Re: BUG #9337: SSPI/GSSAPI with mismatched user names
| От | Magnus Hagander |
|---|---|
| Тема | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |
| Дата | |
| Msg-id | CABUevExYCCR98qDEa9bpUE72fkp8SsYqFNPQuS20qDz4sng0Jw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: BUG #9337: SSPI/GSSAPI with mismatched user names (Stephen Frost <sfrost@snowman.net>) |
| Список | pgsql-bugs |
On Mon, Feb 24, 2014 at 7:56 PM, Stephen Frost <sfrost@snowman.net> wrote: > * Brian Crowell (brian@fluggo.com) wrote: > > Right now, I'm seeing log entries like this: > > > > 2014-02-24 11:30:40 CST LOG: provided user name (Brian) and > > authenticated user name (BCrowell@REALM.COM) do not match > > > > But the Kerberos ticket is perfectly valid, and matches a Postgres > > user. In this case, the program attempting to log in is incapable of > > determining the correct Postgres user name to send (see Npgsql bug for > > the dirty details), so why not just accept the Kerberos principal > > name? > > This is what the mapping logic in pg_ident was written to address... > There is also a parameter called include_realm, specifically for Kerberos, which will remove the @REALM.COM part. But I believe it does that by default. Specifically see http://www.postgresql.org/docs/9.3/static/auth-methods.html#GSSAPI-AUTH, which deals with both those. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
В списке pgsql-bugs по дате отправления: