| From: | Heikki Linnakangas <heikki(at)enterprisedb(dot)com> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Dave Page <dpage(at)postgresql(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Future of krb5 authentication |
| Date: | 2007-07-18 19:44:39 |
| Message-ID: | 469E6DA7.1040202@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Stephen Frost wrote:
> Honestly, for now I'm happy w/ it being a connectionstring option. It
> seems the most appropriate place for it to go. That does mean that
> applications may need to be modified to support gssapi (where they might
> not have to be for sspi since it's the default), but since we're going
> to keep krb5 support around for a bit there's time for those
> applications to catch up without breaking things explicitly for people
> migrating to 8.3.
Isn't it possible to open the socket, try GSSAPI handshaking with
protocol, and fall back to krb5 protocol if that fails? If that's not
possible, how about handling it like we handle postgres protocol 3 vs 2?
Connect using GSSAPI first, and if that fails, retry with krb5.
--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Oleg Bartunov | 2007-07-18 19:46:55 | Re: Updated tsearch documentation |
| Previous Message | Stephen Frost | 2007-07-18 19:37:52 | Re: Future of krb5 authentication |