
Allow kerberos name and username case sensitivity to be specified from postgresql.conf.

---------------------------------------------------------------------------


Here's an updated version of the patch, with the following changes:

1) No longer uses "service name" as "application version". It's instead
hardcoded as "postgres". It could be argued that this part should be
backpatched to 8.0, but it doesn't make a big difference until you can
start changing it with GUC / connection parameters. This change only
affects kerberos 5, not 4.

2) Now downcases kerberos usernames when the client is running on win32.

3) Adds guc option for "krb_caseins_users" to make the server ignore
case mismatch which is required by some KDCs such as Active Directory.
Off by default, per discussion with Tom. This change only affects
kerberos 5, not 4.

4) Updated so it doesn't conflict with the rendezvous/bonjour patch
already in ;-)

Magnus Hagander
This commit is contained in:
Bruce Momjian
2005-06-04 20:42:43 +00:00
parent d995014fac
commit 72c53ac3a7
14 changed files with 167 additions and 52 deletions

View File

@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.79 2005/04/27 20:11:07 momjian Exp $
$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.80 2005/06/04 20:42:41 momjian Exp $
-->
<chapter id="client-authentication">
@ -617,7 +617,7 @@ local db1,db2,@demodbs all md5
quite complex (yet powerful). The
<ulink url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">
Kerberos <acronym>FAQ</></ulink> or
<ulink url="ftp://athena-dist.mit.edu">MIT Project Athena</ulink>
<ulink url="http://web.mit.edu/kerberos/www/">MIT Kerberos page</ulink>
can be a good starting point for exploration.
Several sources for <productname>Kerberos</> distributions exist.
</para>
@ -626,23 +626,29 @@ local db1,db2,@demodbs all md5
While <productname>PostgreSQL</> supports both Kerberos 4 and
Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is
considered insecure and no longer recommended for general
use.
</para>
<para>
In order to use <productname>Kerberos</>, support for it must be
enabled at build time. See <xref linkend="installation"> for more
information. Both Kerberos 4 and 5 are supported, but only one
version can be supported in any one build.
use. Only one version of Kerberos can be supported in any one
build, and support must be enabled at build time. See
<xref linkend="installation"> for more information.
</para>
<para>
<productname>PostgreSQL</> operates like a normal Kerberos service.
The name of the service principal is
<literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>, where
<replaceable>servicename</> is <literal>postgres</literal> (unless a
different service name was selected at configure time with
<literal>./configure --with-krb-srvnam=whatever</>).
<literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
</para>
<para>
<replaceable>servicename</> can be set on the server side using the
<xref linkend="guc-krb-srvname"> configuration parameter, and on the
client side using the krbsrvname connection parameter. (See also <xref linkend="libpq-connect">.). The installation default can be changed from the default
<literal>postgres</literal> at build time using
<literal>./configure --with-krb-srvnam=whatever</>). In most environments,
this parameter never needs to be changed. However, to support multiple
<productname>PostgreSQL</> installations on the same host it is necessary.
Some Kerberos implementations may also require a different service name,
such as Microsoft Active Directory which requires the service name
to be in uppercase (<literal>POSTGRES</literal>).
</para>
<para>
<replaceable>hostname</> is the fully qualified host name of the
server machine. The service principal's realm is the preferred realm
of the server machine.
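Review bot: the new servicename paragraph has two punctuation slips that will show up verbatim in the rendered docs: "(See also <xref linkend="libpq-connect">.)." ends with a doubled period, and "./configure --with-krb-srvnam=whatever</>)" keeps a closing parenthesis from the old sentence that no longer has an opening one. While touching it, wrap the client-side parameter as <literal>krbsrvname</literal> like the other parameter names in this file, and consider rephrasing "to support multiple PostgreSQL installations on the same host it is necessary" as "it is necessary when running multiple PostgreSQL installations on the same host". The Active Directory remark is the useful operational point here; stating explicitly that the server's krb_srvname and the client's krbsrvname must agree (including case) would save readers a failed login.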
@ -658,12 +664,12 @@ local db1,db2,@demodbs all md5
</para>
<para>
Make sure that your server key file is readable (and preferably
Make sure that your server keytab file is readable (and preferably
only readable) by the <productname>PostgreSQL</productname> server
account. (See also <xref linkend="postgres-user">.) The location
of the key file is specified by the <xref
linkend="guc-krb-server-keyfile"> configuration
parameter. (See also <xref linkend="runtime-config">.) The default
parameter. The default
is <filename>/etc/srvtab</> if you are using Kerberos 4 and
<filename>/usr/local/pgsql/etc/krb5.keytab</> (or whichever
directory was specified as <varname>sysconfdir</> at build time)
@ -671,12 +677,13 @@ local db1,db2,@demodbs all md5
</para>
<para>
To generate the keytab file, use for example (with version 5)
The keytab file is generated in the Kerberos system, see the
Kerberos documentation for details. The following example is
for MIT-compatible Kerberos 5 implementations:
<screen>
<prompt>kadmin% </><userinput>ank -randkey postgres/server.my.domain.org</>
<prompt>kadmin% </><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
</screen>
Read the <productname>Kerberos</> documentation for details.
</para>
<para>
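Review bot: "The keytab file is generated in the Kerberos system, see the Kerberos documentation for details." is a comma splice and "in the Kerberos system" is vague; suggest "The keytab file is generated with the Kerberos administration tools; see the Kerberos documentation for details." Also, now that the service name is configurable, the kadmin example should say that the principal name (postgres/server.my.domain.org) must match the krb_srvname the server is configured with, since the client-auth section above tells Active Directory users to switch to POSTGRES.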

View File

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.233 2005/05/15 00:26:18 momjian Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.234 2005/06/04 20:42:41 momjian Exp $ -->
<chapter id="installation">
<title><![%standalone-include[<productname>PostgreSQL</>]]>
@ -816,8 +816,8 @@ su - postgres
<term><option>--with-krb-srvnam=<replaceable>NAME</></option></term>
<listitem>
<para>
The name of the Kerberos service principal.
<literal>postgres</literal> is the default. There's probably no
The default name of the Kerberos service principal.
<literal>postgres</literal> is the default. There's usually no
reason to change this.
</para>
</listitem>
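Review bot: "The default name of the Kerberos service principal. postgres is the default." now says "default" twice in a row. Suggest "The default name of the Kerberos service principal; it can be overridden at run time with the krb_srvname configuration parameter. postgres is the default." so the reader learns why this build option is rarely worth changing.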

View File

@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.181 2005/05/30 19:32:44 momjian Exp $
$PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.182 2005/06/04 20:42:41 momjian Exp $
-->
<chapter id="libpq">
@ -279,6 +279,18 @@ PGconn *PQconnectdb(const char *conninfo);
</listitem>
</varlistentry>
<varlistentry>
<term><literal>krbsrvname</literal></term>
<listitem>
<para>
Kerberos service name to use when authenticating with Kerberos 4 or 5.
This must match the service name specified in the server
configuration for Kerberos authentication to succeed. (See also
<xref linkend="kerberos-auth">.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>service</literal></term>
<listitem>
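Review bot: the krbsrvname entry never states the default value, so a reader cannot tell what "must match the service name specified in the server configuration" resolves to when neither side sets anything. Suggest adding "The default is postgres, or whatever was selected with --with-krb-srvnam at build time." and pointing at the PGKRBSRVNAME environment variable added later in this patch.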
@ -3770,6 +3782,15 @@ setting, and is only available if
</listitem>
<listitem>
<para>
<indexterm>
<primary><envar>PGKRBSRVNAME</envar></primary>
</indexterm>
<envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when
authenticating with Kerberos 4 or 5.
</para>
</listitem>
<listitem>
<para>
<indexterm>
<primary><envar>PGCONNECT_TIMEOUT</envar></primary>
</indexterm>
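Review bot: for consistency with the connection-parameter entry, PGKRBSRVNAME should be described as equivalent to the krbsrvname connection parameter rather than re-describing it, e.g. "PGKRBSRVNAME sets the Kerberos service name to use when authenticating with Kerberos 4 or 5; it is equivalent to the krbsrvname connection parameter."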

View File

@ -1,5 +1,5 @@
<!--
$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.321 2005/05/25 02:56:15 neilc Exp $
$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.322 2005/06/04 20:42:41 momjian Exp $
-->
<chapter Id="runtime">
@ -955,11 +955,39 @@ SET ENABLE_SEQSCAN TO OFF;
<listitem>
<para>
Sets the location of the Kerberos server key file. See
<xref linkend="kerberos-auth"> for details.
<xref linkend="kerberos-auth"> for details. This parameter
can only be set at server start.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-srvname" xreflabel="krb_srvname">
<term><varname>krb_srvname</varname> (<type>string</type>)</term>
<indexterm>
<primary><varname>krb_srvname</> configuration parameter</primary>
</indexterm>
<listitem>
<para>
Sets the Kerberos service name. See <xref linkend="kerberos-auth">
for details. This parameter can only be set at server start.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
<term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
<indexterm>
<primary><varname>krb_caseins_users</varname> configuration parameter</primary>
</indexterm>
<listitem>
<para>
Sets if Kerberos usernames should be treated case-insensitive.
The default is off (case sensitive). This parameter can only be
set at server start.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
<term><varname>db_user_namespace</varname> (<type>boolean</type>)</term>
<indexterm>
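Review bot: "Sets if Kerberos usernames should be treated case-insensitive." should read "Sets whether Kerberos user names are treated case-insensitively." More importantly, this description should say what the option relaxes: when on, the case of the Kerberos principal is ignored when it is compared with the database user name. The commit message notes this is only needed for KDCs such as Active Directory, and the docs should state that so administrators leave it at the default off unless their KDC requires it. Also, the krb_srvname entry gives no default while krb_caseins_users does; add "The default is postgres." to krb_srvname for symmetry.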