Explicitly require MIT Kerberos for GSSAPI
When building with GSSAPI support, explicitly require MIT Kerberos and check for gssapi_ext.h in configure.ac and meson.build. Also add documentation explicitly stating that we now require MIT Kerberos when building with GSSAPI support. Reviewed by: Johnathan Katz Discussion: https://postgr.es/m/abcc73d0-acf7-6896-e0dc-f5bc12a61bb1@postgresql.org
parent
6633cfb216
commit
f7431bca8b
|
@ -14104,6 +14104,33 @@ done
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
done
|
||||||
|
|
||||||
|
for ac_header in gssapi/gssapi_ext.h
|
||||||
|
do :
|
||||||
|
ac_fn_c_check_header_mongrel "$LINENO" "gssapi/gssapi_ext.h" "ac_cv_header_gssapi_gssapi_ext_h" "$ac_includes_default"
|
||||||
|
if test "x$ac_cv_header_gssapi_gssapi_ext_h" = xyes; then :
|
||||||
|
cat >>confdefs.h <<_ACEOF
|
||||||
|
#define HAVE_GSSAPI_GSSAPI_EXT_H 1
|
||||||
|
_ACEOF
|
||||||
|
|
||||||
|
else
|
||||||
|
for ac_header in gssapi_ext.h
|
||||||
|
do :
|
||||||
|
ac_fn_c_check_header_mongrel "$LINENO" "gssapi_ext.h" "ac_cv_header_gssapi_ext_h" "$ac_includes_default"
|
||||||
|
if test "x$ac_cv_header_gssapi_ext_h" = xyes; then :
|
||||||
|
cat >>confdefs.h <<_ACEOF
|
||||||
|
#define HAVE_GSSAPI_EXT_H 1
|
||||||
|
_ACEOF
|
||||||
|
|
||||||
|
else
|
||||||
|
as_fn_error $? "gssapi_ext.h header file is required for GSSAPI" "$LINENO" 5
|
||||||
|
fi
|
||||||
|
|
||||||
|
done
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -1562,6 +1562,8 @@ fi
|
||||||
if test "$with_gssapi" = yes ; then
|
if test "$with_gssapi" = yes ; then
|
||||||
AC_CHECK_HEADERS(gssapi/gssapi.h, [],
|
AC_CHECK_HEADERS(gssapi/gssapi.h, [],
|
||||||
[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
|
[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
|
||||||
|
AC_CHECK_HEADERS(gssapi/gssapi_ext.h, [],
|
||||||
|
[AC_CHECK_HEADERS(gssapi_ext.h, [], [AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI])])])
|
||||||
fi
|
fi
|
||||||
|
|
||||||
PGAC_PATH_PROGS(OPENSSL, openssl)
|
PGAC_PATH_PROGS(OPENSSL, openssl)
|
||||||
|
|
|
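Review bot: The new `AC_MSG_ERROR` text never says that MIT Kerberos is what is actually required, so someone building against another GSSAPI implementation sees only "gssapi_ext.h header file is required for GSSAPI" and has to find the reason in the documentation. I would spell it out in the message, e.g. `[AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI (MIT Kerberos is required)])]`, and regenerate configure so the `as_fn_error` line matches. Header presence is also only a proxy for the implementation. If the code ends up depending on specific credential-store functions, probing for those would be a tighter check. A short comment above the new `AC_CHECK_HEADERS` saying why this header is required would help the next reader.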
@ -1426,7 +1426,7 @@ omicron bryanh guest1
|
||||||
The keytab file is generated using the Kerberos software; see the
|
The keytab file is generated using the Kerberos software; see the
|
||||||
Kerberos documentation for details. The following example shows
|
Kerberos documentation for details. The following example shows
|
||||||
doing this using the <application>kadmin</application> tool of
|
doing this using the <application>kadmin</application> tool of
|
||||||
MIT-compatible Kerberos 5 implementations:
|
MIT Kerberos:
|
||||||
<screen>
|
<screen>
|
||||||
<prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput>
|
<prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput>
|
||||||
<prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput>
|
<prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput>
|
||||||
|
|
|
@ -252,9 +252,9 @@ documentation. See standalone-profile.xsl for details.
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
You need <application>Kerberos</application>, <productname>OpenLDAP</productname>,
|
You need <application>MIT Kerberos</application> (for GSSAPI),
|
||||||
and/or <application>PAM</application>, if you want to support authentication
|
<productname>OpenLDAP</productname>, and/or <application>PAM</application>,
|
||||||
using those services.
|
if you want to support authentication using those services.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
@ -1048,9 +1048,9 @@ build-postgresql:
|
||||||
<term><option>--with-gssapi</option></term>
|
<term><option>--with-gssapi</option></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Build with support for GSSAPI authentication. On many systems, the
|
Build with support for GSSAPI authentication. MIT Kerberos is required
|
||||||
GSSAPI system (usually a part of the Kerberos installation) is not
|
to be installed for GSSAPI. On many systems, the GSSAPI system (a part
|
||||||
installed in a location
|
of the MIT Kerberos installation) is not installed in a location
|
||||||
that is searched by default (e.g., <filename>/usr/include</filename>,
|
that is searched by default (e.g., <filename>/usr/include</filename>,
|
||||||
<filename>/usr/lib</filename>), so you must use the options
|
<filename>/usr/lib</filename>), so you must use the options
|
||||||
<option>--with-includes</option> and <option>--with-libraries</option> in
|
<option>--with-includes</option> and <option>--with-libraries</option> in
|
||||||
|
@ -2497,10 +2497,11 @@ ninja install
|
||||||
<term><option>-Dgssapi={ auto | enabled | disabled }</option></term>
|
<term><option>-Dgssapi={ auto | enabled | disabled }</option></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Build with support for GSSAPI authentication. On many systems, the
|
Build with support for GSSAPI authentication. MIT Kerberos is required
|
||||||
GSSAPI system (usually a part of the Kerberos installation) is not
|
to be installed for GSSAPI. On many systems, the GSSAPI system (a part
|
||||||
installed in a location that is searched by default (e.g.,
|
of the MIT Kerberos installation) is not installed in a location
|
||||||
<filename>/usr/include</filename>, <filename>/usr/lib</filename>). In
|
that is searched by default (e.g., <filename>/usr/include</filename>,
|
||||||
|
<filename>/usr/lib</filename>). In
|
||||||
those cases, PostgreSQL will query <command>pkg-config</command> to
|
those cases, PostgreSQL will query <command>pkg-config</command> to
|
||||||
detect the required compiler and linker options. Defaults to auto.
|
detect the required compiler and linker options. Defaults to auto.
|
||||||
<filename>meson configure</filename> will check for the required
|
<filename>meson configure</filename> will check for the required
|
||||||
|
|
10
meson.build
10
meson.build
|
@ -623,6 +623,16 @@ if not gssapiopt.disabled()
|
||||||
have_gssapi = false
|
have_gssapi = false
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
if not have_gssapi
|
||||||
|
elif cc.check_header('gssapi/gssapi_ext.h', dependencies: gssapi, required: false,
|
||||||
|
args: test_c_args, include_directories: postgres_inc)
|
||||||
|
cdata.set('HAVE_GSSAPI_GSSAPI_EXT_H', 1)
|
||||||
|
elif cc.check_header('gssapi_ext.h', args: test_c_args, dependencies: gssapi, required: gssapiopt)
|
||||||
|
cdata.set('HAVE_GSSAPI_EXT_H', 1)
|
||||||
|
else
|
||||||
|
have_gssapi = false
|
||||||
|
endif
|
||||||
|
|
||||||
if not have_gssapi
|
if not have_gssapi
|
||||||
elif cc.has_function('gss_init_sec_context', dependencies: gssapi,
|
elif cc.has_function('gss_init_sec_context', dependencies: gssapi,
|
||||||
args: test_c_args, include_directories: postgres_inc)
|
args: test_c_args, include_directories: postgres_inc)
|
||||||
|
|
|
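Review bot: With `gssapi` left at `auto`, the new `else` branch sets `have_gssapi = false` without any diagnostic, so a build against a GSSAPI library that lacks `gssapi_ext.h` quietly yields a server with no GSSAPI authentication or encryption. Presumably some of those builds had GSSAPI enabled before this change, which makes the silent downgrade easy to miss in packaging. I would add `warning('GSSAPI support disabled: gssapi_ext.h not found (MIT Kerberos is required)')` just before `have_gssapi = false` in that branch. The fallback probe for `gssapi_ext.h` also omits the `include_directories: postgres_inc` that the `gssapi/gssapi_ext.h` probe passes, so the two checks do not search the same paths. If that is intentional it deserves a comment.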
@ -922,8 +922,9 @@ pg_GSS_recvauth(Port *port)
|
||||||
gss_cred_id_t delegated_creds;
|
gss_cred_id_t delegated_creds;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Use the configured keytab, if there is one. Unfortunately, Heimdal
|
* Use the configured keytab, if there is one. As we now require MIT
|
||||||
* doesn't support the cred store extensions, so use the env var.
|
* Kerberos, we might consider using the credential store extensions in
|
||||||
|
* the future instead of the environment variable.
|
||||||
*/
|
*/
|
||||||
if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
|
if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
|
||||||
{
|
{
|
||||||
|
|
|
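Review bot: The rewritten comment in pg_GSS_recvauth drops the explanation of what the code below does today and replaces it with a speculative "might consider ... in the future", so a reader no longer learns from it that the keytab is still passed through the environment. The same wording is repeated in the secure_open_gssapi hunk. I would state the current behaviour first and the follow-up second, for example `* Use the configured keytab, if there is one. It is still passed via the` / `* environment variable; since MIT Kerberos is now required, the credential` / `* store extensions could replace that.` The body of the `if` that follows lies outside both hunks, so this is a documentation suggestion only.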
@ -526,8 +526,9 @@ secure_open_gssapi(Port *port)
|
||||||
PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0;
|
PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Use the configured keytab, if there is one. Unfortunately, Heimdal
|
* Use the configured keytab, if there is one. As we now require MIT
|
||||||
* doesn't support the cred store extensions, so use the env var.
|
* Kerberos, we might consider using the credential store extensions in the
|
||||||
|
* future instead of the environment variable.
|
||||||
*/
|
*/
|
||||||
if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
|
if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
|
||||||
{
|
{
|
||||||
|
|