Updated description added.

Your patch has been added to the PostgreSQL unapplied patches list at:

        http://momjian.postgresql.org/cgi-bin/pgpatches

It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.

---------------------------------------------------------------------------


Todd Kover wrote:
> 
>  > >> Why is this necessary?
>  > 
>  > > It's largely useful in combination with restricting the interfaces
>  > > listened to via the listen_addresses directive in the config file.  As
>  > > the code works now you can only connect via Kerberos with a service
>  > > principal derived from the hostname of the box rather than any DNS name
>  > > associated with any of the box's interfaces.
>  > 
>  > Hmm.  I guess I was confusing this with the --with-krb-srvnam configure
>  > directive, and expecting that it ought to convert that from a
>  > frozen-at-configure value into a run-time-configuration variable.
>  > What is the relationship of these two values, anyway?
> 
> A service principal is often of the form something/[EMAIL PROTECTED], and
> by default in postgres, the "something" is postgres and as it is today,
> hostname is what gethostbyname() returns.
> 
> A complete service principal might be: postgres/[EMAIL PROTECTED]
> The --with-krb-srvnam changes this.
>  
>  > The documentation additions are pretty poor in both proposed patches;
>  > they do nothing to clear up any confusion.
> 
> Indeed, if you're not familiar with Kerberos conventions this won't make
> too much sense.  Actually, the use of 'srvname' is kind of confusing.  I
> originally thought the hostname was compiled in by default.
> 
> I'd imagine most people wouldn't want to change it and if they did it
> probably would be site wide.
> 
> Something like:
> 
>       sets the hostname that the postgres server will require to be
>       used for service principals. This is combined with the value
>       specified at configure time with --with-krb-srvnam (defaulting
>       to postgres). Assuming the default of postgres, the service
>       principal would be of the form postgres/[EMAIL PROTECTED]
> 
>       The default is to allow any service principal matching an entry
>       in the keytab
> 
> (or)
> 
>       The default is the hostname of the postgres server.
> 
> depending on which patch.  That would have cleared up the confusion for
> me, anyway.
> 
> -Todd
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
