diff options
| author | Bruce Momjian <bruce@momjian.us> | 2005-06-04 20:42:43 +0000 |
|---|---|---|
| committer | Bruce Momjian <bruce@momjian.us> | 2005-06-04 20:42:43 +0000 |
| commit | 72c53ac3a7faaf825752843fbb77b059a1c5f565 (patch) | |
| tree | 632d2da27736de8d8a41624a516e0560869e9da5 /src/backend/libpq/auth.c | |
| parent | d995014fac604b256e7123c472cbfd4dde91d411 (diff) | |
| download | postgresql-72c53ac3a7faaf825752843fbb77b059a1c5f565.tar.gz | |
Allow kerberos name and username case sensitivity to be specified from
postgresql.conf.
---------------------------------------------------------------------------
Here's an updated version of the patch, with the following changes:
1) No longer uses "service name" as "application version". It's instead
hardcoded as "postgres". It could be argued that this part should be
backpatched to 8.0, but it doesn't make a big difference until you can
start changing it with GUC / connection parameters. This change only
affects kerberos 5, not 4.
2) Now downcases kerberos usernames when the client is running on win32.
3) Adds guc option for "krb_caseins_users" to make the server ignore
case mismatch which is required by some KDCs such as Active Directory.
Off by default, per discussion with Tom. This change only affects
kerberos 5, not 4.
4) Updated so it doesn't conflict with the rendevouz/bonjour patch
already in ;-)
Magnus Hagander
Diffstat (limited to 'src/backend/libpq/auth.c')
| -rw-r--r-- | src/backend/libpq/auth.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index b941ccd503..7970f81756 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.123 2005/02/22 04:35:57 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.124 2005/06/04 20:42:42 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -41,6 +41,8 @@ static char *recv_password_packet(Port *port); static int recv_and_check_password_packet(Port *port); char *pg_krb_server_keyfile; +char *pg_krb_srvnam; +bool pg_krb_caseins_users; #ifdef USE_PAM #ifdef HAVE_PAM_PAM_APPL_H @@ -99,7 +101,7 @@ pg_krb4_recvauth(Port *port) status = krb_recvauth(krbopts, port->sock, &clttkt, - PG_KRB_SRVNAM, + pg_krb_srvnam, instance, &port->raddr.in, &port->laddr.in, @@ -219,16 +221,16 @@ pg_krb5_init(void) return STATUS_ERROR; } - retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM, + retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam, KRB5_NT_SRV_HST, &pg_krb5_server); if (retval) { ereport(LOG, (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d", - PG_KRB_SRVNAM, retval))); + pg_krb_srvnam, retval))); com_err("postgres", retval, "while getting server principal for service \"%s\"", - PG_KRB_SRVNAM); + pg_krb_srvnam); krb5_kt_close(pg_krb5_context, pg_krb5_keytab); krb5_free_context(pg_krb5_context); return STATUS_ERROR; @@ -264,7 +266,7 @@ pg_krb5_recvauth(Port *port) return ret; retval = krb5_recvauth(pg_krb5_context, &auth_context, - (krb5_pointer) & port->sock, PG_KRB_SRVNAM, + (krb5_pointer) & port->sock, "postgres", pg_krb5_server, 0, pg_krb5_keytab, &ticket); if (retval) { @@ -303,7 +305,11 @@ pg_krb5_recvauth(Port *port) } kusername = pg_an_to_ln(kusername); - if (strncmp(port->user_name, kusername, SM_DATABASE_USER)) + if (pg_krb_caseins_users) + ret = strncasecmp(port->user_name, kusername, SM_DATABASE_USER); + else + ret = strncmp(port->user_name, kusername, SM_DATABASE_USER); + if (ret) { ereport(LOG, (errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")", |