*** pgsql/src/backend/libpq/auth.c 2009/01/07 13:09:21 1.177 --- pgsql/src/backend/libpq/auth.c 2009/01/09 10:13:18 1.178 *************** *** 8,14 **** * * * IDENTIFICATION ! * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.176 2009/01/07 12:38:11 mha Exp $ * *------------------------------------------------------------------------- */ --- 8,14 ---- * * * IDENTIFICATION ! * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.177 2009/01/07 13:09:21 mha Exp $ * *------------------------------------------------------------------------- */ *************** static int CheckCertAuth(Port *port); *** 129,136 **** char *pg_krb_server_keyfile; char *pg_krb_srvnam; bool pg_krb_caseins_users; - char *pg_krb_server_hostname = NULL; - char *pg_krb_realm = NULL; /*---------------------------------------------------------------- --- 129,134 ---- *************** pg_krb5_init(Port *port) *** 645,654 **** * If no hostname was specified, pg_krb_server_hostname is already NULL. * If it's set to blank, force it to NULL. */ ! if (port->hba->krb_server_hostname) ! khostname = port->hba->krb_server_hostname; ! else ! khostname = pg_krb_server_hostname; if (khostname && khostname[0] == '\0') khostname = NULL; --- 643,649 ---- * If no hostname was specified, pg_krb_server_hostname is already NULL. * If it's set to blank, force it to NULL. */ ! khostname = port->hba->krb_server_hostname; if (khostname && khostname[0] == '\0') khostname = NULL; *************** pg_krb5_recvauth(Port *port) *** 694,700 **** krb5_ticket *ticket; char *kusername; char *cp; - char *realmmatch; if (get_role_line(port->user_name) == NULL) return STATUS_ERROR; --- 689,694 ---- *************** pg_krb5_recvauth(Port *port) *** 740,750 **** return STATUS_ERROR; } - if (port->hba->krb_realm) - realmmatch = port->hba->krb_realm; - else - realmmatch = pg_krb_realm; - cp = strchr(kusername, '@'); if (cp) { --- 734,739 ---- *************** pg_krb5_recvauth(Port *port) *** 757,775 **** *cp = '\0'; cp++; ! 
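Review bot: The comment kept above the new assignment in pg_krb5_init (new lines 643-649) still says `pg_krb_server_hostname is already NULL`, but this commit deletes that global, so it now describes a variable that no longer exists. Reword it to name the field that is actually read, for example `* If no hostname was specified, port->hba->krb_server_hostname is NULL.` followed by the existing "If it's set to blank, force it to NULL." line. The hostname presumably selects the service principal the server authenticates as, so the comment is worth keeping accurate. The body of pg_krb5_init starts and ends outside this hunk.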
if (realmmatch != NULL && strlen(realmmatch)) { /* Match realm against configured */ if (pg_krb_caseins_users) ! ret = pg_strcasecmp(realmmatch, cp); else ! ret = strcmp(realmmatch, cp); if (ret) { elog(DEBUG2, "krb5 realm (%s) and configured realm (%s) don't match", ! cp, realmmatch); krb5_free_ticket(pg_krb5_context, ticket); krb5_auth_con_free(pg_krb5_context, auth_context); --- 746,764 ---- *cp = '\0'; cp++; ! if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm)) { /* Match realm against configured */ if (pg_krb_caseins_users) ! ret = pg_strcasecmp(port->hba->krb_realm, cp); else ! ret = strcmp(port->hba->krb_realm, cp); if (ret) { elog(DEBUG2, "krb5 realm (%s) and configured realm (%s) don't match", ! cp, port->hba->krb_realm); krb5_free_ticket(pg_krb5_context, ticket); krb5_auth_con_free(pg_krb5_context, auth_context); *************** pg_krb5_recvauth(Port *port) *** 777,783 **** } } } ! else if (realmmatch && strlen(realmmatch)) { elog(DEBUG2, "krb5 did not return realm but realm matching was requested"); --- 766,772 ---- } } } ! else if (port->hba->krb_realm&& strlen(port->hba->krb_realm)) { elog(DEBUG2, "krb5 did not return realm but realm matching was requested"); *************** pg_GSS_recvauth(Port *port) *** 874,880 **** int ret; StringInfoData buf; gss_buffer_desc gbuf; - char *realmmatch; /* * GSS auth is not supported for protocol versions before 3, because it --- 863,868 ---- *************** pg_GSS_recvauth(Port *port) *** 1034,1044 **** gettext_noop("retrieving GSS user name failed"), maj_stat, min_stat); - if (port->hba->krb_realm) - realmmatch = port->hba->krb_realm; - else - realmmatch = pg_krb_realm; - /* * Split the username at the realm separator */ --- 1022,1027 ---- *************** pg_GSS_recvauth(Port *port) *** 1055,1082 **** *cp = '\0'; cp++; ! if (realmmatch != NULL && strlen(realmmatch)) { /* * Match the realm part of the name first */ if (pg_krb_caseins_users) ! ret = pg_strcasecmp(realmmatch, cp); else ! 
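Review bot: With the fallback to `pg_krb_realm` removed, the realm comparison in pg_krb5_recvauth (new lines 746-764) runs only when the matching hba entry sets `krb_realm`. An entry without it skips the check, and only the user part left after `*cp = '\0'` is carried forward, so a principal from any realm the server can validate would be treated alike. That fail-open default deserves a comment at the test, e.g. `/* Realm is checked only if this hba entry sets krb_realm; there is no server-wide default any more. */`. The same applies to the pg_GSS_recvauth hunk (new lines 1038-1065) and the pg_SSPI_recvauth hunk (new lines 1335-1347). How an installation that relied on the old server-wide setting is migrated is not visible in this diff and should be confirmed; the function body starts and ends outside the hunk.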
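Review bot: The rewritten condition at new lines 766-772 reads `port->hba->krb_realm&& strlen(port->hba->krb_realm)`, with no space before `&&`, and it tests the pointer for truth while the branch a few lines above uses `!= NULL`. Write it as `else if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))` so the two halves of the same realm check read alike. This is a style point only; the behaviour is unchanged.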
ret = strcmp(realmmatch, cp); if (ret) { /* GSS realm does not match */ elog(DEBUG2, "GSSAPI realm (%s) and configured realm (%s) don't match", ! cp, realmmatch); gss_release_buffer(&lmin_s, &gbuf); return STATUS_ERROR; } } } ! else if (realmmatch && strlen(realmmatch)) { elog(DEBUG2, "GSSAPI did not return realm but realm matching was requested"); --- 1038,1065 ---- *cp = '\0'; cp++; ! if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm)) { /* * Match the realm part of the name first */ if (pg_krb_caseins_users) ! ret = pg_strcasecmp(port->hba->krb_realm, cp); else ! ret = strcmp(port->hba->krb_realm, cp); if (ret) { /* GSS realm does not match */ elog(DEBUG2, "GSSAPI realm (%s) and configured realm (%s) don't match", ! cp, port->hba->krb_realm); gss_release_buffer(&lmin_s, &gbuf); return STATUS_ERROR; } } } ! else if (port->hba->krb_realm && strlen(port->hba->krb_realm)) { elog(DEBUG2, "GSSAPI did not return realm but realm matching was requested"); *************** pg_SSPI_recvauth(Port *port) *** 1140,1146 **** SID_NAME_USE accountnameuse; HMODULE secur32; QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken; - char *realmmatch; /* * SSPI auth is not supported for protocol versions before 3, because it --- 1123,1128 ---- *************** pg_SSPI_recvauth(Port *port) *** 1353,1370 **** * Compare realm/domain if requested. In SSPI, always compare case * insensitive. */ ! if (port->hba->krb_realm) ! realmmatch = port->hba->krb_realm; ! else ! realmmatch = pg_krb_realm; ! ! if (realmmatch && strlen(realmmatch)) { ! if (pg_strcasecmp(realmmatch, domainname)) { elog(DEBUG2, "SSPI domain (%s) and configured domain (%s) don't match", ! domainname, realmmatch); return STATUS_ERROR; } --- 1335,1347 ---- * Compare realm/domain if requested. In SSPI, always compare case * insensitive. */ ! if (port->hba->krb_realm && strlen(port->hba->krb_realm)) { ! 
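Review bot: A realm mismatch in pg_GSS_recvauth (new lines 1038-1065) ends in `return STATUS_ERROR`, but the reason is still reported only through `elog(DEBUG2, ...)`, which a server at its default log level does not record. Because the configured realm now comes from the individual hba entry, a mistyped `krb_realm` and a ticket from an unexpected realm both leave no specific trace for whoever reviews authentication failures. Consider raising the message to the server log, e.g. `ereport(LOG, (errmsg("GSSAPI realm (%s) and configured realm (%s) don't match", cp, port->hba->krb_realm)));`, with the equivalent change in the krb5 hunk (new lines 746-764) and the SSPI hunk (new lines 1335-1347). The function body starts and ends outside the hunk.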
if (pg_strcasecmp(port->hba->krb_realm, domainname)) { elog(DEBUG2, "SSPI domain (%s) and configured domain (%s) don't match", ! domainname, port->hba->krb_realm); return STATUS_ERROR; }