author | Bruce Momjian <bruce@momjian.us> | 2005-06-04 20:42:43 +0000 |
committer | Bruce Momjian <bruce@momjian.us> | 2005-06-04 20:42:43 +0000 |
commit | 72c53ac3a7faaf825752843fbb77b059a1c5f565 (patch) | |
tree | 632d2da27736de8d8a41624a516e0560869e9da5 /src/backend | |
parent | d995014fac604b256e7123c472cbfd4dde91d411 (diff) | |
Allow kerberos name and username case sensitivity to be specified from
postgresql.conf.
---------------------------------------------------------------------------
Here's an updated version of the patch, with the following changes:
1) No longer uses "service name" as "application version". It's instead
hardcoded as "postgres". It could be argued that this part should be
backpatched to 8.0, but it doesn't make a big difference until you can
start changing it with GUC / connection parameters. This change only
affects kerberos 5, not 4.
2) Now downcases kerberos usernames when the client is running on win32.
3) Adds guc option for "krb_caseins_users" to make the server ignore
case mismatch which is required by some KDCs such as Active Directory.
Off by default, per discussion with Tom. This change only affects
kerberos 5, not 4.
4) Updated so it doesn't conflict with the rendezvous/bonjour patch
already in ;-)
Magnus Hagander
Diffstat (limited to 'src/backend')
-rw-r--r-- | src/backend/libpq/auth.c | 20 | ||||
-rw-r--r-- | src/backend/utils/misc/guc.c | 23 | ||||
-rw-r--r-- | src/backend/utils/misc/postgresql.conf.sample | 5 |
3 files changed, 39 insertions, 9 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index b941ccd5030..7970f817561 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.123 2005/02/22 04:35:57 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.124 2005/06/04 20:42:42 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -41,6 +41,8 @@ static char *recv_password_packet(Port *port);
 static int recv_and_check_password_packet(Port *port);
 char *pg_krb_server_keyfile;
+char *pg_krb_srvnam;
+bool pg_krb_caseins_users;
 #ifdef USE_PAM
 #ifdef HAVE_PAM_PAM_APPL_H
@@ -99,7 +101,7 @@ pg_krb4_recvauth(Port *port)
 status = krb_recvauth(krbopts,
 port->sock,
 &clttkt,
- PG_KRB_SRVNAM,
+ pg_krb_srvnam,
 instance,
 &port->raddr.in,
 &port->laddr.in,
@@ -219,16 +221,16 @@ pg_krb5_init(void)
 return STATUS_ERROR;
 }
- retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+ retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
 KRB5_NT_SRV_HST, &pg_krb5_server);
 if (retval)
 {
 ereport(LOG,
 (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
- PG_KRB_SRVNAM, retval)));
+ pg_krb_srvnam, retval)));
 com_err("postgres", retval,
 "while getting server principal for service \"%s\"",
- PG_KRB_SRVNAM);
+ pg_krb_srvnam);
 krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
 krb5_free_context(pg_krb5_context);
 return STATUS_ERROR;
@@ -264,7 +266,7 @@ pg_krb5_recvauth(Port *port)
 return ret;
 retval = krb5_recvauth(pg_krb5_context, &auth_context,
- (krb5_pointer) & port->sock, PG_KRB_SRVNAM,
+ (krb5_pointer) & port->sock, "postgres",
 pg_krb5_server, 0, pg_krb5_keytab, &ticket);
 if (retval)
 {
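Review bot: In the pg_krb5_init hunk the krb_srvname GUC is handed straight to krb5_sname_to_principal with no check that it is non-empty, while the guc.c side of this same commit falls back to `#define PG_KRB_SRVNAM ""` when the build did not define it, so an unset or blank service name would silently become a principal with an empty service component and only surface later as a keytab/ticket mismatch. A guard before the call, `if (pg_krb_srvnam == NULL || pg_krb_srvnam[0] == '\0') { ereport(LOG, (errmsg("krb_srvname is not set"))); return STATUS_ERROR; }`, fails early with an error an operator can act on. The `com_err("postgres", ...)` whom-string next to it is a literal unrelated to the service name, so it presumably is intentional that it did not become `pg_krb_srvnam`; a one-line comment saying so would stop the next reader from "fixing" it. pg_krb5_init begins before this hunk; the context line `return STATUS_ERROR;` belongs to an earlier error path not shown.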
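Review bot: In the pg_krb5_recvauth hunk the appl_version argument to krb5_recvauth becomes the bare literal `"postgres"`, and krb5 rejects the exchange unless the client's krb5_sendauth passes the byte-identical string; that client side lives in libpq, outside this diff (limited to src/backend), so the coupling is now invisible at either end. The commit message explains why this is no longer the service name, but the code does not, so at minimum add `/* appl_version: fixed string, must match libpq's krb5_sendauth; deliberately not krb_srvname */` above the call, and preferably give the literal a single name in a header both sides include. pg_krb5_recvauth starts before and continues after this hunk.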
@@ -303,7 +305,11 @@ pg_krb5_recvauth(Port *port)
 }
 kusername = pg_an_to_ln(kusername);
- if (strncmp(port->user_name, kusername, SM_DATABASE_USER))
+ if (pg_krb_caseins_users)
+ ret = strncasecmp(port->user_name, kusername, SM_DATABASE_USER);
+ else
+ ret = strncmp(port->user_name, kusername, SM_DATABASE_USER);
+ if (ret)
 {
 ereport(LOG,
 (errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 7f89276b612..3d57509548f 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
 * IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.263 2005/05/27 18:33:30 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.264 2005/06/04 20:42:42 momjian Exp $
 *
 *--------------------------------------------------------------------
 */
@@ -63,6 +63,9 @@
 #ifndef PG_KRB_SRVTAB
 #define PG_KRB_SRVTAB ""
 #endif
+#ifndef PG_KRB_SRVNAM
+#define PG_KRB_SRVNAM ""
+#endif
 #define CONFIG_FILENAME "postgresql.conf"
 #define HBA_FILENAME "pg_hba.conf"
@@ -860,6 +863,15 @@ static struct config_bool ConfigureNamesBool[] =
 #endif
 },
+ {
+ {"krb_caseins_users", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+ gettext_noop("Sets if Kerberos user names should be treated case insensitive."),
+ NULL
+ },
+ &pg_krb_caseins_users,
+ false, NULL, NULL
+ },
+
 /* End-of-list marker */
 {
 {NULL, 0, 0, NULL, NULL}, NULL, false, NULL, NULL
@@ -1573,6 +1585,15 @@ static struct config_string ConfigureNamesString[] =
 },
 {
+{"krb_srvname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+ gettext_noop("Sets the name of the Kerberos service."),
+ NULL
+ },
+ &pg_krb_srvnam,
+ PG_KRB_SRVNAM, NULL, NULL
+ },
+
+ {
 {"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 gettext_noop("Sets the Bonjour broadcast service name."),
 NULL
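Review bot: The new `strncasecmp` branch is the authorization decision for Kerberos logins, and it carries two properties the hunk does not document: the compare is bounded to SM_DATABASE_USER bytes, so a principal and role name that differ only past that length are treated as equal, and strncasecmp folds case according to the process's LC_CTYPE on most libcs, so with a non-C locale the match may widen beyond ASCII letters. Neither is obviously wrong for the Active Directory case the commit targets, but since the role actually used afterwards is `port->user_name` rather than the principal, a comment above the `if (pg_krb_caseins_users)` line should state the intent: `/* krb_caseins_users: accept a principal that differs from the requested role only in case (AD KDCs upper-case names); the role used is still port->user_name */`. If exact-length matching is wanted, `strcasecmp`/`strcmp` on the two NUL-terminated strings would remove the prefix behaviour. pg_krb5_recvauth starts before and continues after this hunk; `ret` is presumably the same variable returned by the earlier `return ret;` context line.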
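Review bot: In the guc.c `#ifndef PG_KRB_SRVNAM` hunk the compiled-in fallback for the new krb_srvname GUC is the empty string, which disagrees with the `#krb_srvname = 'postgres'` shown as the default in the sample file and with the `"postgres"` literal now used as the krb5 appl_version in auth.c, so a build whose configure step did not define PG_KRB_SRVNAM (outside this diff; the usual default is presumably "postgres") ships a server that computes a principal for an empty service. Making the fallback match the documented default, `#define PG_KRB_SRVNAM "postgres"`, keeps the three in step, and the `krb_srvname` entry added further down has no assign hook, so nothing rejects an empty value set in postgresql.conf either. Both GUC entries are PGC_POSTMASTER, which is the right level for authentication settings.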
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 0e88d4c5ed0..d54ae5fcfda 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -64,8 +64,11 @@
 #authentication_timeout = 60 # 1-600, in seconds
 #ssl = false
 #password_encryption = true
-#krb_server_keyfile = ''
 #db_user_namespace = false
+# Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = false
+#krb_srvname = 'postgres'
 #--------------------------------------------------------------------------- |