Here's the patch adding the parameter include_realm to
pg_hba.conf, which makes the authentication system pass the username in
user@realm format to the ident map instead of stripping the realm. This
was the original reason for having regexp support in the ident maps.

The idea is to make it a lot easier to run with multiple kerberos realms
in the same installation. Hello Stephen :-)

Comments?

//Magnus
*** a/doc/src/sgml/client-auth.sgml
--- b/doc/src/sgml/client-auth.sgml
***************
*** 786,791 **** omicron       bryanh            guest1
--- 786,803 ----
       </varlistentry>
  
       <varlistentry>
+       <term>include_realm</term>
+       <listitem>
+        <para>
+         Include the realm name from the authenticated user principal. This is useful
+         in combination with Username maps (See <xref linkend="auth-username-maps">
+         for details), especially with regular expressions, to map users from
+         multiple realms.
+        </para>
+       </listitem>
+      </varlistentry>
+ 
+      <varlistentry>
        <term>krb_realm</term>
        <listitem>
         <para>
***************
*** 847,852 **** omicron       bryanh            guest1
--- 859,876 ----
       </varlistentry>
  
       <varlistentry>
+       <term>include_realm</term>
+       <listitem>
+        <para>
+         Include the realm name from the authenticated user principal. This is useful
+         in combination with Username maps (See <xref linkend="auth-username-maps">
+         for details), especially with regular expressions, to map users from
+         multiple realms.
+        </para>
+       </listitem>
+      </varlistentry>
+ 
+      <varlistentry>
        <term>krb_realm</term>
        <listitem>
         <para>
*** a/src/backend/libpq/auth.c
--- b/src/backend/libpq/auth.c
***************
*** 748,754 **** pg_krb5_recvauth(Port *port)
  	cp = strchr(kusername, '@');
  	if (cp)
  	{
! 		*cp = '\0';
  		cp++;
  
  		if (realmmatch != NULL && strlen(realmmatch))
--- 748,760 ----
  	cp = strchr(kusername, '@');
  	if (cp)
  	{
! 		/*
! 		 * If we are not going to include the realm in the username that is passed
! 		 * to the ident map, destructively modify it here to remove the realm. Then
! 		 * advance past the separator to check the realm.
! 		 */
! 		if (!port->hba->include_realm)
! 			*cp = '\0';
  		cp++;
  
  		if (realmmatch != NULL && strlen(realmmatch))
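Review bot: With include_realm set, the realm suffix now reaches the usermap unchanged, so realm enforcement rests on either krb_realm or on the map's regular expression anchoring the realm, and the new comment should say so: a map entry that matches only the local part would accept the same local part from any realm. Suggested addition to the comment block: `* When the realm is kept, nothing in this function restricts it: either set krb_realm, or write the usermap regexp so that it anchors on the realm.` The same comment block is duplicated verbatim in pg_GSS_recvauth (the 1046,1058 hunk) and should carry the same addition. Both functions begin and end outside their hunks, so the later check_usermap call is not visible here.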
***************
*** 1040,1046 **** pg_GSS_recvauth(Port *port)
  	{
  		char	   *cp = strchr(gbuf.value, '@');
  
! 		*cp = '\0';
  		cp++;
  
  		if (realmmatch != NULL && strlen(realmmatch))
--- 1046,1058 ----
  	{
  		char	   *cp = strchr(gbuf.value, '@');
  
! 		/*
! 		 * If we are not going to include the realm in the username that is passed
! 		 * to the ident map, destructively modify it here to remove the realm. Then
! 		 * advance past the separator to check the realm.
! 		 */
! 		if (!port->hba->include_realm)
! 			*cp = '\0';
  		cp++;
  
  		if (realmmatch != NULL && strlen(realmmatch))
***************
*** 1361,1368 **** pg_SSPI_recvauth(Port *port)
  	/*
  	 * We have the username (without domain/realm) in accountname, compare to
  	 * the supplied value. In SSPI, always compare case insensitive.
  	 */
! 	return check_usermap(port->hba->usermap, port->user_name, accountname, true);
  }
  #endif   /* ENABLE_SSPI */
  
--- 1373,1394 ----
  	/*
  	 * We have the username (without domain/realm) in accountname, compare to
  	 * the supplied value. In SSPI, always compare case insensitive.
+ 	 *
+ 	 * If set to include realm, append it in <username>@<realm> format.
  	 */
! 	if (port->hba->include_realm)
! 	{
! 		char   *namebuf;
! 		int		retval;
! 
! 		namebuf = palloc(strlen(accountname) + strlen(domainname) + 2);
! 		sprintf(namebuf, "%...@%s", accountname, domainname);
! 		retval = check_usermap(port->hba->usermap, port->user_name, namebuf, true);
! 		pfree(namebuf);
! 		return retval;
! 	}
! 	else
! 		return check_usermap(port->hba->usermap, port->user_name, accountname, true);
  }
  #endif   /* ENABLE_SSPI */
  
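Review bot: The new sprintf into namebuf writes into a palloc'd buffer whose size is computed separately from the format, so the two can drift apart in later edits; bound the write with snprintf against a named length, declared next to namebuf: `size_t namelen = strlen(accountname) + strlen(domainname) + 2;`, `namebuf = palloc(namelen);`, `snprintf(namebuf, namelen, "%s@%s", accountname, domainname);` (the format string as shown here looks mangled by the mail archive and is assumed to be `"%s@%s"`; the +2 correctly covers the separator and the terminator). The comment says `<realm>`, but on SSPI the appended value is presumably the Windows domain name filled in by the account lookup earlier in the function (outside this hunk), which is worth stating in the comment so administrators writing map regexps do not expect a Kerberos realm. pg_SSPI_recvauth starts outside the hunk.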
*** a/src/backend/libpq/hba.c
--- b/src/backend/libpq/hba.c
***************
*** 1055,1060 **** parse_hba_line(List *line, int line_num, HbaLine *parsedline)
--- 1055,1071 ----
  					INVALID_AUTH_OPTION("krb_realm", "krb5, gssapi and sspi");
  				parsedline->krb_realm = pstrdup(c);
  			}
+ 			else if (strcmp(token, "include_realm") == 0)
+ 			{
+ 				if (parsedline->auth_method != uaKrb5 &&
+ 					parsedline->auth_method != uaGSS &&
+ 					parsedline->auth_method != uaSSPI)
+ 					INVALID_AUTH_OPTION("include_realm", "krb5, gssapi and sspi");
+ 				if (strcmp(c, "1") == 0)
+ 					parsedline->include_realm = true;
+ 				else
+ 					parsedline->include_realm = false;
+ 			}
  			else
  			{
  				ereport(LOG,
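Review bot: The include_realm value parsing treats every string other than `"1"` as false, so a misspelt or unexpected value (`include_realm=true`, `include_realm=yes`) silently leaves the realm stripped instead of being reported; an option that changes what reaches the usermap should reject anything but 0/1. The rewrite below keeps the method check and the `1` case, adds an explicit `0` case, and reports anything else the way the surrounding code handles unknown tokens (assuming parse_hba_line signals failure by returning false after the LOG, as the branch below appears to; adapt the ereport arguments to the file's existing form, which is not visible in this hunk). The enclosing parse_hba_line loop begins and ends outside the hunk.
```c
			else if (strcmp(token, "include_realm") == 0)
			{
				/* … unchanged: auth_method check … */
				if (strcmp(c, "1") == 0)
					parsedline->include_realm = true;
				else if (strcmp(c, "0") == 0)
					parsedline->include_realm = false;
				else
				{
					ereport(LOG,
							(errcode(ERRCODE_CONFIG_FILE_ERROR),
							 errmsg("invalid value \"%s\" for include_realm on line %d",
									c, line_num)));
					return false;
				}
			}
```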
*** a/src/include/libpq/hba.h
--- b/src/include/libpq/hba.h
***************
*** 58,63 **** typedef struct
--- 58,64 ----
  	bool		clientcert;
  	char	   *krb_server_hostname;
  	char	   *krb_realm;
+ 	bool		include_realm;
  } HbaLine;
  
  typedef struct Port hbaPort;
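Review bot: The new include_realm field has no comment and, because parse_hba_line only assigns it when the option is present (hba.c hunk), it relies on the HbaLine being zero-filled before parsing in order to default to false; confirm that holds for every allocation path and document the default on the field: `bool include_realm; /* keep "@realm" in the name passed to the usermap; defaults to false */`. The struct's opening is outside the hunk.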