krb_match_realm patch

Lists: pgsql-hackers
From: Stephen Frost <sfrost(at)snowman(dot)net>
To: pgsql-hackers(at)postgresql(dot)org
Subject: krb_match_realm patch
Date: 2007-11-01 14:41:51
Message-ID: 20071101144151.GU5031@tamriel.snowman.net

Greetings,

Regarding Magnus' patch for matching against the Kerberos realm- I'd
see it as much more useful as a multi-value configuration option.
Perhaps 'krb_alt_realms' or 'krb_realms'. This would look like:

Match against one, and only one, realm (does not have to be the realm
the server is in, that's dealt with separately):
krb_realms = 'ABC.COM'

Don't worry about the realm ever:
krb_realms = '' # default, to match current krb5

Match against multiple realms:
krb_realms = 'ABC.COM, DEF.ABC.COM'

Note that using multiple realms implies either no overlap, or that
overlap means the same person.

Additionally, I feel we should have an explicit 'krb_strip_realm'
boolean option to enable this behaviour. If 'krb_strip_realm' is
'false' then the full user(at)REALM would be used. This would mean that
more complex cross-realm could also be handled by creating users with
user(at)REALM and then just roles when a given user exists in multiple
realms.

I understand that we're in beta now but both of these are isolated and
rather small changes, I believe. Also, Magnus has indicated that he'd
be willing to adjust his patch accordingly if this is agreed to
(please correct me if I'm wrong here :).

Thanks,

Stephen
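The matching rules sketched above, written out as an added example for this thread (this is not PostgreSQL's code and not Magnus' patch; the function name krb_map_principal and its arguments are hypothetical). It accepts a comma-separated krb_realms list, treats the empty string as "don't check", and applies the proposed krb_strip_realm switch; with stripping on, user@ABC.COM and user@DEF.ABC.COM both map to the same role, which is exactly the overlap caveat noted above.

```c
#include <stdbool.h>
#include <string.h>

/*
 * Hypothetical illustration of the semantics proposed in the thread
 * (not PostgreSQL's own code): map a Kerberos principal "user@REALM"
 * to the name used for the database role.
 *
 *   krb_realms   comma-separated list of accepted realms; "" accepts any
 *   strip_realm  if true the role name is "user", otherwise "user@REALM"
 *
 * Returns true and fills `out` on success; false if the realm is not
 * accepted, the principal is malformed, or `out` is too small.
 */
bool krb_map_principal(const char *principal, const char *krb_realms,
                       bool strip_realm, char *out, size_t outlen)
{
    const char *at = strrchr(principal, '@');
    if (at == NULL || at == principal || at[1] == '\0')
        return false;                 /* require non-empty user and realm */
    const char *realm = at + 1;
    size_t realm_len = strlen(realm);
    bool accepted = (krb_realms[0] == '\0');   /* "" means: don't check */

    /* Walk the comma-separated list, ignoring surrounding whitespace. */
    const char *p = krb_realms;
    while (!accepted && *p != '\0')
    {
        while (*p == ' ' || *p == '\t') p++;
        const char *start = p;
        while (*p != '\0' && *p != ',') p++;
        const char *end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        /* Realm names are case-sensitive in Kerberos, so compare exactly. */
        if ((size_t)(end - start) == realm_len &&
            memcmp(start, realm, realm_len) == 0)
            accepted = true;
        if (*p == ',') p++;
    }
    if (!accepted)
        return false;

    /* Strip the realm or keep the full principal, per the proposed option. */
    size_t want = strip_realm ? (size_t)(at - principal) : strlen(principal);
    if (want + 1 > outlen)
        return false;
    memcpy(out, principal, want);
    out[want] = '\0';
    return true;
}
```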


From: Magnus Hagander <magnus(at)hagander(dot)net>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: krb_match_realm patch
Date: 2007-11-09 17:33:48
Message-ID: 473499FC.90600@hagander.net
Lists: pgsql-hackers

Stephen Frost wrote:
> Greetings,
>
> Regarding Magnus' patch for matching against the Kerberos realm- I'd
> see it as much more useful as a multi-value configuration option.
> Perhaps 'krb_alt_realms' or 'krb_realms'. This would look like:
>
> Match against one, and only one, realm (does not have to be the realm
> the server is in, that's dealt with separately):
> krb_realms = 'ABC.COM'
>
> Don't worry about the realm ever:
> krb_realms = '' # default, to match current krb5
>
> Match against multiple realms:
> krb_realms = 'ABC.COM, DEF.ABC.COM'
>
> Note that using multiple realms implies either no overlap, or that
> overlap means the same person.
>
> Additionally, I feel we should have an explicit 'krb_strip_realm'
> boolean option to enable this behaviour. If 'krb_strip_realm' is
> 'false' then the full user(at)REALM would be used. This would mean that
> more complex cross-realm could also be handled by creating users with
> user(at)REALM and then just roles when a given user exists in multiple
> realms.
>
> I understand that we're in beta now but both of these are isolated and
> rather small changes, I believe. Also, Magnus has indicated that he'd
> be willing to adjust his patch accordingly if this is agreed to
> (please correct me if I'm wrong here :).

I've committed the patch as it was without this, because that's still
better than what we have now.

Just for the record, I've indicated that I'm willing to add the
multi-realm match part of that, but I'm not sure we want to dig into the
"krb_strip_realm" stuff this late in the cycle. At least unless someone
can confirm that we won't have issues *elsewhere* from passing in very
long usernames in what I believe is not entirely specified formats.

I will try to work on the multi-realm stuff next week, unless someone
wants to beat me to it...

//Magnus


From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: krb_match_realm patch
Date: 2008-03-17 18:23:02
Message-ID: 200803171823.m2HIN3907293@momjian.us
Lists: pgsql-hackers


Added to TODO:

o Allow Kerberos to disable stripping of realms so we can
check the username(at)realm against multiple realms

http://archives.postgresql.org/pgsql-hackers/2007-11/msg00009.php

---------------------------------------------------------------------------

Magnus Hagander wrote:
> Stephen Frost wrote:
> > Greetings,
> >
> > Regarding Magnus' patch for matching against the Kerberos realm- I'd
> > see it as much more useful as a multi-value configuration option.
> > Perhaps 'krb_alt_realms' or 'krb_realms'. This would look like:
> >
> > Match against one, and only one, realm (does not have to be the realm
> > the server is in, that's dealt with separately):
> > krb_realms = 'ABC.COM'
> >
> > Don't worry about the realm ever:
> > krb_realms = '' # default, to match current krb5
> >
> > Match against multiple realms:
> > krb_realms = 'ABC.COM, DEF.ABC.COM'
> >
> > Note that using multiple realms implies either no overlap, or that
> > overlap means the same person.
> >
> > Additionally, I feel we should have an explicit 'krb_strip_realm'
> > boolean option to enable this behaviour. If 'krb_strip_realm' is
> > 'false' then the full user(at)REALM would be used. This would mean that
> > more complex cross-realm could also be handled by creating users with
> > user(at)REALM and then just roles when a given user exists in multiple
> > realms.
> >
> > I understand that we're in beta now but both of these are isolated and
> > rather small changes, I believe. Also, Magnus has indicated that he'd
> > be willing to adjust his patch accordingly if this is agreed to
> > (please correct me if I'm wrong here :).
>
> I've committed the patch as it was without this, because that's still
> better than what we have now.
>
> Just for the record, I've indicated that I'm willing to add the
> multi-realm match part of that, but I'm not sure we want to dig into the
> "krb_strip_realm" stuff this late in the cycle. At least unless someone
> can confirm that we won't have issues *elsewhere* from passing in very
> long usernames in what I believe is not entirely specified formats.
>
> I will try to work on the multi-realm stuff next week, unless someone
> wants to beat me to it...
>
> //Magnus

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +