Re: [JDBC] JDBC and GSSAPI/Krb5

From: Kris Jurka <books(at)ejurka.com>
Date: Mon Jan 28 2008 - 05:32:55 EST

On Thu, 24 Jan 2008, Peter Koczan wrote:

> Hello again, has there been progress on this? As I said before I'm
> willing to be a beta tester for this.
>

I've hacked together a prototype and can successfully authenticate against a gssapi configured server. It needs a fair amount of cleanup, but there are some more fundamental questions about what configuration options we need:

1. Do we need a way for the user to uniquely name the application for the JAAS LoginContext or can we get away with something generic like pgjdbc? The application name is needed for the JAAS login configuration file which is needed to enable the krb5 ticket cache. I'm not sure what else would need to be configured or why you might want to do it differently for different applications.
2. Do we need to allow the user to configure their own LoginContext CallbackHandler to enter a username/password if they don't have an existing entry in their ticket cache? Should we by default just try to use the username and password provided in the connection parameters?
3. Do we need a way for the user to specify the server's service name (what libpq calls PGKRBSRVNAME)? I think this is useful if you're running two pg servers on the same machine and want to have different rules for each one, but I'm not entirely sure about that.

Kris Jurka

---------------------------(end of broadcast)---------------------------

TIP 4: Have you searched our list archives?

               http://archives.postgresql.org Received on Mon Jan 28 05:34:08 2008