* Brian Crowell (brian@xxxxxxxxxx) wrote:
> https://github.com/npgsql/Npgsql/issues/162#issuecomment-35916650

Reading through this- can't you use GSSAPI to get the Kerberos princ found in the ticket which is constructed? I'm pretty sure the MIT libraries support that, at least...

> The short version is that Postgres requires two user names when using
> GSSAPI/SSPI: one from the startup packet, and one from the Kerberos ticket,
> and if these don't match exactly, the login fails. It's generally
> impossible to determine the correct user name to send in the startup packet.

Just as with .k5login, they do *not* have to match, but if they don't then there needs to be a mapping provided from the Kerberos princ to the PG username. Check out pg_ident and note that it even supports regexp's, so you may be able to construct a mapping such that the princ is mixed case and the login works- provided you send the lowercase'd username as the PG user to log in as.

> I think Postgres should either not require or ignore the user name in the
> startup packet for these two login types. What do you think?

We need the username to figure out which auth method we're using...

Thanks,

Stephen
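
The pg_ident mapping described in the reply above, as an added configuration example that is not part of the original message. The map name `krb`, the realm `EXAMPLE.COM`, the address range and the user `jsmith` are constructed placeholders.

```conf
# --- pg_hba.conf (constructed example) ---
# Authenticate with GSSAPI and resolve the database role through the "krb"
# user name map instead of requiring principal == startup-packet user.
# include_realm=1 keeps "@REALM" in the name that is handed to the map.
# TYPE  DATABASE  USER  ADDRESS       METHOD
host    all       all   10.0.0.0/8    gss include_realm=1 map=krb

# --- pg_ident.conf (constructed example) ---
# MAPNAME  SYSTEM-USERNAME                   PG-USERNAME
#
# Explicit entry: a mixed-case principal is allowed to log in as the
# lowercase role. The client must send "jsmith" in the startup packet.
krb        JSmith@EXAMPLE.COM                jsmith
#
# Regular expression (leading "/"): accept the case variants of one
# principal and pin them all to a single role.
krb        /^[Jj][Ss]mith@EXAMPLE\.COM$      jsmith
#
# Regular expression with a capture: principals that are already lowercase
# map to the role of the same name; \1 is replaced by the captured part.
# The pattern is anchored (^...$) and names the realm, so a principal from
# another realm can never match.
krb        /^([a-z0-9_]+)@EXAMPLE\.COM$      \1
```

A map line only permits a (principal, role) pair; it does not rewrite the requested role, so the login succeeds only when the client asks for the role named in the PG-USERNAME column. Both files are re-read on a configuration reload.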