NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitb09f930

committed

Add hba parameter include_realm to krb5, gss and sspi authentication, used

to pass the full username@realm string to the authentication instead ofjust the username. This makes it possible to use pg_ident.conf to authenticateusers from multiple realms as different database users.

1 parent32c469d commitb09f930Copy full SHA for b09f930

File tree

4 files changed

+69

-7

lines changed

doc/src/sgml
- client-auth.sgml
src
- backend/libpq
  - auth.c
  - hba.c
- include/libpq
  - hba.h

4 files changed

+69

-7

lines changed

`‎doc/src/sgml/client-auth.sgml`

Lines changed: 25 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.116 2009/01/0712:38:10 mha Exp $ -->`
	`1`	`+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.117 2009/01/0713:09:21 mha Exp $ -->`
`2`	`2`
`3`	`3`	`<chapter id="client-authentication">`
`4`	`4`	`<title>Client Authentication</title>`
`@@ -785,6 +785,18 @@ omicron bryanh guest1`
`785`	`785`	`</listitem>`
`786`	`786`	`</varlistentry>`
`787`	`787`
	`788`	`+ <varlistentry>`
	`789`	`+ <term>include_realm</term>`
	`790`	`+ <listitem>`
	`791`	`+ <para>`
	`792`	`+ Include the realm name from the authenticated user principal. This is useful`
	`793`	`+ in combination with Username maps (See <xref linkend="auth-username-maps">`
	`794`	`+ for details), especially with regular expressions, to map users from`
	`795`	`+ multiple realms.`
	`796`	`+ </para>`
	`797`	`+ </listitem>`
	`798`	`+ </varlistentry>`
	`799`	`+`
`788`	`800`	`<varlistentry>`
`789`	`801`	`<term>krb_realm</term>`
`790`	`802`	`<listitem>`
`@@ -846,6 +858,18 @@ omicron bryanh guest1`
`846`	`858`	`</listitem>`
`847`	`859`	`</varlistentry>`
`848`	`860`
	`861`	`+ <varlistentry>`
	`862`	`+ <term>include_realm</term>`
	`863`	`+ <listitem>`
	`864`	`+ <para>`
	`865`	`+ Include the realm name from the authenticated user principal. This is useful`
	`866`	`+ in combination with Username maps (See <xref linkend="auth-username-maps">`
	`867`	`+ for details), especially with regular expressions, to map users from`
	`868`	`+ multiple realms.`
	`869`	`+ </para>`
	`870`	`+ </listitem>`
	`871`	`+ </varlistentry>`
	`872`	`+`
`849`	`873`	`<varlistentry>`
`850`	`874`	`<term>krb_realm</term>`
`851`	`875`	`<listitem>`

`‎src/backend/libpq/auth.c`

Lines changed: 30 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.176 2009/01/0712:38:11 mha Exp $`
	`11`	`+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.177 2009/01/0713:09:21 mha Exp $`
`12`	`12`	`*`
`13`	`13`	`*-------------------------------------------------------------------------`
`14`	`14`	`*/`
`@@ -748,7 +748,13 @@ pg_krb5_recvauth(Port *port)`
`748`	`748`	`cp=strchr(kusername,'@');`
`749`	`749`	`if (cp)`
`750`	`750`	`{`
`751`		`-*cp='\0';`
	`751`	`+/*`
	`752`	`+ * If we are not going to include the realm in the username that is passed`
	`753`	`+ * to the ident map, destructively modify it here to remove the realm. Then`
	`754`	`+ * advance past the separator to check the realm.`
	`755`	`+ */`
	`756`	`+if (!port->hba->include_realm)`
	`757`	`+*cp='\0';`
`752`	`758`	`cp++;`
`753`	`759`
`754`	`760`	`if (realmmatch!=NULL&&strlen(realmmatch))`
`@@ -1040,7 +1046,13 @@ pg_GSS_recvauth(Port *port)`
`1040`	`1046`	`{`
`1041`	`1047`	`char*cp=strchr(gbuf.value,'@');`
`1042`	`1048`
`1043`		`-*cp='\0';`
	`1049`	`+/*`
	`1050`	`+ * If we are not going to include the realm in the username that is passed`
	`1051`	`+ * to the ident map, destructively modify it here to remove the realm. Then`
	`1052`	`+ * advance past the separator to check the realm.`
	`1053`	`+ */`
	`1054`	`+if (!port->hba->include_realm)`
	`1055`	`+*cp='\0';`
`1044`	`1056`	`cp++;`
`1045`	`1057`
`1046`	`1058`	`if (realmmatch!=NULL&&strlen(realmmatch))`
`@@ -1361,8 +1373,22 @@ pg_SSPI_recvauth(Port *port)`
`1361`	`1373`	`/*`
`1362`	`1374`	`* We have the username (without domain/realm) in accountname, compare to`
`1363`	`1375`	`* the supplied value. In SSPI, always compare case insensitive.`
	`1376`	`+ *`
	`1377`	`+ * If set to include realm, append it in <username>@<realm> format.`
`1364`	`1378`	`*/`
`1365`		`-returncheck_usermap(port->hba->usermap,port->user_name,accountname, true);`
	`1379`	`+if (port->hba->include_realm)`
	`1380`	`+{`
	`1381`	`+char*namebuf;`
	`1382`	`+intretval;`
	`1383`	`+`
	`1384`	`+namebuf=palloc(strlen(accountname)+strlen(domainname)+2);`
	`1385`	`+sprintf(namebuf,"%s@%s",accountname,domainname);`
	`1386`	`+retval=check_usermap(port->hba->usermap,port->user_name,namebuf, true);`
	`1387`	`+pfree(namebuf);`
	`1388`	`+returnretval;`
	`1389`	`+}`
	`1390`	`+else`
	`1391`	`+returncheck_usermap(port->hba->usermap,port->user_name,accountname, true);`
`1366`	`1392`	`}`
`1367`	`1393`	`#endif/* ENABLE_SSPI */`
`1368`	`1394`

`‎src/backend/libpq/hba.c`

Lines changed: 12 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`*`
`11`	`11`	`*`
`12`	`12`	`* IDENTIFICATION`
`13`		`- * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.179 2009/01/0712:38:11 mha Exp $`
	`13`	`+ * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.180 2009/01/0713:09:21 mha Exp $`
`14`	`14`	`*`
`15`	`15`	`*-------------------------------------------------------------------------`
`16`	`16`	`*/`
`@@ -1053,6 +1053,17 @@ parse_hba_line(List line, int line_num, HbaLine parsedline)`
`1053`	`1053`	`INVALID_AUTH_OPTION("krb_realm","krb5, gssapi and sspi");`
`1054`	`1054`	`parsedline->krb_realm=pstrdup(c);`
`1055`	`1055`	`}`
	`1056`	`+elseif (strcmp(token,"include_realm")==0)`
	`1057`	`+{`
	`1058`	`+if (parsedline->auth_method!=uaKrb5&&`
	`1059`	`+parsedline->auth_method!=uaGSS&&`
	`1060`	`+parsedline->auth_method!=uaSSPI)`
	`1061`	`+INVALID_AUTH_OPTION("include_realm","krb5, gssapi and sspi");`
	`1062`	`+if (strcmp(c,"1")==0)`
	`1063`	`+parsedline->include_realm= true;`
	`1064`	`+else`
	`1065`	`+parsedline->include_realm= false;`
	`1066`	`+}`
`1056`	`1067`	`else`
`1057`	`1068`	`{`
`1058`	`1069`	`ereport(LOG,`

`‎src/include/libpq/hba.h`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`* Interface to hba.c`
`5`	`5`	`*`
`6`	`6`	`*`
`7`		`- * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.54 2009/01/0712:38:11 mha Exp $`
	`7`	`+ * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.55 2009/01/0713:09:21 mha Exp $`
`8`	`8`	`*`
`9`	`9`	`*-------------------------------------------------------------------------`
`10`	`10`	`*/`
`@@ -58,6 +58,7 @@ typedef struct`
`58`	`58`	`boolclientcert;`
`59`	`59`	`char*krb_server_hostname;`
`60`	`60`	`char*krb_realm;`
	`61`	`+boolinclude_realm;`
`61`	`62`	`}HbaLine;`
`62`	`63`
`63`	`64`	`typedefstructPorthbaPort;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitb09f930

File tree

4 files changed

4 files changed

`‎doc/src/sgml/client-auth.sgml`

`‎src/backend/libpq/auth.c`

`‎src/backend/libpq/hba.c`

`‎src/include/libpq/hba.h`

0 commit comments