aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/backend/libpq/auth.c20
-rw-r--r--src/backend/utils/misc/guc.c23
-rw-r--r--src/backend/utils/misc/postgresql.conf.sample5
-rw-r--r--src/include/libpq/auth.h4
-rw-r--r--src/include/pg_config.h.in8
-rw-r--r--src/interfaces/libpq/fe-auth.c26
-rw-r--r--src/interfaces/libpq/fe-connect.c16
-rw-r--r--src/interfaces/libpq/libpq-int.h5
8 files changed, 83 insertions, 24 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index b941ccd5030..7970f817561 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.123 2005/02/22 04:35:57 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.124 2005/06/04 20:42:42 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -41,6 +41,8 @@ static char *recv_password_packet(Port *port);
static int recv_and_check_password_packet(Port *port);
char *pg_krb_server_keyfile;
+char *pg_krb_srvnam;
+bool pg_krb_caseins_users;
#ifdef USE_PAM
#ifdef HAVE_PAM_PAM_APPL_H
@@ -99,7 +101,7 @@ pg_krb4_recvauth(Port *port)
status = krb_recvauth(krbopts,
port->sock,
&clttkt,
- PG_KRB_SRVNAM,
+ pg_krb_srvnam,
instance,
&port->raddr.in,
&port->laddr.in,
@@ -219,16 +221,16 @@ pg_krb5_init(void)
return STATUS_ERROR;
}
- retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+ retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
KRB5_NT_SRV_HST, &pg_krb5_server);
if (retval)
{
ereport(LOG,
(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
- PG_KRB_SRVNAM, retval)));
+ pg_krb_srvnam, retval)));
com_err("postgres", retval,
"while getting server principal for service \"%s\"",
- PG_KRB_SRVNAM);
+ pg_krb_srvnam);
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
@@ -264,7 +266,7 @@ pg_krb5_recvauth(Port *port)
return ret;
retval = krb5_recvauth(pg_krb5_context, &auth_context,
- (krb5_pointer) & port->sock, PG_KRB_SRVNAM,
+ (krb5_pointer) & port->sock, "postgres",
pg_krb5_server, 0, pg_krb5_keytab, &ticket);
if (retval)
{
@@ -303,7 +305,11 @@ pg_krb5_recvauth(Port *port)
}
kusername = pg_an_to_ln(kusername);
- if (strncmp(port->user_name, kusername, SM_DATABASE_USER))
+ if (pg_krb_caseins_users)
+ ret = strncasecmp(port->user_name, kusername, SM_DATABASE_USER);
+ else
+ ret = strncmp(port->user_name, kusername, SM_DATABASE_USER);
+ if (ret)
{
ereport(LOG,
(errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 7f89276b612..3d57509548f 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
* Written by Peter Eisentraut <peter_e@gmx.net>.
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.263 2005/05/27 18:33:30 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.264 2005/06/04 20:42:42 momjian Exp $
*
*--------------------------------------------------------------------
*/
@@ -63,6 +63,9 @@
#ifndef PG_KRB_SRVTAB
#define PG_KRB_SRVTAB ""
#endif
+#ifndef PG_KRB_SRVNAM
+#define PG_KRB_SRVNAM ""
+#endif
#define CONFIG_FILENAME "postgresql.conf"
#define HBA_FILENAME "pg_hba.conf"
@@ -860,6 +863,15 @@ static struct config_bool ConfigureNamesBool[] =
#endif
},
+ {
+ {"krb_caseins_users", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+ gettext_noop("Sets if Kerberos user names should be treated case insensitive."),
+ NULL
+ },
+ &pg_krb_caseins_users,
+ false, NULL, NULL
+ },
+
/* End-of-list marker */
{
{NULL, 0, 0, NULL, NULL}, NULL, false, NULL, NULL
@@ -1573,6 +1585,15 @@ static struct config_string ConfigureNamesString[] =
},
{
+ {"krb_srvname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+ gettext_noop("Sets the name of the Kerberos service."),
+ NULL
+ },
+ &pg_krb_srvnam,
+ PG_KRB_SRVNAM, NULL, NULL
+ },
+
+ {
{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Sets the Bonjour broadcast service name."),
NULL
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 0e88d4c5ed0..d54ae5fcfda 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -64,8 +64,11 @@
#authentication_timeout = 60 # 1-600, in seconds
#ssl = false
#password_encryption = true
-#krb_server_keyfile = ''
#db_user_namespace = false
+# Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = false
+#krb_srvname = 'postgres'
#---------------------------------------------------------------------------
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 3aef036078f..b8fd25eb64f 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -7,7 +7,7 @@
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.26 2004/12/31 22:03:32 pgsql Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.27 2005/06/04 20:42:42 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -27,5 +27,7 @@ extern void ClientAuthentication(Port *port);
#define PG_KRB5_VERSION "PGVER5.1"
extern char *pg_krb_server_keyfile;
+extern char *pg_krb_srvnam;
+extern bool pg_krb_caseins_users;
#endif /* AUTH_H */
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 51a13907bb0..da29557e927 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -602,7 +602,7 @@
/* Define to the version of this package. */
#undef PACKAGE_VERSION
-/* Define to the name of the PostgreSQL service principal in Kerberos.
+/* Define to the name of the default PostgreSQL service principal in Kerberos.
(--with-krb-srvnam=NAME) */
#undef PG_KRB_SRVNAM
@@ -635,6 +635,9 @@
/* Define to 1 to build with assertion checks. (--enable-cassert) */
#undef USE_ASSERT_CHECKING
+/* Define to 1 to build with Bonjour support. (--with-bonjour) */
+#undef USE_BONJOUR
+
/* Define to 1 if you want 64-bit integer timestamp and interval support.
(--enable-integer-datetimes) */
#undef USE_INTEGER_DATETIMES
@@ -645,9 +648,6 @@
/* Define to 1 to build with PAM support. (--with-pam) */
#undef USE_PAM
-/* Define to 1 to build with Bonjour support. (--with-bonjour) */
-#undef USE_BONJOUR
-
/* Use replacement snprintf() functions. */
#undef USE_SNPRINTF
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 0dda34401bb..6624df1ad0a 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -10,7 +10,7 @@
* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.100 2005/03/25 00:34:28 tgl Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.101 2005/06/04 20:42:43 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -196,7 +196,8 @@ static int
pg_krb4_sendauth(char *PQerrormsg, int sock,
struct sockaddr_in * laddr,
struct sockaddr_in * raddr,
- const char *hostname)
+ const char *hostname,
+ const char *servicename)
{
long krbopts = 0; /* one-way authentication */
KTEXT_ST clttkt;
@@ -216,7 +217,7 @@ pg_krb4_sendauth(char *PQerrormsg, int sock,
status = krb_sendauth(krbopts,
sock,
&clttkt,
- PG_KRB_SRVNAM,
+ servicename,
hostname,
realm,
(u_long) 0,
@@ -260,6 +261,10 @@ pg_krb4_sendauth(char *PQerrormsg, int sock,
* provide an aname mapping database...it may be a better idea to use
* krb5_an_to_ln, except that it punts if multiple components are found,
* and we can't afford to punt.
+ *
+ * For WIN32, convert username to lowercase because the Win32 kerberos library
+ * generates tickets with the username as the user entered it instead of as
+ * it is entered in the directory.
*/
static char *
pg_an_to_ln(char *aname)
@@ -268,6 +273,11 @@ pg_an_to_ln(char *aname)
if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
*p = '\0';
+#ifdef WIN32
+ for (p = aname; *p ; p++)
+ *p = pg_tolower(*p);
+#endif
+
return aname;
}
@@ -360,7 +370,7 @@ pg_krb5_authname(char *PQerrormsg)
* the server
*/
static int
-pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
+pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname, const char *servicename)
{
krb5_error_code retval;
int ret;
@@ -379,7 +389,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
if (ret != STATUS_OK)
return ret;
- retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
+ retval = krb5_sname_to_principal(pg_krb5_context, hostname, servicename,
KRB5_NT_SRV_HST, &server);
if (retval)
{
@@ -405,7 +415,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
}
retval = krb5_sendauth(pg_krb5_context, &auth_context,
- (krb5_pointer) & sock, PG_KRB_SRVNAM,
+ (krb5_pointer) & sock, "postgres",
pg_krb5_client, server,
AP_OPTS_MUTUAL_REQUIRED,
NULL, 0, /* no creds, use ccache instead */
@@ -602,7 +612,7 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
if (pg_krb4_sendauth(PQerrormsg, conn->sock,
(struct sockaddr_in *) & conn->laddr.addr,
(struct sockaddr_in *) & conn->raddr.addr,
- hostname) != STATUS_OK)
+ hostname, conn->krbsrvname) != STATUS_OK)
{
/* PQerrormsg already filled in */
pgunlock_thread();
@@ -620,7 +630,7 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
#ifdef KRB5
pglock_thread();
if (pg_krb5_sendauth(PQerrormsg, conn->sock,
- hostname) != STATUS_OK)
+ hostname, conn->krbsrvname) != STATUS_OK)
{
/* PQerrormsg already filled in */
pgunlock_thread();
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 15bcf5f911b..05899450237 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.306 2005/05/05 16:40:42 momjian Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.307 2005/06/04 20:42:43 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -170,6 +170,12 @@ static const PQconninfoOption PQconninfoOptions[] = {
{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
"SSL-Mode", "", 8}, /* sizeof("disable") == 8 */
+#if defined(KRB4) || defined(KRB5)
+ /* Kerberos authentication supports specifying the service name */
+ {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
+ "Kerberos-service-name", "", 20},
+#endif
+
/* Terminating entry --- MUST BE LAST */
{NULL, NULL, NULL, NULL,
NULL, NULL, 0}
@@ -393,6 +399,10 @@ connectOptions1(PGconn *conn, const char *conninfo)
conn->sslmode = strdup("require");
}
#endif
+#if defined(KRB4) || defined(KRB5)
+ tmp = conninfo_getval(connOptions, "krbsrvname");
+ conn->krbsrvname = tmp ? strdup(tmp) : NULL;
+#endif
/*
* Free the option info - all is in conn now
@@ -2074,6 +2084,10 @@ freePGconn(PGconn *conn)
free(conn->pgpass);
if (conn->sslmode)
free(conn->sslmode);
+#if defined(KRB4) || defined(KRB5)
+ if (conn->krbsrvname)
+ free(conn->krbsrvname);
+#endif
/* Note that conn->Pfdebug is not ours to close or free */
notify = conn->notifyHead;
while (notify != NULL)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 9862e01bc91..e4692d5d5f6 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -12,7 +12,7 @@
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.100 2005/01/06 00:59:47 tgl Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.101 2005/06/04 20:42:43 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -261,6 +261,9 @@ struct pg_conn
char *pguser; /* Postgres username and password, if any */
char *pgpass;
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
+#if defined(KRB5) || defined(KRB4)
+ char *krbsrvname; /* Kerberos service name */
+#endif
/* Optional file to write trace info to */
FILE *Pfdebug;