b09f930d2e
Add hba parameter include_realm to krb5, gss and sspi authentication, used
...
to pass the full username@realm string to the authentication instead of
just the username. This makes it possible to use pg_ident.conf to authenticate
users from multiple realms as different database users.
2009-01-07 13:09:21 +00:00
32c469d7b1
Allow krb_realm (krb5, gssapi and sspi) and krb_server_hostname (krb5 only)
...
authentication options to be set in pg_hba.conf on a per-line basis, to
override the defaults set in postgresql.conf.
2009-01-07 12:38:11 +00:00
511db38ace
Update copyright for 2009.
2009-01-01 17:24:05 +00:00
170b66a0c5
Issue a proper error message when MD5 is attempted when
...
db_user_namespace is enabled.
Also document this limitation.
2008-11-20 20:45:30 +00:00
f179d5ea99
Add support for using SSL client certificates to authenticate to the
...
database (only for SSL connections, obviously).
2008-11-20 11:48:26 +00:00
3c486fbd1c
Control client certificate requesting with the pg_hba option "clientcert"
...
instead of just relying on the root certificate file to be present.
2008-11-20 09:29:36 +00:00
f426fbf746
Ident authentication over Unix-domain sockets on Solaris, using
...
getpeerucred() function.
Author: Garick Hamlin <ghamlin@isc.upenn.edu>
2008-11-18 13:10:20 +00:00
53a5026b5c
Remove support for (insecure) crypt authentication.
...
This breaks compatibility with pre-7.2 versions.
2008-10-28 12:10:44 +00:00
7356381ef5
* make pg_hba authoption be a set of 0 or more name=value pairs
...
* make LDAP use this instead of the hacky previous method to specify
the DN to bind as
* make all auth options behave the same when they are not compiled
into the server
* rename "ident maps" to "user name maps", and support them for all
auth methods that provide an external username
This makes a backwards incompatible change in the format of pg_hba.conf
for the ident, PAM and LDAP authentication methods.
2008-10-23 13:31:10 +00:00
9872381090
Parse pg_hba.conf in postmaster, instead of once in each backend for
...
each connection. This makes it possible to catch errors in the pg_hba
file when it's being reloaded, instead of silently reloading a broken
file and failing only when a user tries to connect.
This patch also makes the "sameuser" argument to ident authentication
optional.
2008-09-15 12:32:57 +00:00
26e6991a2d
Rearrange the code in auth.c so that all functions for a single authentication
...
method is grouped together in a reasonably similar way, keeping the "global
shared functions" together in their own section as well. Makes it a lot easier
to find your way around the code.
2008-08-01 11:41:12 +00:00
c30c1b8786
Move ident authentication code into auth.c along with the other authenciation
...
routines, leaving hba.c to deal only with processing the HBA specific files.
2008-08-01 09:09:49 +00:00
94be06af76
Fix parsing of LDAP URLs so it doesn't reject spaces in the "suffix" part.
...
Per report from César Miguel Oliveira Alves.
2008-07-24 17:51:55 +00:00
81e770857d
Since GSSAPI and SSPI authentication don't work in protocol version 2,
...
issue a helpful error message instead of sending unparsable garbage.
(It is clearly a design error that this doesn't work, but fixing it
is not worth the trouble at this point.) Per discussion.
2008-02-08 17:58:46 +00:00
b58d8c9a53
Don't putenv() a string that is allocated in a context that will go away
...
soon. I suspect this explains bug #3902 , though I'm still not able to
reproduce that.
2008-01-30 04:11:19 +00:00
9098ab9e32
Update copyrights in source tree to 2008.
2008-01-01 19:46:01 +00:00
178c78c79f
Fix typo
2007-11-28 13:30:16 +00:00
542d04e179
correct capitalization
2007-11-27 12:17:27 +00:00
fdf5a5efb7
pgindent run for 8.3.
2007-11-15 21:14:46 +00:00
166f67cebe
Message improvements
2007-11-15 20:04:38 +00:00
4b606ee444
Add parameter krb_realm used by GSSAPI, SSPI and Kerberos
...
to validate the realm of the connecting user. By default
it's empty meaning no verification, which is the way
Kerberos authentication has traditionally worked in
PostgreSQL.
2007-11-09 17:31:07 +00:00
7f9de5407a
Fix GSS API pointer checking.
...
Kris Jurka
2007-09-14 15:58:02 +00:00
d602592494
Make it possible, and default, for MingW to build with SSPI support
...
by dynamically loading the function that's missing from the MingW
headers and library.
2007-07-24 09:00:27 +00:00
f70866fb23
SSPI authentication on Windows. GSSAPI compatible client when doing Kerberos
...
against a Unix server, and Windows-specific server-side authentication
using SSPI "negotiate" method (Kerberos or NTLM).
Only builds properly with MSVC for now.
2007-07-23 10:16:54 +00:00
72c7badbab
Fix some warnings (probably actual bugs) generated by new GSSAPI code
...
when built on a 64-bit machine. Per buildfarm results extracted by Stefan.
2007-07-12 20:36:11 +00:00
784fd04940
Enable GSSAPI to build using MSVC. Always build GSSAPI when Kerberos is
...
enabled, because the only Kerberos library supported always contains it.
2007-07-12 14:43:21 +00:00
65a513c249
Support GSSAPI builds where the header is <gssapi.h> and not <gssapi/gssapi.h>,
...
such as OpenBSD (possibly all Heimdal).
Stefan Kaltenbrunner
2007-07-12 14:36:52 +00:00
31013db0a1
A bunch of GSSAPI fixes per comments from Tom:
...
* use elog not ereport for debug
* fix debug levels for some output
* properly check for memory allocation errors in a couple of missed places
2007-07-11 08:27:33 +00:00
6160106c74
Add support for GSSAPI authentication.
...
Documentation still being written, will be committed later.
Henry B. Hotz and Magnus Hagander
2007-07-10 13:14:22 +00:00
fe03a5f4ae
Check if the role exists before doing more complex ident and Kerberos
...
authentication checks in the backend.
Gavin Sherry
2007-02-08 04:52:18 +00:00
29dccf5fe0
Update CVS HEAD for 2007 copyright. Back branches are typically not
...
back-stamped for this.
2007-01-05 22:20:05 +00:00
62fe410ec6
Minor fix for LDAP authentication: if an error occurs, we need to
...
manually release the LDAP handle via ldap_unbind(). This isn't a
significant problem in practice because an error eventually results
in exiting the process, but we can cleanup correctly without too
much pain.
In passing, fix an error in snprintf() usage: the "size" parameter
to snprintf() is the size of the destination buffer, including space
for the NUL terminator. Also, depending on the value of NAMEDATALEN,
the old coding could have allowed for a buffer overflow.
2006-11-06 01:27:52 +00:00
b9b4f10b5b
Message style improvements
2006-10-06 17:14:01 +00:00
f99a569a2e
pgindent run for 8.2.
2006-10-04 00:30:14 +00:00
45c8ed96b9
Make some sentences consistent with similar ones.
...
Euler Taveira de Oliveira
2006-10-03 21:21:36 +00:00
0b52204f0d
Remove WINLDAPAPI decoration from ldap_start_tls_sA typedef, per Magnus.
2006-09-15 21:28:08 +00:00
daebd5257c
Ooops, ldap fix for win32 broke the non-win32 case.
2006-08-22 02:23:45 +00:00
5405576a22
Fix encrypted-LDAP support so that it doesn't cause the server to fail
...
entirely on older Windows platforms without the needed library function.
Magnus Hagander
2006-08-21 19:21:38 +00:00
e0522505bd
Remove 576 references of include files that were not needed.
2006-07-14 14:52:27 +00:00
ae643747b1
Fix a passel of recently-committed violations of the rule 'thou shalt
...
have no other gods before c.h'. Also remove some demonstrably redundant
#include lines, mostly of <errno.h> which was added to c.h years ago.
2006-07-14 05:28:29 +00:00
a22d76d96a
Allow include files to compile own their own.
...
Strip unused include files out unused include files, and add needed
includes to C files.
The next step is to remove unused include files in C files.
2006-07-13 16:49:20 +00:00
92f5bfcc0f
Fix invalid use of #if within a macro, per Laurenz Albe. Also try to
...
make the LDAP code's error messages look like they were written by someone
who had heard of our style guidelines.
2006-03-16 18:11:17 +00:00
357cc01e57
This patch adds native LDAP auth, for those platforms that don't have
...
PAM (such as Win32, but also unixen without PAM). On Unix, uses
OpenLDAP. On win32, uses the builin WinLDAP library.
Magnus Hagander
2006-03-06 17:41:44 +00:00
f2f5b05655
Update copyright for 2006. Update scripts.
2006-03-05 15:59:11 +00:00
436a2956d8
Re-run pgindent, fixing a problem where comment lines after a blank
...
comment line where output as too long, and update typedefs for /lib
directory. Also fix case where identifiers were used as variable names
in the backend, but as typedefs in ecpg (favor the backend for
indenting).
Backpatch to 8.1.X.
2005-11-22 18:17:34 +00:00
d330f1554d
Clean up libpq's pollution of application namespace by renaming the
...
exported routines of ip.c, md5.c, and fe-auth.c to begin with 'pg_'.
Also get rid of the vestigial fe_setauthsvc/fe_getauthsvc routines
altogether.
2005-10-17 16:24:20 +00:00
98d5f4e574
kerberos error message: localhost -> server hostname
2005-10-15 21:27:19 +00:00
1dc3498251
Standard pgindent run for 8.1.
2005-10-15 02:49:52 +00:00
5aae047e23
Update krb_server_name to document that a missing entry defaults to
...
'localhost'.
Improve kerberos error message.
2005-10-13 22:55:19 +00:00
18d0ca2d1b
Fix Kerberos authentication in wake of virtual-hosts changes --- need
...
to call krb5_sname_to_principal() always. Also, use krb_srvname rather
than the hardwired string 'postgres' as the appl_version string in the
krb5_sendauth/recvauth calls, to avoid breaking compatibility with PG
8.0. Magnus Hagander
2005-10-08 19:32:58 +00:00
Magnus Hagander
Bruce Momjian
Peter Eisentraut
Tom Lane
Neil Conway