> > The *REALM* is not checked, however. This can cause problems if you
> > have a multi-realm system (where the realms already trust each other,
> > because the KDC has to give out the service ticket) where you have the
> > same username existing in multiple realms representing different users.
>
> This brings up the issue again that it'd be nice to be able to have
> what amounts to a '.k5login' in PostgreSQL somehow. Ideally, this
> would be something an individual user could set up but a good first
> step would be to have something along the lines of pg_ident.conf for
> Kerberos connections where the admin could implement a mapping.
>
> We should probably also have a configurable option to check the realm
> or to not check the realm. I'd like to look into doing this for 8.2
> but, as usual, I'm not sure I'll have time. Anyone else looking into
> this?

They're both on my personal TODO (not .k5login, but a
pg_ident-kind-of-mapping), but with the same disclaimer as you - I don't
know if I'll have enough time.

//Magnus