Re: Patch to add Heimdal kerberos support

From Bill Studenmund
Subject Re: Patch to add Heimdal kerberos support
Date
Msg-id Pine.NEB.4.33.0111132237520.28216-100000@vespasia.home-net.internetconnect.net
In reply to Re: Patch to add Heimdal kerberos support  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-patches

On Tue, 13 Nov 2001, Tom Lane wrote:

> I still wonder whether there isn't some documented API (common to both
> MIT and Heimdal) for extracting the client principal from a ticket.
> I mean, that's almost the entire reason for getting the ticket in the
> first place; you can hardly argue that this is not core functionality.
> I find it hard to believe that Heimdal hasn't duplicated the standard
> way of getting the principal from a ticket.  I can believe that we
> weren't *using* the standard way, however...

I've been digging into this, and I think the problem is there is no
standard way to do what we're doing. It is a flaw in the design of the
specs and the krb5_unparse_name() routine.

There are however other ways to do what we want.

First off, I think the comment about pg_an_to_ln is wrong; if you have
some sort of goofy multi-part name (like the example out of X.400 hell,
"ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU") *AND* your
kerberos lib isn't set up to deal with it (krb5_aname_to_localname()
punts), why should PostgreSQL let you in?

Oh, the comment is also very old. It's from version 1.1 of the file,
checked in in 1996. Everything else changed, so I'd expect that if you are
using X.400 names like the horror above, well, you are 1) using MIT, and
2) you can set things up right (or at least there is documentation to show
you how).

(Heimdal supports single-component names, or two-component names where the
second name is root. In the latter case, the name is taken as root.)

Dang. I've been fussing with code for a bit, and realised that while there
are ways we can get rid of the use of krb5_aname_to_localname, we still
have to reach in the received ticket and pull out the principal in a
non-standard way.

Take care,

Bill
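
An added illustration, not code from this thread, PostgreSQL, or Heimdal: the C sketch below applies the principal-to-local-name rule the message describes (one component, or two components where the second is root) to an unparsed principal string and denies everything else. The helper names, the size limits, and the comparison against a configured local realm are assumptions of the sketch.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMP 4    /* limits chosen for this sketch */
#define MAX_LEN  64
struct princ { int ncomp; char comp[MAX_COMP][MAX_LEN]; char realm[MAX_LEN]; };

/* Split "comp/comp@REALM"; a backslash escapes the next character.
 * Returns 0 on success, -1 on malformed or oversized input. */
static int parse_princ(const char *s, struct princ *p)
{
    char *dst = p->comp[0];
    size_t n = 0;
    int in_realm = 0;
    memset(p, 0, sizeof(*p));
    p->ncomp = 1;
    for (; *s; s++) {
        if (*s == '@' && !in_realm) { in_realm = 1; dst = p->realm; n = 0; continue; }
        if (*s == '/' && !in_realm) {
            if (p->ncomp == MAX_COMP) return -1;
            dst = p->comp[p->ncomp++]; n = 0; continue;
        }
        if (*s == '@') return -1;                   /* second unescaped '@' */
        if (*s == '\\' && *++s == '\0') return -1;  /* dangling escape */
        if (n + 1 >= MAX_LEN) return -1;
        dst[n++] = *s;
    }
    return (in_realm && p->realm[0] && p->comp[0][0]) ? 0 : -1;
}

/* Local name for an unparsed principal, or NULL (deny). Static scratch: not reentrant. */
const char *localname(const char *unparsed, const char *local_realm)
{
    static struct princ p;
    if (parse_princ(unparsed, &p) != 0) return NULL;
    if (strcmp(p.realm, local_realm) != 0) return NULL;   /* assumed realm check */
    if (p.ncomp == 1) return p.comp[0];
    if (p.ncomp == 2 && strcmp(p.comp[1], "root") == 0) return "root";
    return NULL;                                          /* anything else: deny */
}

int main(void)
{
    /* The X.400-style name quoted in the post: two components, second is not "root". */
    const char *ln = localname("ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU",
                               "CS.BERKELEY.EDU");
    printf("%s\n", ln ? ln : "(no local name: deny)");
    return 0;
}
```

A NULL result is the fail-closed case: a caller should reject the connection rather than fall back to some other part of the principal.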

