* Henry B. Hotz ([EMAIL PROTECTED]) wrote: > What the krb5 method does is IMO a documented bug. The realm name is part > of the name. > > As I explained at some length you cannot assume the username (first > component of the principal) has any meaning by itself, except in small > deployments with no external trust agreements. Kerberos (and AD) are > designed to support larger infrastructures with multiple organizations.
This isn't unexpected for PG as the current krb5 support does this. I'm not a big fan of it but at the same time I don't feel it's justification to drop it from 8.3. Having it only allow the default realm would be an option which could work in 8.3, imv. Longer term (since it's likely too late to be accepted now), as I think has been discussed in the past, PG could really use a .k5login-esque, either admin-only (ala pg_hba.conf / ident map) or per-user (some sort of ALTER ROLE that a user could do on himself?), mapping functionality. It doesn't strike me as terribly complex or hard to do but it certainly goes beyond the what is currently implemented for GSS in 8.3, and what exists currently for krb5. It's also something which could, technically, be added later. I do think it would be better done now though, if possible, since otherwise we would have to default to the current sub-par behaviour for quite some time (if not forever). Thanks, Stephen
Description: Digital signature