talking about really :P

(goes to read the protocol specs)

--Brian