Henry B. Hotz wrote:
> Thank you very much. This helps, but I'm still evaluating how much.
>
> I *can* point at one problem though: you do a strchr(gbuf.value, '@')
> and then error out if there isn't a Kerberos realm there. In fact that
> is exactly the default username of at least one of the GSSAPI
> implementations I've tested if the realm is the same as the local
> default realm.

Eh, so how do we then determine the difference between local realm and
no realm given?

> I'm not entirely sure what the intended semantics of krb_match_realm
> are, but if you're trying to match the GSSAPI-authenticated name against
> "value_of(PGUSER)@value_of(krb_match_realm)" then you need to construct
> that string, gss_import_name() it, and then gss_compare_name() the
> imported name with the authenticated name that GSSAPI already gave you.
> I know the API overhead of doing that is a PITA, but that's what's going
> to work.

Why? (FWIW, it works perfectly fine in my test setups, so I'd really like
to know why this won't work)

> I also notice you have some code to do case insensitive name matching.
> I assume this is to take care of the fact that Microsoft Kerberos does
> case insensitive name matching (contrary to the standard and the other
> Kerberos implementations out there). I suspect issues there, but it
> will be 3-6 months before I will have an environment where I can easily
> test this. Most likely, the way to handle this is by figuring out what
> case Microsoft uses for each name inside the protocol and then
> pre-mapping to that case before feeding things to (non-Microsoft) GSSAPI.

Yes, it's for supporting Active Directory. It's there in the same way it's
there for krb5.

> I don't regard the case mapping issues as serious. We may not have the
> intended level of Windows/Unix compatibility, but I don't expect other
> issues. In other words I'm not even going to think about it until it's
> easy for me to investigate.

Note that it's turned *off* by default, so it shouldn't even affect you.

>> Attached patch implements krb_match_realm for krb5, gssapi and sspi per
>> complaint from Henry. Comments welcome.
>>
>> Working on documentation which will of course be ready when it's
>> committed :)
>>
>> Oh, and it changes the krb username handling to be the same as the
>> gssapi one. I've never heard of anybody actually using the other version
>> that it used to support, and the comment clearly states that it was
>> broken for the really complex scenarios anyway - something nobody has
>> complained about.
>
> Well, *I* complained about it. ;-)

Um, not sure we're talking about the same thing. I know you complained
about the inability to match realm, but did you complain about the
inability to use things like full X.500 names as usernames?

//Magnus

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
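Added illustration, not code from the patch discussed above: a C routine that handles the case Henry raises by treating a principal with no '@' as belonging to the local default realm instead of rejecting it, while still enforcing krb_match_realm and the optional case-insensitive user comparison. It compares the textual display name rather than going through gss_import_name()/gss_compare_name(); the function name, the default_realm parameter and the ignore_case switch are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Outcome of checking an authenticated principal against the connection. */
typedef enum { MATCH_OK, MATCH_BAD_USER, MATCH_BAD_REALM } match_result;

/*
 * authname      display name from gss_display_name(), e.g. "alice@EXAMPLE.ORG",
 *               or just "alice" when the library omits the local default realm
 * pguser        database user the client asked to connect as
 * match_realm   configured krb_match_realm; "" disables the realm check
 * default_realm local default realm, assumed for names without '@' (assumption)
 * ignore_case   case-insensitive user comparison, off by default (assumption)
 */
static match_result
check_principal(const char *authname, const char *pguser,
                const char *match_realm, const char *default_realm,
                bool ignore_case)
{
    char        user[256];
    const char *realm;
    const char *at = strchr(authname, '@');
    size_t      ulen = at ? (size_t) (at - authname) : strlen(authname);

    if (ulen == 0 || ulen >= sizeof(user))
        return MATCH_BAD_USER;          /* empty or oversized user part */
    memcpy(user, authname, ulen);
    user[ulen] = '\0';

    /* No '@' present: the GSSAPI library dropped the local default realm. */
    realm = at ? at + 1 : default_realm;

    /* Realms are case-sensitive per the standard, so always compare exactly. */
    if (match_realm[0] != '\0' && strcmp(realm, match_realm) != 0)
        return MATCH_BAD_REALM;

    /* User part: exact by default, case-folded only when explicitly enabled. */
    if (ignore_case ? strcasecmp(user, pguser) != 0 : strcmp(user, pguser) != 0)
        return MATCH_BAD_USER;

    return MATCH_OK;
}
```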