The current implementation of the Kerberos 5 authentication in backend/libpq/auth.c truncates the principal after the first '/' or, failing that, after the first '@', assuming the result to be the database username. This implicitly allows cross-realm authentication, which is not good in many instances. Even more seriously, it discards parts following any '/', which is definitely very bad in many instances.
This is not satisfactory for some (I would think most) applications. A solution to this would be mapping Kerberos principals to usernames in the database. (As e.g. ~username/.k5login determines which principals are authorized to log in as username.) Ideally this mapping table should be a system table in the database (and not a specialized file like the current implementation of pg_ident.conf). Is this a stupid idea? Any comments?

I do have a few questions regarding an implementation of this. Is there any existing way of making queries from postmaster (other than setting up a client connection from it)? Is there a reason pg_ident.conf and pg_hba.conf are files rather than tables? Is there any reason not to do authentication of both the client and the server?

Grateful for answers and comments,
Daniel
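The two behaviours the post contrasts, as an added example in C that is not taken from PostgreSQL's auth.c: `naive_principal_to_user` reproduces the truncation at the first '/' or '@' as the post describes it, and `strict_principal_to_user` shows one stricter alternative, parsing the principal into primary/instance/realm, requiring an expected realm, and looking the whole principal up in an explicit principal-to-username map. The map contents, the realm names (EXAMPLE.COM, EVIL.ORG) and the function names are constructed for this example; the static array stands in for the system table the post proposes, and backslash escapes in principal names are not handled.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 256

/* Truncation as the post describes it: cut at the first '/', or failing
 * that at the first '@', and treat what is left as the database user name.
 * "daniel/admin@EXAMPLE.COM" and "daniel@EVIL.ORG" both become "daniel". */
void naive_principal_to_user(const char *principal, char *out, size_t outlen)
{
    const char *cut = strchr(principal, '/');
    if (cut == NULL)
        cut = strchr(principal, '@');
    size_t n = cut ? (size_t)(cut - principal) : strlen(principal);
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, principal, n);
    out[n] = '\0';
}

/* A principal split into its components: primary[/instance]@REALM.
 * Assumption: plain ASCII names without backslash escapes. */
struct krb5_principal {
    char primary[MAX_NAME];
    char instance[MAX_NAME];  /* "" when the principal has no instance */
    char realm[MAX_NAME];
};

static int copy_part(char *dst, const char *src, size_t n)
{
    if (n == 0 || n >= MAX_NAME)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Returns 0 on success, -1 if the principal is malformed
 * (no realm, empty realm, empty primary or empty instance). */
int parse_principal(const char *p, struct krb5_principal *out)
{
    const char *at = strrchr(p, '@');
    if (at == NULL)
        return -1;
    const char *slash = memchr(p, '/', (size_t)(at - p));
    size_t plen = slash ? (size_t)(slash - p) : (size_t)(at - p);
    if (copy_part(out->primary, p, plen) != 0)
        return -1;
    if (slash) {
        if (copy_part(out->instance, slash + 1, (size_t)(at - slash - 1)) != 0)
            return -1;
    } else {
        out->instance[0] = '\0';
    }
    return copy_part(out->realm, at + 1, strlen(at + 1));
}

/* Constructed principal -> database user map, standing in for the system
 * table the post proposes. Every entry names the full principal, so
 * "daniel" and "daniel/admin" can map to different database users. */
struct principal_map_entry {
    const char *principal;
    const char *dbuser;
};

static const struct principal_map_entry principal_map[] = {
    { "daniel@EXAMPLE.COM",       "daniel" },
    { "daniel/admin@EXAMPLE.COM", "dba" },
    { "alice@EXAMPLE.COM",        "alice" },
};

enum map_result { MAP_OK = 0, MAP_MALFORMED = -1, MAP_WRONG_REALM = -2, MAP_UNMAPPED = -3 };

/* Stricter alternative: parse, require the expected realm, then look the
 * whole principal (instance included) up in the explicit map. Anything not
 * listed is refused instead of being guessed from a prefix. */
int strict_principal_to_user(const char *principal, const char *expected_realm,
                             char *out, size_t outlen)
{
    struct krb5_principal pr;
    if (parse_principal(principal, &pr) != 0)
        return MAP_MALFORMED;
    if (strcmp(pr.realm, expected_realm) != 0)
        return MAP_WRONG_REALM;
    for (size_t i = 0; i < sizeof principal_map / sizeof principal_map[0]; i++) {
        if (strcmp(principal_map[i].principal, principal) == 0) {
            snprintf(out, outlen, "%s", principal_map[i].dbuser);
            return MAP_OK;
        }
    }
    return MAP_UNMAPPED;
}

int main(void)
{
    const char *samples[] = { "daniel@EXAMPLE.COM", "daniel/admin@EXAMPLE.COM",
                              "daniel@EVIL.ORG", "bob@EXAMPLE.COM" };
    char naive[MAX_NAME], strict[MAX_NAME];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        naive_principal_to_user(samples[i], naive, sizeof naive);
        int rc = strict_principal_to_user(samples[i], "EXAMPLE.COM", strict, sizeof strict);
        printf("%-26s naive=%-8s strict=%s\n", samples[i], naive,
               rc == MAP_OK ? strict : rc == MAP_WRONG_REALM ? "<wrong realm>" :
               rc == MAP_UNMAPPED ? "<unmapped>" : "<malformed>");
    }
    return 0;
}
```

Running it prints one line per sample: the naive column collapses all three `daniel` principals to the same user, while the strict column gives the admin instance its own mapping, refuses the foreign realm, and refuses the unlisted principal.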