On Sun, Jan 23, 2011 at 16:02, Christian Ullrich <ch...@chrullrich.net> wrote:
> * Christian Ullrich wrote:
>
>> Magnus Hagander wrote:
>
>>> On Mon, Jan 3, 2011 at 14:11, Christian Ullrich<ch...@chrullrich.net>
>>> wrote:
>
>>>> This change has been tested and works correctly on FreeBSD 8.1, using
>>>> the Kerberos and GSSAPI libraries from Heimdal 1.4. The server is
>>>> running PostgreSQL 9.0.2 on Windows 2008.
>
>>> Does this require some certain minimum version of the kerberos
>>> libraries? Do you know if it works with just Heimdal or both Heimdal
>>> and MIT?
>
>> it works with anything but the configuration I mentioned. I will do some
>> more testing this week, but I'm limited in the number of combinations I
>> can try; some randomly chosen Linux distributions with whatever Kerberos
>> they ship and the Heimdal from the FreeBSD 8 base system instead of the
>> port (if I can get PostgreSQL to build with that) against Windows 2003
>> and 2008 is probably going to be all I can offer. Expect a report early
>> next week.
>
> This is what I tested this week. If there are any additional questions,
> please let me know.
Thanks, this is exactly the kind of testing I was hoping for - or
rather, it's a lot more extensive than I was hoping for :)
However, i think the code path down around the error message is simply
incorrect. That #ifdef spaghetti is pretty hard to parse, but it gives
the wrong error message (we should say it's sspi that's not available
when we have none of the two options) and/or a "duplicate case label"
error, in some combinations of sspi/gssapi existing/notexisting.
Attached is an updated version of the patch that passes compiling on
all my systems in different combinations, including msvc. Can you
verify that it still works in your env? (you don't have to retest all
those platforms!)
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 0d3cad0..7d2ef51 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -831,6 +831,10 @@ pg_fe_sendauth(AuthRequest areq, PGconn *conn)
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
case AUTH_REQ_GSS:
+#if !defined(ENABLE_SSPI)
+ /* no native SSPI, so use GSSAPI library for it */
+ case AUTH_REQ_SSPI:
+#endif
{
int r;
@@ -888,13 +892,14 @@ pg_fe_sendauth(AuthRequest areq, PGconn *conn)
pgunlock_thread();
}
break;
-#else
+#else /* defined(ENABLE_GSS) || defined(ENABLE_SSPI) */
+ /* No GSSAPI *or* SSPI support */
case AUTH_REQ_GSS:
case AUTH_REQ_GSS_CONT:
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("GSSAPI authentication not supported\n"));
return STATUS_ERROR;
-#endif
+#endif /* defined(ENABLE_GSS) || defined(ENABLE_SSPI) */
#ifdef ENABLE_SSPI
case AUTH_REQ_SSPI:
@@ -914,11 +919,19 @@ pg_fe_sendauth(AuthRequest areq, PGconn *conn)
pgunlock_thread();
break;
#else
+ /*
+ * No SSPI support. However, if we have GSSAPI but not SSPI
+ * support, AUTH_REQ_SSPI will have been handled in the codepath
+ * for AUTH_REQ_GSSAPI above, so don't duplicate the case label
+ * in that case.
+ */
+#if !defined(ENABLE_GSS)
case AUTH_REQ_SSPI:
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("SSPI authentication not supported\n"));
return STATUS_ERROR;
-#endif
+#endif /* !define(ENABLE_GSSAPI) */
+#endif /* ENABLE_SSPI */
case AUTH_REQ_CRYPT:
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
