Magnus Hagander wrote:
> > I have developed the attached patch, which documents the inability to
> > use MD5 with db_user_namespace, and throws an error when it is used:
> >
> > psql: FATAL: MD5 authentication is not supported when
> > "db_user_namespace" is enabled
>
> IMHO it would be much nicer to detect this when we load pg_hba.conf.
> It's easy to do these days :-P
>
> I don't think we need to worry about the "changed postgresql.conf after
> we changed pg_hba.conf" that much, because we'll always reload
> pg_hba.conf after the main config file.
>
> I'd still leave the runtime check in as well to handle the "loaded one
> but not the other" case, but let's try prevent the user from loading the
> broken config file in the first place..
[ Thread moved to hackers. ]
OK, updated patch attached.
--
Bruce Momjian <[EMAIL PROTECTED]> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/config.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v
retrieving revision 1.195
diff -c -c -r1.195 config.sgml
*** doc/src/sgml/config.sgml 11 Nov 2008 02:42:31 -0000 1.195
--- doc/src/sgml/config.sgml 11 Nov 2008 18:49:05 -0000
***************
*** 706,711 ****
--- 706,720 ----
before the user name is looked up by the server.
</para>
+ <para>
+ Keep in mind all authentication checks are done with
+ the server's representation of the user name, not the client's.
+ Because of this, <literal>MD5</> authentication will not work
+ when <literal>db_user_namespace</> is enabled because the
+ client and server have different representations of the user
+ name.
+ </para>
+
<note>
<para>
This feature is intended as a temporary measure until a
Index: src/backend/libpq/auth.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/libpq/auth.c,v
retrieving revision 1.170
diff -c -c -r1.170 auth.c
*** src/backend/libpq/auth.c 28 Oct 2008 12:10:43 -0000 1.170
--- src/backend/libpq/auth.c 11 Nov 2008 18:49:06 -0000
***************
*** 368,373 ****
--- 368,377 ----
break;
case uaMD5:
+ if (Db_user_namespace)
+ ereport(FATAL,
+ (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
sendAuthRequest(port, AUTH_REQ_MD5);
status = recv_and_check_password_packet(port);
break;
Index: src/backend/libpq/hba.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/libpq/hba.c,v
retrieving revision 1.172
diff -c -c -r1.172 hba.c
*** src/backend/libpq/hba.c 28 Oct 2008 12:10:43 -0000 1.172
--- src/backend/libpq/hba.c 11 Nov 2008 18:49:06 -0000
***************
*** 846,852 ****
--- 846,861 ----
else if (strcmp(token, "reject") == 0)
parsedline->auth_method = uaReject;
else if (strcmp(token, "md5") == 0)
+ {
+ if (Db_user_namespace)
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
+ return false;
+ }
parsedline->auth_method = uaMD5;
+ }
else if (strcmp(token, "pam") == 0)
#ifdef USE_PAM
parsedline->auth_method = uaPAM;
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
