Re: Design Considerations for New Authentication Methods

Josh Berkus <josh@agliodbs.com>

From: Josh Berkus <josh@agliodbs.com>
To: pgsql-hackers@postgresql.org
Cc: "Magnus Hagander" <mha@sollentuna.net>, mark@mark.mielke.cc, "Joshua D. Drake" <jd@commandprompt.com>, "Tom Lane" <tgl@sss.pgh.pa.us>, "Andrew Sullivan" <ajs@crankycanuck.ca>
Date: 2006-11-04T20:03:12Z
Lists: pgsql-hackers
Tom, Josh, etc.:

> But if you're looking for a "big application" that uses Kerberos,
> there's that pesky thing called Windows. Every single Windows machine in
> an active directory domain environment is a Kerberos client, and uses
> Kerberos for authentication to all network services.

Kerberos with GSSAPI is also widely used for Solaris, so supporting it helps a 
lot in getting a large proportion of Solaris users to adopt PostgreSQL.

> So Kerberos is definitly big. And more and more apps do support GSSAPI
> for authentication. Not that many apps support "raw kerberos" as pgsql
> does, probably because it does have some compatibility issues and such
> things.

Yes ... if we were looking to cut down on both code and dependency bugs, we 
might consider desupporting "raw Kerberos".   At this point, I think that 
everyone who supports Kerberos supports GSSAPI, unless we're still committed 
to supporting users of Red Hat 7.0 (Tom?).

-- 
Josh Berkus
PostgreSQL @ Sun
San Francisco