Heikki Linnakangas
bd62a211b5
Raise the maximum authentication token (Kerberos ticket) size in GSSAPI
and SSPI authentication methods. While the old 2000 byte limit was more than
enough for Unix Kerberos implementations, tickets issued by Windows Domain
Controllers can be much larger.
Ian Turner
2009-10-14 07:27:27 +00:00
Magnus Hagander
6c4637a3b3
Disallow empty passwords in LDAP authentication, the same way
we already do it for PAM.
2009-06-25 11:30:08 +00:00
Bruce Momjian
d747140279
8.4 pgindent run, with new combined Linux/FreeBSD/MinGW typedef list
provided by Andrew.
2009-06-11 14:49:15 +00:00
Magnus Hagander
b1c2781951
Properly return the usermap result when doing gssapi authentication. Without
this, the username was in practice never matched against the kerberos principal
used to log in.
2009-05-27 21:08:22 +00:00
Tom Lane
7cdfa488c7
Remove last references to the crypt auth method, per Andreas Scherbaum.
2009-04-01 03:23:50 +00:00
Tom Lane
727ffa1d1e
Clean up pg_SSPI_error() coding a little bit: make the messages more
consistent, translate where intended, const-ify declarations.
Resolves a gripe from Alvaro as well as some stuff I didn't like.
2009-03-22 18:06:35 +00:00
Magnus Hagander
1b4e729eaa
Make krb_realm and krb_server_hostname be pg_hba options only, and remove
their GUCs.
In passing, noted that the pg_hba options for krb5 authentication weren't
listed at all - so add this.
2009-01-09 10:13:19 +00:00
Magnus Hagander
b09f930d2e
Add hba parameter include_realm to krb5, gss and sspi authentication, used
to pass the full username@realm string to the authentication instead of
just the username. This makes it possible to use pg_ident.conf to authenticate
users from multiple realms as different database users.
2009-01-07 13:09:21 +00:00
Magnus Hagander
32c469d7b1
Allow krb_realm (krb5, gssapi and sspi) and krb_server_hostname (krb5 only)
authentication options to be set in pg_hba.conf on a per-line basis, to
override the defaults set in postgresql.conf.
2009-01-07 12:38:11 +00:00
Bruce Momjian
511db38ace
Update copyright for 2009.
2009-01-01 17:24:05 +00:00
Bruce Momjian
170b66a0c5
Issue a proper error message when MD5 is attempted when
db_user_namespace is enabled.
Also document this limitation.
2008-11-20 20:45:30 +00:00
Magnus Hagander
f179d5ea99
Add support for using SSL client certificates to authenticate to the
database (only for SSL connections, obviously).
2008-11-20 11:48:26 +00:00
Magnus Hagander
3c486fbd1c
Control client certificate requesting with the pg_hba option "clientcert"
instead of just relying on the root certificate file to be present.
2008-11-20 09:29:36 +00:00
Peter Eisentraut
f426fbf746
Ident authentication over Unix-domain sockets on Solaris, using
getpeerucred() function.
Author: Garick Hamlin <ghamlin@isc.upenn.edu>
2008-11-18 13:10:20 +00:00
Magnus Hagander
53a5026b5c
Remove support for (insecure) crypt authentication.
This breaks compatibility with pre-7.2 versions.
2008-10-28 12:10:44 +00:00
Magnus Hagander
7356381ef5
* make pg_hba authoption be a set of 0 or more name=value pairs
* make LDAP use this instead of the hacky previous method to specify
the DN to bind as
* make all auth options behave the same when they are not compiled
into the server
* rename "ident maps" to "user name maps", and support them for all
auth methods that provide an external username
This makes a backwards incompatible change in the format of pg_hba.conf
for the ident, PAM and LDAP authentication methods.
2008-10-23 13:31:10 +00:00
Magnus Hagander
9872381090
Parse pg_hba.conf in postmaster, instead of once in each backend for
each connection. This makes it possible to catch errors in the pg_hba
file when it's being reloaded, instead of silently reloading a broken
file and failing only when a user tries to connect.
This patch also makes the "sameuser" argument to ident authentication
optional.
2008-09-15 12:32:57 +00:00
Magnus Hagander
26e6991a2d
Rearrange the code in auth.c so that all functions for a single authentication
methods are grouped together in a reasonably similar way, keeping the "global
shared functions" together in their own section as well. Makes it a lot easier
to find your way around the code.
2008-08-01 11:41:12 +00:00
Magnus Hagander
c30c1b8786
Move ident authentication code into auth.c along with the other authentication
routines, leaving hba.c to deal only with processing the HBA specific files.
2008-08-01 09:09:49 +00:00
Tom Lane
94be06af76
Fix parsing of LDAP URLs so it doesn't reject spaces in the "suffix" part.
Per report from César Miguel Oliveira Alves.
2008-07-24 17:51:55 +00:00
Tom Lane
81e770857d
Since GSSAPI and SSPI authentication don't work in protocol version 2,
issue a helpful error message instead of sending unparsable garbage.
(It is clearly a design error that this doesn't work, but fixing it
is not worth the trouble at this point.) Per discussion.
2008-02-08 17:58:46 +00:00
Tom Lane
b58d8c9a53
Don't putenv() a string that is allocated in a context that will go away
soon. I suspect this explains bug #3902, though I'm still not able to
reproduce that.
2008-01-30 04:11:19 +00:00
Bruce Momjian
9098ab9e32
Update copyrights in source tree to 2008.
2008-01-01 19:46:01 +00:00
Peter Eisentraut
178c78c79f
Fix typo
2007-11-28 13:30:16 +00:00
Peter Eisentraut
542d04e179
correct capitalization
2007-11-27 12:17:27 +00:00
Bruce Momjian
fdf5a5efb7
pgindent run for 8.3.
2007-11-15 21:14:46 +00:00
Peter Eisentraut
166f67cebe
Message improvements
2007-11-15 20:04:38 +00:00
Magnus Hagander
4b606ee444
Add parameter krb_realm used by GSSAPI, SSPI and Kerberos
to validate the realm of the connecting user. By default
it's empty meaning no verification, which is the way
Kerberos authentication has traditionally worked in
PostgreSQL.
2007-11-09 17:31:07 +00:00
Bruce Momjian
7f9de5407a
Fix GSS API pointer checking.
Kris Jurka
2007-09-14 15:58:02 +00:00
Magnus Hagander
d602592494
Make it possible, and default, for MingW to build with SSPI support
by dynamically loading the function that's missing from the MingW
headers and library.
2007-07-24 09:00:27 +00:00
Magnus Hagander
f70866fb23
SSPI authentication on Windows. GSSAPI compatible client when doing Kerberos
against a Unix server, and Windows-specific server-side authentication
using SSPI "negotiate" method (Kerberos or NTLM).
Only builds properly with MSVC for now.
2007-07-23 10:16:54 +00:00
Tom Lane
72c7badbab
Fix some warnings (probably actual bugs) generated by new GSSAPI code
when built on a 64-bit machine. Per buildfarm results extracted by Stefan.
2007-07-12 20:36:11 +00:00
Magnus Hagander
784fd04940
Enable GSSAPI to build using MSVC. Always build GSSAPI when Kerberos is
enabled, because the only Kerberos library supported always contains it.
2007-07-12 14:43:21 +00:00
Magnus Hagander
65a513c249
Support GSSAPI builds where the header is <gssapi.h> and not <gssapi/gssapi.h>,
such as OpenBSD (possibly all Heimdal).
Stefan Kaltenbrunner
2007-07-12 14:36:52 +00:00
Magnus Hagander
31013db0a1
A bunch of GSSAPI fixes per comments from Tom:
* use elog not ereport for debug
* fix debug levels for some output
* properly check for memory allocation errors in a couple of missed places
2007-07-11 08:27:33 +00:00
Magnus Hagander
6160106c74
Add support for GSSAPI authentication.
Documentation still being written, will be committed later.
Henry B. Hotz and Magnus Hagander
2007-07-10 13:14:22 +00:00
Bruce Momjian
fe03a5f4ae
Check if the role exists before doing more complex ident and Kerberos
authentication checks in the backend.
Gavin Sherry
2007-02-08 04:52:18 +00:00
Bruce Momjian
29dccf5fe0
Update CVS HEAD for 2007 copyright. Back branches are typically not
back-stamped for this.
2007-01-05 22:20:05 +00:00
Neil Conway
62fe410ec6
Minor fix for LDAP authentication: if an error occurs, we need to
manually release the LDAP handle via ldap_unbind(). This isn't a
significant problem in practice because an error eventually results
in exiting the process, but we can cleanup correctly without too
much pain.
In passing, fix an error in snprintf() usage: the "size" parameter
to snprintf() is the size of the destination buffer, including space
for the NUL terminator. Also, depending on the value of NAMEDATALEN,
the old coding could have allowed for a buffer overflow.
2006-11-06 01:27:52 +00:00
Peter Eisentraut
b9b4f10b5b
Message style improvements
2006-10-06 17:14:01 +00:00
Bruce Momjian
f99a569a2e
pgindent run for 8.2.
2006-10-04 00:30:14 +00:00
Bruce Momjian
45c8ed96b9
Make some sentences consistent with similar ones.
Euler Taveira de Oliveira
2006-10-03 21:21:36 +00:00
Tom Lane
0b52204f0d
Remove WINLDAPAPI decoration from ldap_start_tls_sA typedef, per Magnus.
2006-09-15 21:28:08 +00:00
Tom Lane
daebd5257c
Ooops, ldap fix for win32 broke the non-win32 case.
2006-08-22 02:23:45 +00:00
Tom Lane
5405576a22
Fix encrypted-LDAP support so that it doesn't cause the server to fail
entirely on older Windows platforms without the needed library function.
Magnus Hagander
2006-08-21 19:21:38 +00:00
Bruce Momjian
e0522505bd
Remove 576 references of include files that were not needed.
2006-07-14 14:52:27 +00:00
Tom Lane
ae643747b1
Fix a passel of recently-committed violations of the rule 'thou shalt
have no other gods before c.h'. Also remove some demonstrably redundant
#include lines, mostly of <errno.h> which was added to c.h years ago.
2006-07-14 05:28:29 +00:00
Bruce Momjian
a22d76d96a
Allow include files to compile on their own.
Strip unused include files out unused include files, and add needed
includes to C files.
The next step is to remove unused include files in C files.
2006-07-13 16:49:20 +00:00
Tom Lane
92f5bfcc0f
Fix invalid use of #if within a macro, per Laurenz Albe. Also try to
make the LDAP code's error messages look like they were written by someone
who had heard of our style guidelines.
2006-03-16 18:11:17 +00:00
Bruce Momjian
357cc01e57
This patch adds native LDAP auth, for those platforms that don't have
PAM (such as Win32, but also unixen without PAM). On Unix, uses
OpenLDAP. On win32, uses the builtin WinLDAP library.
Magnus Hagander
2006-03-06 17:41:44 +00:00