Stephen Frost wrote: > Greetings, > > Regarding Magnus' patch for matching against the Kerberos realm- I'd > see it as much more useful as a multi-value configuration option. > Perhaps 'krb_alt_realms' or 'krb_realms'. This would look like: > > Match against one, and only one, realm (does not have to be the realm > the server is in, that's dealt with seperately): > krb_realms = 'ABC.COM' > > Don't worry about the realm ever: > krb_realms = '' # default, to match current krb5 > > Match against multiple realms: > krb_realms = 'ABC.COM, DEF.ABC.COM' > > Note that using multiple realms implies either no overlap, or that > overlap means the same person. > > Additionally, I feel we should have an explicit 'krb_strip_realm' > boolean option to enable this behaviour. If 'krb_strip_realm' is > 'false' then the full [EMAIL PROTECTED] would be used. This would mean that > more complex cross-realm could also be handled by creating users with > [EMAIL PROTECTED] and then just roles when a given user exists in multiple > realms. > > I understand that we're in beta now but both of these are isolated and > rather small changes, I believe. Also, Magnus has indicated that he'd > be willing to adjust his patch accordingly if this is agreed to > (please correct me if I'm wrong here :).
I've committed the patch as it was without this, because that's still better than what we have now. Just for the record, I've indicated that I'm willing to add the multi-realm match part of that, but I'm not sure we want to dig into the "krb_strip_realm" stuff this late in the cycle. At least unless someone can confirm that we won't have issues *elswhere* from passing in very long usernames in what I believe is not entirely specified formats. I will try to work on the multi-realm stuff next week, unless someone wants to beat me to it... //Magnus ---------------------------(end of broadcast)--------------------------- TIP 4: Have you searched our list archives? http://archives.postgresql.org