| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Spurious Kerberos error messages |
| Date: | 2008-11-09 17:03:15 |
| Message-ID: | 24466.1226250195@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Magnus Hagander <magnus(at)hagander(dot)net> writes:
> Another option would be not to call the kerberos code there at all. All
> other authentication methods that take the userid externally (gssapi,
> sspi, ident) require the user to specify the name to connect as if it's
> different from the one in the operating system. I think that's a very
> uncommon scenario in any case - almost everybody will be using whatever
> userid is used in the system, when using Kerberos.
Hmm, that's an interesting alternative. I like it because it takes away
some useless connection-startup overhead in the common case where you're
using a Kerberos-enabled library but Kerberos isn't set up on the system.
Another possible argument in favor is that it's bogus to ask Kerberos
for the username unless the actual auth method is Kerberos --- which is
something libpq can't know at that point.
OTOH, that code was put in deliberately. It might be a good idea to
troll the archives and see if we can find out the rationale for it.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2008-11-09 17:18:21 | Re: Spurious Kerberos error messages |
| Previous Message | Magnus Hagander | 2008-11-09 16:54:38 | Re: Spurious Kerberos error messages |