From: Bruce Momjian
Message-Id: <201002201921.o1KJLIx22044@momjian.us>
Subject: Re: [PATCH] clarify username mapping in Kerberos and GSSAPI
In-Reply-To: <28A4DB436106924BADF219EA31CE80AEF4BEE7@mailnyc2.nyc.deshaw.com>
To: "Turner, Ian"
Date: Sat, 20 Feb 2010 14:21:18 -0500 (EST)
CC: pgsql-docs@postgresql.org

Thanks, applied.

---------------------------------------------------------------------------

Turner, Ian wrote:
> Hello all,
>
> I noticed what appears to be an ambiguity in this area, so I prepared a patch. It is included below. The issue is that the documentation does not make it crystal clear exactly what string is used for username mapping when authenticating with GSSAPI or Kerberos. It's possible that this issue also applies to the SSPI documentation, though I didn't check.
>
> Cheers,
>
> --Ian Turner
> Senior UNIX Systems Engineer
> D. E. Shaw & Co.
>
> --- postgresql-8.4-8.4.1/doc/src/sgml/client-auth.sgml 2009-06-24 14:46:32.000000000 +0100
> +++ postgresql-8.4-8.4.1-docfix/doc/src/sgml/client-auth.sgml 2009-10-23 20:41:28.000000000 +0100
> @@ -801,23 +801,28 @@ > The following configuration options are supported for GSSAPI: > > > - map > + include_realm > > > - Allows for mapping between system and database usernames. See > - for details. > + If set to 1, the realm name from the authenticated user > + principal is included in the system user name that's passed through > + username mapping (). This is > + useful for handling users from multiple realms. > > > > > > - include_realm > + map > > > - If set to 1, the realm name from the authenticated user > - principal is included in the system user name that's passed through > - username mapping (). This is > - useful for handling users from multiple realms. > + Allows for mapping between system and database usernames. See > + for details. For a Kerboros > + principal username/hostbased@EXAMPLE.COM, the > + username used for mapping is username/hostbased > + if include_realm is disabled, and > + username/hostbased@EXAMPLE.COM if > + include_realm is enabled. > > > > @@ -1003,10 +1008,10 @@ > > When connecting to the database make sure you have a ticket for a > principal matching the requested database user name. For example, for > - database user name fred, both principal > - fred@EXAMPLE.COM and > - fred/users.example.com@EXAMPLE.COM could be used to > - authenticate to the database server. > + database user name fred, principal > + fred@EXAMPLE.COM would be able to connect. To also allow > + principle fred/users.example.com@EXAMPLE.COM, use a username > + map, as described in . > > > -- Bruce Momjian http://momjian.us EnterpriseDB http://enterprisedb.com PG East: http://www.enterprisedb.com/community/nav-pg-east-2010.do + If your life is a hard drive, Christ can be your backup. +
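Review bot: the new text for the map option in the first hunk (@@ -801,23 +801,28 @@) misspells the protocol as "Kerboros"; it should read "Kerberos". A smaller point on the same hunk: the illustrative principal username/hostbased@EXAMPLE.COM would connect better with the example later in this file if it used the same concrete name, fred/users.example.com@EXAMPLE.COM, so that the reader sees one principal yield "fred/users.example.com" with include_realm disabled and "fred/users.example.com@EXAMPLE.COM" with it enabled, and then sees that same name handled by a map in the later section. Moving include_realm above map is the right call, since the map text now refers to include_realm.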
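Review bot: in the second hunk (@@ -1003,10 +1008,10 @@) "principle fred/users.example.com@EXAMPLE.COM" should read "principal". The rewording itself is the substantive fix and is consistent with the first hunk: with include_realm disabled only the realm is stripped, so the name compared against database user fred is fred/users.example.com, which does not match without a map. Since the map is the only way that second principal gets in, it would help to show the concrete pg_ident.conf line a reader needs, for example `mapname  /^(.*)/users\.example\.com$  \1` with `map=mapname` on the gss or krb5 line in pg_hba.conf, rather than leaving the cross-reference to do all the work.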
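To make the rule the patch documents concrete, here is a small Python simulation of the name handling it describes. This is an added illustration for this archive page, not PostgreSQL source code and not part of Ian Turner's patch: it reproduces the documented behaviour (strip the realm from the principal when include_realm is disabled, keep the whole principal when it is enabled, then compare the result with the requested database user either directly or through a pg_ident.conf map whose SYSTEM-USERNAME field is a regular expression when it starts with `/`, with `\1` in PG-USERNAME standing for the first capture group). The sample pg_ident.conf and the map name `krb` are constructed for the example; the treatment of a principal with no `@` (passed through unchanged) is an assumption.

```python
"""Simulation of PostgreSQL GSSAPI/Kerberos username mapping as documented.

Added illustration, not PostgreSQL's own code. It models:
  * system_user_name(): the string handed to username mapping, i.e. the
    principal with its realm stripped when include_realm is disabled and
    the full principal when include_realm is enabled;
  * a pg_ident.conf map (MAPNAME  SYSTEM-USERNAME  PG-USERNAME) where a
    SYSTEM-USERNAME starting with '/' is a regular expression and '\\1' in
    PG-USERNAME is replaced by its first capture group;
  * can_connect(): whether a principal may log in as a given database user,
    with or without a map, mirroring the two examples in the patch.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample pg_ident.conf; the map name "krb" is an assumption.
SAMPLE_PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME                 PG-USERNAME
krb        /^(.*)/users\.example\.com$     \1
krb        alice@OTHER.EXAMPLE.COM         alice_other
"""

IdentEntry = Tuple[str, str, str]


def system_user_name(principal: str, include_realm: bool) -> str:
    """Return the name that is passed through username mapping."""
    if include_realm:
        return principal
    # include_realm disabled: drop the realm (text from the first '@').
    # A principal without '@' is passed through unchanged (assumption).
    name, sep, _realm = principal.partition("@")
    return name if sep else principal


def parse_pg_ident(text: str) -> List[IdentEntry]:
    """Parse pg_ident.conf lines into (mapname, system_username, pg_username)."""
    entries: List[IdentEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def map_matches(entry: IdentEntry, sys_name: str, db_user: str) -> bool:
    """Does one pg_ident.conf entry allow sys_name to connect as db_user?"""
    _mapname, sys_pattern, pg_user = entry
    if sys_pattern.startswith("/"):
        # Regular-expression form: the pattern is everything after '/'.
        m = re.search(sys_pattern[1:], sys_name)
        if m is None:
            return False
        if "\\1" in pg_user:
            if m.re.groups < 1:
                raise ValueError("\\1 used but the regex has no capture group")
            pg_user = pg_user.replace("\\1", m.group(1))
        return pg_user == db_user
    # Literal form: both names must match exactly.
    return sys_pattern == sys_name and pg_user == db_user


def can_connect(principal: str, db_user: str, include_realm: bool,
                pg_ident: Optional[str] = None,
                mapname: Optional[str] = None) -> bool:
    """Decide whether `principal` may connect as database user `db_user`."""
    sys_name = system_user_name(principal, include_realm)
    if mapname is None:
        # No map option: the system user name must equal the database user.
        return sys_name == db_user
    entries = [e for e in parse_pg_ident(pg_ident or "") if e[0] == mapname]
    return any(map_matches(e, sys_name, db_user) for e in entries)


if __name__ == "__main__":
    # The two cases from the patched documentation, then the include_realm caveat.
    print(can_connect("fred@EXAMPLE.COM", "fred", include_realm=False))
    print(can_connect("fred/users.example.com@EXAMPLE.COM", "fred", False))
    print(can_connect("fred/users.example.com@EXAMPLE.COM", "fred", False,
                      SAMPLE_PG_IDENT, "krb"))
    print(can_connect("fred/users.example.com@EXAMPLE.COM", "fred", True,
                      SAMPLE_PG_IDENT, "krb"))
```

The last call is the caveat worth remembering when turning on include_realm: a regex written for realm-stripped names (anchored with `$` before the realm would appear) stops matching once the realm is kept, so every map entry has to be revisited, not just the pg_hba.conf line.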