	Explicitly require MIT Kerberos for GSSAPI
When building with GSSAPI support, explicitly require MIT Kerberos and check for gssapi_ext.h in configure.ac and meson.build. Also add documentation explicitly stating that we now require MIT Kerberos when building with GSSAPI support. Reviewed by: Johnathan Katz Discussion: https://postgr.es/m/abcc73d0-acf7-6896-e0dc-f5bc12a61bb1@postgresql.org
										27
									
								
								configure
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
									
									
								
							| @@ -14104,6 +14104,33 @@ done | ||||
|  | ||||
| fi | ||||
|  | ||||
| done | ||||
|  | ||||
|   for ac_header in gssapi/gssapi_ext.h | ||||
| do : | ||||
|   ac_fn_c_check_header_mongrel "$LINENO" "gssapi/gssapi_ext.h" "ac_cv_header_gssapi_gssapi_ext_h" "$ac_includes_default" | ||||
| if test "x$ac_cv_header_gssapi_gssapi_ext_h" = xyes; then : | ||||
|   cat >>confdefs.h <<_ACEOF | ||||
| #define HAVE_GSSAPI_GSSAPI_EXT_H 1 | ||||
| _ACEOF | ||||
|  | ||||
| else | ||||
|   for ac_header in gssapi_ext.h | ||||
| do : | ||||
|   ac_fn_c_check_header_mongrel "$LINENO" "gssapi_ext.h" "ac_cv_header_gssapi_ext_h" "$ac_includes_default" | ||||
| if test "x$ac_cv_header_gssapi_ext_h" = xyes; then : | ||||
|   cat >>confdefs.h <<_ACEOF | ||||
| #define HAVE_GSSAPI_EXT_H 1 | ||||
| _ACEOF | ||||
|  | ||||
| else | ||||
|   as_fn_error $? "gssapi_ext.h header file is required for GSSAPI" "$LINENO" 5 | ||||
| fi | ||||
|  | ||||
| done | ||||
|  | ||||
| fi | ||||
|  | ||||
| done | ||||
|  | ||||
| fi | ||||
|   | ||||
| @@ -1562,6 +1562,8 @@ fi | ||||
| if test "$with_gssapi" = yes ; then | ||||
|   AC_CHECK_HEADERS(gssapi/gssapi.h, [], | ||||
| 	[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])]) | ||||
|   AC_CHECK_HEADERS(gssapi/gssapi_ext.h, [], | ||||
| 	[AC_CHECK_HEADERS(gssapi_ext.h, [], [AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI])])]) | ||||
| fi | ||||
|  | ||||
| PGAC_PATH_PROGS(OPENSSL, openssl) | ||||
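Review bot: The new `AC_CHECK_HEADERS(gssapi/gssapi_ext.h, ...)` probe uses the presence of a header as the test for MIT Kerberos, and its failure message never mentions MIT, so someone building against a different GSSAPI implementation is told only that a header is missing. The error text could state the real requirement, for example `AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI (MIT Kerberos is required)])`. If later code comes to rely on the credential store extensions, a function check for one of them alongside the header check would be a stronger guarantee than the header alone. That last point is a suggestion only, since no such use is visible in this commit.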
|   | ||||
| @@ -1426,7 +1426,7 @@ omicron         bryanh                  guest1 | ||||
|     The keytab file is generated using the Kerberos software; see the | ||||
|     Kerberos documentation for details. The following example shows | ||||
|     doing this using the <application>kadmin</application> tool of | ||||
|     MIT-compatible Kerberos 5 implementations: | ||||
|     MIT Kerberos: | ||||
| <screen> | ||||
| <prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput> | ||||
| <prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput> | ||||
|   | ||||
| @@ -252,9 +252,9 @@ documentation.  See standalone-profile.xsl for details. | ||||
|  | ||||
|     <listitem> | ||||
|      <para> | ||||
|       You need <application>Kerberos</application>, <productname>OpenLDAP</productname>, | ||||
|       and/or <application>PAM</application>, if you want to support authentication | ||||
|       using those services. | ||||
|       You need <application>MIT Kerberos</application> (for GSSAPI), | ||||
|       <productname>OpenLDAP</productname>, and/or <application>PAM</application>, | ||||
|       if you want to support authentication using those services. | ||||
|      </para> | ||||
|     </listitem> | ||||
|  | ||||
| @@ -1048,9 +1048,9 @@ build-postgresql: | ||||
|        <term><option>--with-gssapi</option></term> | ||||
|        <listitem> | ||||
|         <para> | ||||
|          Build with support for GSSAPI authentication. On many systems, the | ||||
|          GSSAPI system (usually a part of the Kerberos installation) is not | ||||
|          installed in a location | ||||
|          Build with support for GSSAPI authentication. MIT Kerberos is required | ||||
|          to be installed for GSSAPI.  On many systems, the GSSAPI system (a part | ||||
|          of the MIT Kerberos installation) is not installed in a location | ||||
|          that is searched by default (e.g., <filename>/usr/include</filename>, | ||||
|          <filename>/usr/lib</filename>), so you must use the options | ||||
|          <option>--with-includes</option> and <option>--with-libraries</option> in | ||||
| @@ -2497,10 +2497,11 @@ ninja install | ||||
|       <term><option>-Dgssapi={ auto | enabled | disabled }</option></term> | ||||
|       <listitem> | ||||
|        <para> | ||||
|         Build with support for GSSAPI authentication. On many systems, the | ||||
|         GSSAPI system (usually a part of the Kerberos installation) is not | ||||
|         installed in a location that is searched by default (e.g., | ||||
|         <filename>/usr/include</filename>, <filename>/usr/lib</filename>).  In | ||||
|         Build with support for GSSAPI authentication. MIT Kerberos is required | ||||
|         to be installed for GSSAPI.  On many systems, the GSSAPI system (a part | ||||
|         of the MIT Kerberos installation) is not installed in a location | ||||
|         that is searched by default (e.g., <filename>/usr/include</filename>, | ||||
|         <filename>/usr/lib</filename>).  In | ||||
|         those cases, PostgreSQL will query <command>pkg-config</command> to | ||||
|         detect the required compiler and linker options.  Defaults to auto. | ||||
|         <filename>meson configure</filename> will check for the required | ||||
|   | ||||
							
								
								
									
										10
									
								
								meson.build
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @@ -623,6 +623,16 @@ if not gssapiopt.disabled() | ||||
|     have_gssapi = false | ||||
|   endif | ||||
|  | ||||
|   if not have_gssapi | ||||
|   elif cc.check_header('gssapi/gssapi_ext.h', dependencies: gssapi, required: false, | ||||
|       args: test_c_args, include_directories: postgres_inc) | ||||
|     cdata.set('HAVE_GSSAPI_GSSAPI_EXT_H', 1) | ||||
|   elif cc.check_header('gssapi_ext.h', args: test_c_args, dependencies: gssapi, required: gssapiopt) | ||||
|     cdata.set('HAVE_GSSAPI_EXT_H', 1) | ||||
|   else | ||||
|     have_gssapi = false | ||||
|   endif | ||||
|  | ||||
|   if not have_gssapi | ||||
|   elif cc.has_function('gss_init_sec_context', dependencies: gssapi, | ||||
|       args: test_c_args, include_directories: postgres_inc) | ||||
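Review bot: The fallback `cc.check_header('gssapi_ext.h', ...)` omits `include_directories: postgres_inc`, which both the preceding `gssapi/gssapi_ext.h` probe and the `gss_init_sec_context` check below pass, so a header reachable only through the project's include directories may be found in one spelling and missed in the other. Unless the omission is deliberate, the call could read `elif cc.check_header('gssapi_ext.h', args: test_c_args, dependencies: gssapi, include_directories: postgres_inc, required: gssapiopt)`. With the option left at auto, a missing header ends in `have_gssapi = false` without failing the configure step, so a build meant to offer Kerberos authentication can be produced without it; a short comment above the `else` saying this is intended would help. The enclosing `if not gssapiopt.disabled()` block starts before this hunk and the `has_function` call continues past it.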
|   | ||||
| @@ -922,8 +922,9 @@ pg_GSS_recvauth(Port *port) | ||||
| 	gss_cred_id_t delegated_creds; | ||||
|  | ||||
| 	/* | ||||
| 	 * Use the configured keytab, if there is one.  Unfortunately, Heimdal | ||||
| 	 * doesn't support the cred store extensions, so use the env var. | ||||
| 	 * Use the configured keytab, if there is one.  As we now require MIT | ||||
| 	 * Kerberos, we might consider using the credential store extensions in | ||||
| 	 * the future instead of the environment variable. | ||||
| 	 */ | ||||
| 	if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0') | ||||
| 	{ | ||||
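Review bot: The reworded comment above the `pg_krb_server_keyfile` test says the credential store extensions might be used in the future, but it no longer gives any reason why the environment variable is worth replacing. An environment variable is process-wide state, so the keytab setting presumably reaches every GSSAPI call in the process rather than only this credential acquisition. Stating that would tell the next maintainer why the follow-up matters, for example by adding `The environment variable affects the whole process, not only this call.` The identical comment in the secure_open_gssapi() hunk would take the same sentence. Both function bodies continue outside their hunks, so the code that actually sets the variable is not visible here.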
|   | ||||
| @@ -526,8 +526,9 @@ secure_open_gssapi(Port *port) | ||||
| 	PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0; | ||||
|  | ||||
| 	/* | ||||
| 	 * Use the configured keytab, if there is one.  Unfortunately, Heimdal | ||||
| 	 * doesn't support the cred store extensions, so use the env var. | ||||
| 	 * Use the configured keytab, if there is one.  As we now require MIT | ||||
| 	 * Kerberos, we might consider using the credential store extensions in the | ||||
| 	 * future instead of the environment variable. | ||||
| 	 */ | ||||
| 	if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0') | ||||
| 	{ | ||||
|   | ||||