Add hba parameter include_realm to krb5, gss and sspi authentication, used

to pass the full username@realm string to the authentication instead of just the username. This makes it possible to use pg_ident.conf to authenticate users from multiple realms as different database users.
author: Magnus Hagander 2009-01-07 13:09:21 +0000
committer: Magnus Hagander 2009-01-07 13:09:21 +0000
commit: f0f00307f4b2b526e4741490a44037e2802e2b6a (patch)
tree: 62a5dfe295f748a7c23d9c4c62cdc8e4d10f006c
parent: d2036196a9b5a97970751d253eb599f5791e00ec (diff)
4 files changed, 65 insertions, 3 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index e1bb7158bf..68cade19ec 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -786,6 +786,18 @@ omicron       bryanh            guest1
      </varlistentry>
 
      <varlistentry>
+      <term>include_realm</term>
+      <listitem>
+       <para>
+        Include the realm name from the authenticated user principal. This is useful
+        in combination with Username maps (See <xref linkend="auth-username-maps">
+        for details), especially with regular expressions, to map users from
+        multiple realms.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry>
       <term>krb_realm</term>
       <listitem>
        <para>
@@ -847,6 +859,18 @@ omicron       bryanh            guest1
      </varlistentry>
 
      <varlistentry>
+      <term>include_realm</term>
+      <listitem>
+       <para>
+        Include the realm name from the authenticated user principal. This is useful
+        in combination with Username maps (See <xref linkend="auth-username-maps">
+        for details), especially with regular expressions, to map users from
+        multiple realms.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry>
       <term>krb_realm</term>
       <listitem>
        <para>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index a0545e8d85..fc3de097fe 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -748,7 +748,13 @@ pg_krb5_recvauth(Port *port)
 	cp = strchr(kusername, '@');
 	if (cp)
 	{
-		*cp = '\0';
+		/*
+		 * If we are not going to include the realm in the username that is passed
+		 * to the ident map, destructively modify it here to remove the realm. Then
+		 * advance past the separator to check the realm.
+		 */
+		if (!port->hba->include_realm)
+			*cp = '\0';
 		cp++;
 
 		if (realmmatch != NULL && strlen(realmmatch))
@@ -1040,7 +1046,13 @@ pg_GSS_recvauth(Port *port)
 	{
 		char	   *cp = strchr(gbuf.value, '@');
 
-		*cp = '\0';
+		/*
+		 * If we are not going to include the realm in the username that is passed
+		 * to the ident map, destructively modify it here to remove the realm. Then
+		 * advance past the separator to check the realm.
+		 */
+		if (!port->hba->include_realm)
+			*cp = '\0';
 		cp++;
 
 		if (realmmatch != NULL && strlen(realmmatch))
@@ -1361,8 +1373,22 @@ pg_SSPI_recvauth(Port *port)
 	/*
 	 * We have the username (without domain/realm) in accountname, compare to
 	 * the supplied value. In SSPI, always compare case insensitive.
+	 *
+	 * If set to include realm, append it in <username>@<realm> format.
 	 */
-	return check_usermap(port->hba->usermap, port->user_name, accountname, true);
+	if (port->hba->include_realm)
+	{
+		char   *namebuf;
+		int		retval;
+
+		namebuf = palloc(strlen(accountname) + strlen(domainname) + 2);
+		sprintf(namebuf, "%s@%s", accountname, domainname);
+		retval = check_usermap(port->hba->usermap, port->user_name, namebuf, true);
+		pfree(namebuf);
+		return retval;
+	}
+	else
+		return check_usermap(port->hba->usermap, port->user_name, accountname, true);
 }
 #endif   /* ENABLE_SSPI */
 
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 0d83cceb89..a134b4565b 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1053,6 +1053,17 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
 					INVALID_AUTH_OPTION("krb_realm", "krb5, gssapi and sspi");
 				parsedline->krb_realm = pstrdup(c);
 			}
+			else if (strcmp(token, "include_realm") == 0)
+			{
+				if (parsedline->auth_method != uaKrb5 &&
+					parsedline->auth_method != uaGSS &&
+					parsedline->auth_method != uaSSPI)
+					INVALID_AUTH_OPTION("include_realm", "krb5, gssapi and sspi");
+				if (strcmp(c, "1") == 0)
+					parsedline->include_realm = true;
+				else
+					parsedline->include_realm = false;
+			}
 			else
 			{
 				ereport(LOG,
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 522a3b96df..c766352caa 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -58,6 +58,7 @@ typedef struct
 	bool		clientcert;
 	char	   *krb_server_hostname;
 	char	   *krb_realm;
+	bool		include_realm;
 } HbaLine;
 
 typedef struct Port hbaPort;
author	Magnus Hagander	2009-01-07 13:09:21 +0000
committer	Magnus Hagander	2009-01-07 13:09:21 +0000
commit	f0f00307f4b2b526e4741490a44037e2802e2b6a (patch)
tree	62a5dfe295f748a7c23d9c4c62cdc8e4d10f006c
parent	d2036196a9b5a97970751d253eb599f5791e00ec (diff)