Tom Lane wrote: > Magnus Hagander <[EMAIL PROTECTED]> writes: >> Stephen Frost wrote: >>> That's true, but if we used upper-case with something NEW (SSPI) while >>> keeping it the same for the OLD (KRB5, and I'd vote GSSAPI) then we're >>> not breaking backwards compatibility while also catering to the masses. >>> I guess I don't see too many people using SSPI w/ an MIT KDC, and it >>> wasn't possible previously anyway. >>> >>> What do you think? > >> Hmm. It makes the default a lot less clear, and opens up for confusion. >> So I'm not so sure I like it :-) > > A non-backward-compatible behavior change is going to cause a lot of > confusion too.
Yeah. > If I have things straight (and I'm not sure I do) then we are treating > sspi as a different type of auth method. It would be sane, or at least > explainable, to have a different default name for the different auth > method. I think a platform-dependent default would seriously suck, > and changing the default behavior for existing configurations would > break things. So Stephen's suggestion seemed plausible to me. We use SSPI *both* as a protocol (windows talking to windows) and as an API to go GSSAPI authentication (windows talking to unix, or windows talking to windows with extra mit krb libraries). Now, we can have two different defaults both for SSPI, but that's just going to be too confusing I think. It's better to just keep the default at "postgres" in that case, and tell people that if they use AD as their KDC, they need to change it. SSPI windows to windows will actually work without doing that, because it will fallback to NTLM authentication if it's wrong. Windows to Unix will not. //Magnus ---------------------------(end of broadcast)--------------------------- TIP 4: Have you searched our list archives? http://archives.postgresql.org