Commitf7431bc

committed
Explicitly require MIT Kerberos for GSSAPI
When building with GSSAPI support, explicitly require MIT Kerberos and check for gssapi_ext.h in configure.ac and meson.build. Also add documentation explicitly stating that we now require MIT Kerberos when building with GSSAPI support.

Reviewed by: Johnathan Katz
Discussion: https://postgr.es/m/abcc73d0-acf7-6896-e0dc-f5bc12a61bb1@postgresql.org
1 parent6633cfb commitf7431bc


7 files changed

+57
-15
lines changed


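--- a/configure
+++ b/configure
@@ -14104,6 +14104,33 @@ done
 
 fi
 
+done
+
+for ac_header in gssapi/gssapi_ext.h
+do :
+ac_fn_c_check_header_mongrel "$LINENO" "gssapi/gssapi_ext.h" "ac_cv_header_gssapi_gssapi_ext_h" "$ac_includes_default"
+if test "x$ac_cv_header_gssapi_gssapi_ext_h" = xyes; then :
+cat >>confdefs.h <<_ACEOF
+#define HAVE_GSSAPI_GSSAPI_EXT_H 1
+_ACEOF
+
+else
+for ac_header in gssapi_ext.h
+do :
+ac_fn_c_check_header_mongrel "$LINENO" "gssapi_ext.h" "ac_cv_header_gssapi_ext_h" "$ac_includes_default"
+if test "x$ac_cv_header_gssapi_ext_h" = xyes; then :
+cat >>confdefs.h <<_ACEOF
+#define HAVE_GSSAPI_EXT_H 1
+_ACEOF
+
+else
+as_fn_error $? "gssapi_ext.h header file is required for GSSAPI" "$LINENO" 5
+fi
+
+done
+
+fi
+
 done
 
 fi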

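--- a/configure.ac
+++ b/configure.ac
@@ -1562,6 +1562,8 @@ fi
 if test "$with_gssapi" = yes ; then
 AC_CHECK_HEADERS(gssapi/gssapi.h,[],
 [AC_CHECK_HEADERS(gssapi.h,[],[AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
+AC_CHECK_HEADERS(gssapi/gssapi_ext.h,[],
+[AC_CHECK_HEADERS(gssapi_ext.h,[],[AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI])])])
 fi
 
 PGAC_PATH_PROGS(OPENSSL, openssl)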
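Review bot: The error raised by the new `AC_CHECK_HEADERS(gssapi_ext.h, ...)` fallback says only that `gssapi_ext.h` is required, so someone building against a non-MIT Kerberos gets no hint that the implementation itself is what is being rejected. The message could name the requirement, e.g. `AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI (MIT Kerberos is required)])`. A one-line comment above the check, such as `# gssapi_ext.h is used as the marker for MIT Kerberos`, would also record why a header probe stands in for an implementation check.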

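--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1426,7 +1426,7 @@ omicron bryanh guest1
 The keytab file is generated using the Kerberos software; see the
 Kerberos documentation for details. The following example shows
 doing this using the <application>kadmin</application> tool of
-MIT-compatible Kerberos 5 implementations:
+MIT Kerberos:
 <screen>
 <prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput>
 <prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput>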

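--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -252,9 +252,9 @@ documentation. See standalone-profile.xsl for details.
 
 <listitem>
 <para>
-You need <application>Kerberos</application>, <productname>OpenLDAP</productname>,
-and/or <application>PAM</application>, if you want to support authentication
-using those services.
+You need <application>MITKerberos</application> (for GSSAPI),
+<productname>OpenLDAP</productname>,and/or <application>PAM</application>,
+if you want to support authenticationusing those services.
 </para>
 </listitem>
 
@@ -1048,9 +1048,9 @@ build-postgresql:
 <term><option>--with-gssapi</option></term>
 <listitem>
 <para>
-Build with support for GSSAPI authentication.On many systems, the
-GSSAPI system (usually a part oftheKerberos installation) is not
-installed in a location
+Build with support for GSSAPI authentication.MIT Kerberos is required
+to be installed for GSSAPI. On many systems,theGSSAPI system (a part
+of the MIT Kerberos installation) is notinstalled in a location
 that is searched by default (e.g., <filename>/usr/include</filename>,
 <filename>/usr/lib</filename>), so you must use the options
 <option>--with-includes</option> and <option>--with-libraries</option> in
@@ -2497,10 +2497,11 @@ ninja install
 <term><option>-Dgssapi={ auto | enabled | disabled }</option></term>
 <listitem>
 <para>
-Build with support for GSSAPI authentication. On many systems, the
-GSSAPI system (usually a part of the Kerberos installation) is not
-installed in a location that is searched by default (e.g.,
-<filename>/usr/include</filename>, <filename>/usr/lib</filename>). In
+Build with support for GSSAPI authentication. MIT Kerberos is required
+to be installed for GSSAPI. On many systems, the GSSAPI system (a part
+of the MIT Kerberos installation) is not installed in a location
+that is searched by default (e.g., <filename>/usr/include</filename>,
+<filename>/usr/lib</filename>). In
 those cases, PostgreSQL will query <command>pkg-config</command> to
 detect the required compiler and linker options. Defaults to auto.
 <filename>meson configure</filename> will check for the required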

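--- a/meson.build
+++ b/meson.build
@@ -623,6 +623,16 @@ if not gssapiopt.disabled()
 have_gssapi=false
 endif
 
+ifnot have_gssapi
+elif cc.check_header('gssapi/gssapi_ext.h',dependencies: gssapi,required:false,
+args: test_c_args,include_directories: postgres_inc)
+cdata.set('HAVE_GSSAPI_GSSAPI_EXT_H',1)
+elif cc.check_header('gssapi_ext.h',args: test_c_args,dependencies: gssapi,required: gssapiopt)
+cdata.set('HAVE_GSSAPI_EXT_H',1)
+else
+have_gssapi=false
+endif
+
 ifnot have_gssapi
 elif cc.has_function('gss_init_sec_context',dependencies: gssapi,
 args: test_c_args,include_directories: postgres_inc)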
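Review bot: The new `else` branch sets `have_gssapi = false` without any message, so with `-Dgssapi=auto` a build against a Kerberos that lacks `gssapi_ext.h` ends up without GSSAPI authentication and encryption and nothing in the configure output says why. A line such as `warning('gssapi_ext.h not found, disabling GSSAPI (MIT Kerberos is required)')` before the assignment would make the downgrade visible; with `-Dgssapi=enabled` the `required: gssapiopt` on the fallback probe should already fail the build. The fallback `cc.check_header('gssapi_ext.h', ...)` also omits the `include_directories: postgres_inc` that the first probe passes, which looks unintended unless it deliberately mirrors checks above the hunk that are not visible here.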

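--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -922,8 +922,9 @@ pg_GSS_recvauth(Port *port)
 gss_cred_id_tdelegated_creds;
 
 /*
-* Use the configured keytab, if there is one. Unfortunately, Heimdal
-* doesn't support the cred store extensions, so use the env var.
+* Use the configured keytab, if there is one. As we now require MIT
+* Kerberos, we might consider using the credential store extensions in
+* the future instead of the environment variable.
 */
 if (pg_krb_server_keyfile!=NULL&&pg_krb_server_keyfile[0]!='\0')
 {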
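Review bot: The rewritten comment in `pg_GSS_recvauth` now describes a possible future change and no longer says what the code below it actually does with the keytab. Since the keytab is apparently still handed over through the environment variable, which is process-wide state, I would state that and mark the follow-up explicitly, e.g. `* Use the configured keytab, if there is one.  It is still passed via the environment variable; XXX now that MIT Kerberos is required, the credential store extensions could replace that.` The same applies to the identical comment in `secure_open_gssapi` in be-secure-gssapi.c. The body of the `if` that follows is outside the hunk, so the current mechanism is inferred from the comment text only.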

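--- a/src/backend/libpq/be-secure-gssapi.c
+++ b/src/backend/libpq/be-secure-gssapi.c
@@ -526,8 +526,9 @@ secure_open_gssapi(Port *port)
 PqGSSRecvLength=PqGSSResultLength=PqGSSResultNext=0;
 
 /*
-* Use the configured keytab, if there is one. Unfortunately, Heimdal
-* doesn't support the cred store extensions, so use the env var.
+* Use the configured keytab, if there is one. As we now require MIT
+* Kerberos, we might consider using the credential store extensions in the
+* future instead of the environment variable.
 */
 if (pg_krb_server_keyfile!=NULL&&pg_krb_server_keyfile[0]!='\0')
 {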
