postgresql.conf.
---------------------------------------------------------------------------
Here's an updated version of the patch, with the following changes:
1) No longer uses "service name" as "application version". It's instead
hardcoded as "postgres". It could be argued that this part should be
backpatched to 8.0, but it doesn't make a big difference until you can
start changing it with GUC / connection parameters. This change only
affects kerberos 5, not 4.
2) Now downcases kerberos usernames when the client is running on win32.
3) Adds guc option for "krb_caseins_users" to make the server ignore
case mismatch which is required by some KDCs such as Active Directory.
Off by default, per discussion with Tom. This change only affects
kerberos 5, not 4.
4) Updated so it doesn't conflict with the rendevouz/bonjour patch
already in ;-)
Magnus Hagander
--with-python build Python modules (PL/Python)
--with-krb4 build with Kerberos 4 support
--with-krb5 build with Kerberos 5 support
- --with-krb-srvnam=NAME name of the service principal in Kerberos [postgres]
+ --with-krb-srvnam=NAME name of the default service principal in Kerberos [postgres]
--with-pam build with PAM support
--with-bonjour build with Bonjour support
--with-openssl build with OpenSSL support
# Kerberos configuration parameters
#
PGAC_ARG_REQ(with, krb-srvnam,
- [ --with-krb-srvnam=NAME name of the service principal in Kerberos [[postgres]]],
+ [ --with-krb-srvnam=NAME name of the default service principal in Kerberos [[postgres]]],
[],
[with_krb_srvnam="postgres"])
AC_DEFINE_UNQUOTED([PG_KRB_SRVNAM], ["$with_krb_srvnam"],
- [Define to the name of the PostgreSQL service principal in Kerberos. (--with-krb-srvnam=NAME)])
+ [Define to the name of the default PostgreSQL service principal in Kerberos. (--with-krb-srvnam=NAME)])
#
quite complex (yet powerful). The
<ulink url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">
Kerberos <acronym>FAQ</></ulink> or
- <ulink url="ftp://athena-dist.mit.edu">MIT Project Athena</ulink>
+ <ulink url="http://web.mit.edu/kerberos/www/">MIT Kerberos page</ulink>
can be a good starting point for exploration.
Several sources for <productname>Kerberos</> distributions exist.
</para>
While <productname>PostgreSQL</> supports both Kerberos 4 and
Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is
considered insecure and no longer recommended for general
- use.
- </para>
-
- <para>
- In order to use <productname>Kerberos</>, support for it must be
- enabled at build time. See <xref linkend="installation"> for more
- information. Both Kerberos 4 and 5 are supported, but only one
- version can be supported in any one build.
+ use. Only one version of Kerberos can be supported in any one
+ build, and support must be enabled at build time. See
+ <xref linkend="installation"> for more information.
</para>
<para>
<productname>PostgreSQL</> operates like a normal Kerberos service.
The name of the service principal is
- <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>, where
- <replaceable>servicename</> is <literal>postgres</literal> (unless a
- different service name was selected at configure time with
- <literal>./configure --with-krb-srvnam=whatever</>).
+ <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
+ </para>
+ <para>
+ <replaceable>servicename</> can be set on the server side using the
+ <xref linkend="guc-krb-srvname"> configuration parameter, and on the
+ client side using the krbsrvname connection parameter. (See also <xref linkend="libpq-connect">.). The installation default can be changed from the default
+ <literal>postgres</literal> at build time using
+ <literal>./configure --with-krb-srvnam=whatever</>). In most environments,
+ this parameter never needs to be changed. However, to support multiple
+ <productname>PostgreSQL</> installations on the same host it is necessary.
+ Some Kerberos implementations may also require a different service name,
+ such as Microsoft Active Directory which requires the service name
+ to be in uppercase (<literal>POSTGRES</literal>).
+ </para>
+ <para>
<replaceable>hostname</> is the fully qualified host name of the
server machine. The service principal's realm is the preferred realm
of the server machine.
</para>
<para>
- Make sure that your server key file is readable (and preferably
+ Make sure that your server keytab file is readable (and preferably
only readable) by the <productname>PostgreSQL</productname> server
account. (See also <xref linkend="postgres-user">.) The location
of the key file is specified by the <xref
linkend="guc-krb-server-keyfile"> configuration
- parameter. (See also <xref linkend="runtime-config">.) The default
+ parameter. The default
is <filename>/etc/srvtab</> if you are using Kerberos 4 and
<filename>/usr/local/pgsql/etc/krb5.keytab</> (or whichever
directory was specified as <varname>sysconfdir</> at build time)
</para>
<para>
- To generate the keytab file, use for example (with version 5)
+ The keytab file is generated in the Kerberos system, see the
+ Kerberos documentation for details. The following example is
+ for MIT-compatible Kerberos 5 implementations:
<screen>
<prompt>kadmin% </><userinput>ank -randkey postgres/server.my.domain.org</>
<prompt>kadmin% </><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
</screen>
- Read the <productname>Kerberos</> documentation for details.
</para>
<para>
<term><option>--with-krb-srvnam=<replaceable>NAME</></option></term>
<listitem>
<para>
- The name of the Kerberos service principal.
- <literal>postgres</literal> is the default. There's probably no
+ The default name of the Kerberos service principal.
+ <literal>postgres</literal> is the default. There's usually no
reason to change this.
</para>
</listitem>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><literal>krbsrvname</literal></term>
+ <listitem>
+ <para>
+ Kerberos service name to use when authenticating with Kerberos 4 or 5.
+ This must match the service name specified in the server
+ configuration for Kerberos authentication to succeed. (See also
+ <xref linkend="kerberos-auth">.)
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><literal>service</literal></term>
<listitem>
</listitem>
<listitem>
<para>
+<indexterm>
+ <primary><envar>PGKRBSRVNAME</envar></primary>
+</indexterm>
+<envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when
+authenticating with Kerberos 4 or 5.
+</para>
+</listitem>
+<listitem>
+<para>
<indexterm>
<primary><envar>PGCONNECT_TIMEOUT</envar></primary>
</indexterm>
<listitem>
<para>
Sets the location of the Kerberos server key file. See
- <xref linkend="kerberos-auth"> for details.
+ <xref linkend="kerberos-auth"> for details. This parameter
+ can only be set at server start.
</para>
</listitem>
</varlistentry>
+ <varlistentry id="guc-krb-srvname" xreflabel="krb_srvname">
+ <term><varname>krb_srvname</varname> (<type>string</type>)</term>
+ <indexterm>
+ <primary><varname>krb_srvname</> configuration parameter</primary>
+ </indexterm>
+ <listitem>
+ <para>
+ Sets the Kerberos service name. See <xref linkend="kerberos-auth">
+ for details. This parameter can only be set at server start.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
+ <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
+ <indexterm>
+ <primary><varname>krb_caseins_users</varname> configuration parameter</primary>
+ </indexterm>
+ <listitem>
+ <para>
+ Sets if Kerberos usernames should be treated case-insensitive.
+ The default is off (case sensitive). This parameter can only be
+ set at server start.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
<term><varname>db_user_namespace</varname> (<type>boolean</type>)</term>
<indexterm>
static int recv_and_check_password_packet(Port *port);
char *pg_krb_server_keyfile;
+char *pg_krb_srvnam;
+bool pg_krb_caseins_users;
#ifdef USE_PAM
#ifdef HAVE_PAM_PAM_APPL_H
status = krb_recvauth(krbopts,
port->sock,
&clttkt,
- PG_KRB_SRVNAM,
+ pg_krb_srvnam,
instance,
&port->raddr.in,
&port->laddr.in,
return STATUS_ERROR;
}
- retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+ retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
KRB5_NT_SRV_HST, &pg_krb5_server);
if (retval)
{
ereport(LOG,
(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
- PG_KRB_SRVNAM, retval)));
+ pg_krb_srvnam, retval)));
com_err("postgres", retval,
"while getting server principal for service \"%s\"",
- PG_KRB_SRVNAM);
+ pg_krb_srvnam);
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
return ret;
retval = krb5_recvauth(pg_krb5_context, &auth_context,
- (krb5_pointer) & port->sock, PG_KRB_SRVNAM,
+ (krb5_pointer) & port->sock, "postgres",
pg_krb5_server, 0, pg_krb5_keytab, &ticket);
if (retval)
{
}
kusername = pg_an_to_ln(kusername);
- if (strncmp(port->user_name, kusername, SM_DATABASE_USER))
+ if (pg_krb_caseins_users)
+ ret = strncasecmp(port->user_name, kusername, SM_DATABASE_USER);
+ else
+ ret = strncmp(port->user_name, kusername, SM_DATABASE_USER);
+ if (ret)
{
ereport(LOG,
(errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
#ifndef PG_KRB_SRVTAB
#define PG_KRB_SRVTAB ""
#endif
+#ifndef PG_KRB_SRVNAM
+#define PG_KRB_SRVNAM ""
+#endif
#define CONFIG_FILENAME "postgresql.conf"
#define HBA_FILENAME "pg_hba.conf"
#endif
},
+ {
+ {"krb_caseins_users", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+ gettext_noop("Sets if Kerberos user names should be treated case insensitive."),
+ NULL
+ },
+ &pg_krb_caseins_users,
+ false, NULL, NULL
+ },
+
/* End-of-list marker */
{
{NULL, 0, 0, NULL, NULL}, NULL, false, NULL, NULL
PG_KRB_SRVTAB, NULL, NULL
},
+ {
+ {"krb_srvname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+ gettext_noop("Sets the name of the Kerberos service."),
+ NULL
+ },
+ &pg_krb_srvnam,
+ PG_KRB_SRVNAM, NULL, NULL
+ },
+
{
{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Sets the Bonjour broadcast service name."),
#authentication_timeout = 60 # 1-600, in seconds
#ssl = false
#password_encryption = true
-#krb_server_keyfile = ''
#db_user_namespace = false
+# Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = false
+#krb_srvname = 'postgres'
#---------------------------------------------------------------------------
#define PG_KRB5_VERSION "PGVER5.1"
extern char *pg_krb_server_keyfile;
+extern char *pg_krb_srvnam;
+extern bool pg_krb_caseins_users;
#endif /* AUTH_H */
/* Define to the version of this package. */
#undef PACKAGE_VERSION
-/* Define to the name of the PostgreSQL service principal in Kerberos.
+/* Define to the name of the default PostgreSQL service principal in Kerberos.
(--with-krb-srvnam=NAME) */
#undef PG_KRB_SRVNAM
/* Define to 1 to build with assertion checks. (--enable-cassert) */
#undef USE_ASSERT_CHECKING
+/* Define to 1 to build with Bonjour support. (--with-bonjour) */
+#undef USE_BONJOUR
+
/* Define to 1 if you want 64-bit integer timestamp and interval support.
(--enable-integer-datetimes) */
#undef USE_INTEGER_DATETIMES
/* Define to 1 to build with PAM support. (--with-pam) */
#undef USE_PAM
-/* Define to 1 to build with Bonjour support. (--with-bonjour) */
-#undef USE_BONJOUR
-
/* Use replacement snprintf() functions. */
#undef USE_SNPRINTF
pg_krb4_sendauth(char *PQerrormsg, int sock,
struct sockaddr_in * laddr,
struct sockaddr_in * raddr,
- const char *hostname)
+ const char *hostname,
+ const char *servicename)
{
long krbopts = 0; /* one-way authentication */
KTEXT_ST clttkt;
status = krb_sendauth(krbopts,
sock,
&clttkt,
- PG_KRB_SRVNAM,
+ servicename,
hostname,
realm,
(u_long) 0,
* provide an aname mapping database...it may be a better idea to use
* krb5_an_to_ln, except that it punts if multiple components are found,
* and we can't afford to punt.
+ *
+ * For WIN32, convert username to lowercase because the Win32 kerberos library
+ * generates tickets with the username as the user entered it instead of as
+ * it is entered in the directory.
*/
static char *
pg_an_to_ln(char *aname)
if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
*p = '\0';
+#ifdef WIN32
+ for (p = aname; *p ; p++)
+ *p = pg_tolower(*p);
+#endif
+
return aname;
}
* the server
*/
static int
-pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
+pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname, const char *servicename)
{
krb5_error_code retval;
int ret;
if (ret != STATUS_OK)
return ret;
- retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
+ retval = krb5_sname_to_principal(pg_krb5_context, hostname, servicename,
KRB5_NT_SRV_HST, &server);
if (retval)
{
}
retval = krb5_sendauth(pg_krb5_context, &auth_context,
- (krb5_pointer) & sock, PG_KRB_SRVNAM,
+ (krb5_pointer) & sock, "postgres",
pg_krb5_client, server,
AP_OPTS_MUTUAL_REQUIRED,
NULL, 0, /* no creds, use ccache instead */
if (pg_krb4_sendauth(PQerrormsg, conn->sock,
(struct sockaddr_in *) & conn->laddr.addr,
(struct sockaddr_in *) & conn->raddr.addr,
- hostname) != STATUS_OK)
+ hostname, conn->krbsrvname) != STATUS_OK)
{
/* PQerrormsg already filled in */
pgunlock_thread();
#ifdef KRB5
pglock_thread();
if (pg_krb5_sendauth(PQerrormsg, conn->sock,
- hostname) != STATUS_OK)
+ hostname, conn->krbsrvname) != STATUS_OK)
{
/* PQerrormsg already filled in */
pgunlock_thread();
{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
"SSL-Mode", "", 8}, /* sizeof("disable") == 8 */
+#if defined(KRB4) || defined(KRB5)
+ /* Kerberos authentication supports specifying the service name */
+ {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
+ "Kerberos-service-name", "", 20},
+#endif
+
/* Terminating entry --- MUST BE LAST */
{NULL, NULL, NULL, NULL,
NULL, NULL, 0}
conn->sslmode = strdup("require");
}
#endif
+#if defined(KRB4) || defined(KRB5)
+ tmp = conninfo_getval(connOptions, "krbsrvname");
+ conn->krbsrvname = tmp ? strdup(tmp) : NULL;
+#endif
/*
* Free the option info - all is in conn now
free(conn->pgpass);
if (conn->sslmode)
free(conn->sslmode);
+#if defined(KRB4) || defined(KRB5)
+ if (conn->krbsrvname)
+ free(conn->krbsrvname);
+#endif
/* Note that conn->Pfdebug is not ours to close or free */
notify = conn->notifyHead;
while (notify != NULL)
char *pguser; /* Postgres username and password, if any */
char *pgpass;
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
+#if defined(KRB5) || defined(KRB4)
+ char *krbsrvname; /* Kerberos service name */
+#endif
/* Optional file to write trace info to */
FILE *Pfdebug;
projects / users / bernd / postgres.git / commitdiff