Thread: krb_match_realm patch
Greetings,

Regarding Magnus' patch for matching against the Kerberos realm, I'd see it as much more useful as a multi-value configuration option. Perhaps 'krb_alt_realms' or 'krb_realms'. This would look like:

Match against one, and only one, realm (does not have to be the realm the server is in, that's dealt with separately):
  krb_realms = 'ABC.COM'

Don't worry about the realm ever:
  krb_realms = ''   # default, to match current krb5

Match against multiple realms:
  krb_realms = 'ABC.COM, DEF.ABC.COM'

Note that using multiple realms implies either no overlap, or that overlap means the same person.

Additionally, I feel we should have an explicit 'krb_strip_realm' boolean option to enable this behaviour. If 'krb_strip_realm' is 'false' then the full user@REALM would be used. This would mean that more complex cross-realm could also be handled by creating users with user@REALM and then just roles when a given user exists in multiple realms.

I understand that we're in beta now but both of these are isolated and rather small changes, I believe. Also, Magnus has indicated that he'd be willing to adjust his patch accordingly if this is agreed to (please correct me if I'm wrong here :).

Thanks,
  Stephen
Stephen Frost wrote:
> Greetings,
>
> Regarding Magnus' patch for matching against the Kerberos realm, I'd
> see it as much more useful as a multi-value configuration option.
> Perhaps 'krb_alt_realms' or 'krb_realms'. This would look like:
>
> Match against one, and only one, realm (does not have to be the realm
> the server is in, that's dealt with separately):
>   krb_realms = 'ABC.COM'
>
> Don't worry about the realm ever:
>   krb_realms = ''   # default, to match current krb5
>
> Match against multiple realms:
>   krb_realms = 'ABC.COM, DEF.ABC.COM'
>
> Note that using multiple realms implies either no overlap, or that
> overlap means the same person.
>
> Additionally, I feel we should have an explicit 'krb_strip_realm'
> boolean option to enable this behaviour. If 'krb_strip_realm' is
> 'false' then the full user@REALM would be used. This would mean that
> more complex cross-realm could also be handled by creating users with
> user@REALM and then just roles when a given user exists in multiple
> realms.
>
> I understand that we're in beta now but both of these are isolated and
> rather small changes, I believe. Also, Magnus has indicated that he'd
> be willing to adjust his patch accordingly if this is agreed to
> (please correct me if I'm wrong here :).

I've committed the patch as it was without this, because that's still better than what we have now.

Just for the record, I've indicated that I'm willing to add the multi-realm match part of that, but I'm not sure we want to dig into the "krb_strip_realm" stuff this late in the cycle. At least unless someone can confirm that we won't have issues *elsewhere* from passing in very long usernames in what I believe is not entirely specified formats.

I will try to work on the multi-realm stuff next week, unless someone wants to beat me to it...

//Magnus
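To make the semantics Stephen proposes and the length concern Magnus raises concrete, here is an added example (not code from the thread or from PostgreSQL itself) that maps a Kerberos principal to a database user name under a hypothetical krb_realms / krb_strip_realm pair. The KrbRealmConfig struct, realm_allowed and map_principal are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical settings mirroring the proposal in the thread (not PostgreSQL's): */
/*   krb_realms: comma-separated realms that are accepted ("" = do not check)   */
/*   krb_strip_realm: true maps user@REALM to "user"; false keeps the principal   */
typedef struct {
    const char *krb_realms;
    bool        krb_strip_realm;
} KrbRealmConfig;

/* True if realm (rlen bytes) appears in the comma-separated list.
 * Comparison is case-sensitive, as Kerberos realm names are. */
static bool realm_allowed(const char *list, const char *realm, size_t rlen)
{
    if (list == NULL || *list == '\0')
        return true;                          /* empty list: accept any realm */
    while (*list) {
        while (*list == ' ' || *list == ',')
            list++;                           /* skip separators */
        const char *end = list;
        while (*end && *end != ',' && *end != ' ')
            end++;
        if ((size_t)(end - list) == rlen && memcmp(list, realm, rlen) == 0)
            return true;
        list = end;
    }
    return false;
}

/* Map a Kerberos principal to a database user name under the proposed options.
 * Returns true and fills out on success; false if the principal is malformed,
 * the realm is not accepted, or the result would not fit in outlen bytes. */
bool map_principal(const KrbRealmConfig *cfg, const char *principal,
                   char *out, size_t outlen)
{
    const char *at = strrchr(principal, '@');
    if (at == NULL || at == principal || at[1] == '\0')
        return false;                         /* need both a name and a realm */
    if (!realm_allowed(cfg->krb_realms, at + 1, strlen(at + 1)))
        return false;
    size_t n = cfg->krb_strip_realm ? (size_t)(at - principal) : strlen(principal);
    if (n + 1 > outlen)
        return false;                         /* bound the name length (Magnus' concern) */
    memcpy(out, principal, n);
    out[n] = '\0';
    return true;
}
```

With stripping enabled, alice@ABC.COM and alice@DEF.ABC.COM both become "alice", which is exactly the "overlap means the same person" consequence Stephen notes; with stripping disabled the two stay distinct roles.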
Added to TODO:

  o Allow Kerberos to disable stripping of realms so we can check the
    username@realm against multiple realms

    http://archives.postgresql.org/pgsql-hackers/2007-11/msg00009.php

---------------------------------------------------------------------------

Magnus Hagander wrote:
> Stephen Frost wrote:
> > Greetings,
> >
> > Regarding Magnus' patch for matching against the Kerberos realm, I'd
> > see it as much more useful as a multi-value configuration option.
> > Perhaps 'krb_alt_realms' or 'krb_realms'. This would look like:
> >
> > Match against one, and only one, realm (does not have to be the realm
> > the server is in, that's dealt with separately):
> >   krb_realms = 'ABC.COM'
> >
> > Don't worry about the realm ever:
> >   krb_realms = ''   # default, to match current krb5
> >
> > Match against multiple realms:
> >   krb_realms = 'ABC.COM, DEF.ABC.COM'
> >
> > Note that using multiple realms implies either no overlap, or that
> > overlap means the same person.
> >
> > Additionally, I feel we should have an explicit 'krb_strip_realm'
> > boolean option to enable this behaviour. If 'krb_strip_realm' is
> > 'false' then the full user@REALM would be used. This would mean that
> > more complex cross-realm could also be handled by creating users with
> > user@REALM and then just roles when a given user exists in multiple
> > realms.
> >
> > I understand that we're in beta now but both of these are isolated and
> > rather small changes, I believe. Also, Magnus has indicated that he'd
> > be willing to adjust his patch accordingly if this is agreed to
> > (please correct me if I'm wrong here :).
>
> I've committed the patch as it was without this, because that's still
> better than what we have now.
>
> Just for the record, I've indicated that I'm willing to add the
> multi-realm match part of that, but I'm not sure we want to dig into the
> "krb_strip_realm" stuff this late in the cycle. At least unless someone
> can confirm that we won't have issues *elsewhere* from passing in very
> long usernames in what I believe is not entirely specified formats.
>
> I will try to work on the multi-realm stuff next week, unless someone
> wants to beat me to it...
>
> //Magnus

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +