Add hba parameter include_realm to krb5, gss and sspi authentication, used
to pass the full username@realm string to the authentication instead of just the username. This makes it possible to use pg_ident.conf to authenticate users from multiple realms as different database users.
This commit is contained in:
Magnus Hagander
parent
32c469d7b1
commit
b09f930d2e
@ -1,4 +1,4 @@
|
||||
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.116 2009/01/07 12:38:10 mha Exp $ -->
|
||||
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.117 2009/01/07 13:09:21 mha Exp $ -->
|
||||
|
||||
<chapter id="client-authentication">
|
||||
<title>Client Authentication</title>
|
||||
@ -785,6 +785,18 @@ omicron bryanh guest1
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>include_realm</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Include the realm name from the authenticated user principal. This is useful
|
||||
in combination with Username maps (See <xref linkend="auth-username-maps">
|
||||
for details), especially with regular expressions, to map users from
|
||||
multiple realms.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>krb_realm</term>
|
||||
<listitem>
|
||||
@ -846,6 +858,18 @@ omicron bryanh guest1
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>include_realm</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Include the realm name from the authenticated user principal. This is useful
|
||||
in combination with Username maps (See <xref linkend="auth-username-maps">
|
||||
for details), especially with regular expressions, to map users from
|
||||
multiple realms.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>krb_realm</term>
|
||||
<listitem>
|
||||
|
||||
@ -8,7 +8,7 @@
|
||||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.176 2009/01/07 12:38:11 mha Exp $
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.177 2009/01/07 13:09:21 mha Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -748,7 +748,13 @@ pg_krb5_recvauth(Port *port)
|
||||
cp = strchr(kusername, '@');
|
||||
if (cp)
|
||||
{
|
||||
*cp = '\0';
|
||||
/*
|
||||
* If we are not going to include the realm in the username that is passed
|
||||
* to the ident map, destructively modify it here to remove the realm. Then
|
||||
* advance past the separator to check the realm.
|
||||
*/
|
||||
if (!port->hba->include_realm)
|
||||
*cp = '\0';
|
||||
cp++;
|
||||
|
||||
if (realmmatch != NULL && strlen(realmmatch))
|
||||
@ -1040,7 +1046,13 @@ pg_GSS_recvauth(Port *port)
|
||||
{
|
||||
char *cp = strchr(gbuf.value, '@');
|
||||
|
||||
*cp = '\0';
|
||||
/*
|
||||
* If we are not going to include the realm in the username that is passed
|
||||
* to the ident map, destructively modify it here to remove the realm. Then
|
||||
* advance past the separator to check the realm.
|
||||
*/
|
||||
if (!port->hba->include_realm)
|
||||
*cp = '\0';
|
||||
cp++;
|
||||
|
||||
if (realmmatch != NULL && strlen(realmmatch))
|
||||
@ -1361,8 +1373,22 @@ pg_SSPI_recvauth(Port *port)
|
||||
/*
|
||||
* We have the username (without domain/realm) in accountname, compare to
|
||||
* the supplied value. In SSPI, always compare case insensitive.
|
||||
*
|
||||
* If set to include realm, append it in <username>@<realm> format.
|
||||
*/
|
||||
return check_usermap(port->hba->usermap, port->user_name, accountname, true);
|
||||
if (port->hba->include_realm)
|
||||
{
|
||||
char *namebuf;
|
||||
int retval;
|
||||
|
||||
namebuf = palloc(strlen(accountname) + strlen(domainname) + 2);
|
||||
sprintf(namebuf, "%s@%s", accountname, domainname);
|
||||
retval = check_usermap(port->hba->usermap, port->user_name, namebuf, true);
|
||||
pfree(namebuf);
|
||||
return retval;
|
||||
}
|
||||
else
|
||||
return check_usermap(port->hba->usermap, port->user_name, accountname, true);
|
||||
}
|
||||
#endif /* ENABLE_SSPI */
|
||||
|
||||
|
||||
@ -10,7 +10,7 @@
|
||||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.179 2009/01/07 12:38:11 mha Exp $
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.180 2009/01/07 13:09:21 mha Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -1053,6 +1053,17 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
|
||||
INVALID_AUTH_OPTION("krb_realm", "krb5, gssapi and sspi");
|
||||
parsedline->krb_realm = pstrdup(c);
|
||||
}
|
||||
else if (strcmp(token, "include_realm") == 0)
|
||||
{
|
||||
if (parsedline->auth_method != uaKrb5 &&
|
||||
parsedline->auth_method != uaGSS &&
|
||||
parsedline->auth_method != uaSSPI)
|
||||
INVALID_AUTH_OPTION("include_realm", "krb5, gssapi and sspi");
|
||||
if (strcmp(c, "1") == 0)
|
||||
parsedline->include_realm = true;
|
||||
else
|
||||
parsedline->include_realm = false;
|
||||
}
|
||||
else
|
||||
{
|
||||
ereport(LOG,
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
* Interface to hba.c
|
||||
*
|
||||
*
|
||||
* $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.54 2009/01/07 12:38:11 mha Exp $
|
||||
* $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.55 2009/01/07 13:09:21 mha Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -58,6 +58,7 @@ typedef struct
|
||||
bool clientcert;
|
||||
char *krb_server_hostname;
|
||||
char *krb_realm;
|
||||
bool include_realm;
|
||||
} HbaLine;
|
||||
|
||||
typedef struct Port hbaPort;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user