|
Home > Archive > PostgreSQL JDBC > September 2005 > GSSAPI or Kerberos authentication problems
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
GSSAPI or Kerberos authentication problems
|
|
| Mike Warnecke 2005-09-14, 8:25 pm |
| Hi all, I'm new to this list, and I haven't been able to find a solution
to this problem by Googling, so I hope I'm not beating a dead horse
here.
I'm using the postgresql-jdbc driver with OpenOffice.org 2.0, and I
can't get it to use GSSAPI authentication using my Kerberos credentials.
I have no other apps that use postgresql-jdbc, but it appears as though
the problem is in this driver, not OOo.
psql And other apps using the native PostgreSQL interface work fine
using Kerberos authentication, just not JDBC.
Does the postgresql-jdbc driver support Kerberos/GSSAPI authentication?
If not, what is required to get it done?
--
Mike Warnecke <mike@audiowarehouse.ca>
Audio Warehouse
| |
| Kris Jurka 2005-09-14, 8:25 pm |
|
On Wed, 14 Sep 2005, Mike Warnecke wrote:
> I'm using the postgresql-jdbc driver with OpenOffice.org 2.0, and I
> can't get it to use GSSAPI authentication using my Kerberos credentials.
> I have no other apps that use postgresql-jdbc, but it appears as though
> the problem is in this driver, not OOo.
>
> psql And other apps using the native PostgreSQL interface work fine
> using Kerberos authentication, just not JDBC.
>
> Does the postgresql-jdbc driver support Kerberos/GSSAPI authentication?
> If not, what is required to get it done?
>
The JDBC driver does not currently support kerberos auth. Since the
driver is pure Java we cannot rely on the standard postgresql client
library (libpq) and its kerberos support. When the driver was initially
written the only kerberos support available required separate third party
libraries. With the availability of JAAS in JDK 1.3 and subsequent
integration in JDK 1.4 that is no longer the case. I imagine someone
familiar with JAAS and kerberos could add support to the driver relatively
easily, but Java and kerberos do not seem like a common combination (at
least in the Postgresql world). Without the expertise or the demand for
this feature it doesn't seem likely that it will happen anytime soon.
Kris Jurka
---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?
http://www.postgresql.org/docs/faq
| |
| Mike Warnecke 2005-09-14, 8:25 pm |
| On Wed, 2005-14-09 at 16:00 -0500, Kris Jurka wrote:
>
> On Wed, 14 Sep 2005, Mike Warnecke wrote:
>
>
> The JDBC driver does not currently support kerberos auth. Since the
> driver is pure Java we cannot rely on the standard postgresql client
> library (libpq) and its kerberos support. When the driver was initially
> written the only kerberos support available required separate third party
> libraries. With the availability of JAAS in JDK 1.3 and subsequent
> integration in JDK 1.4 that is no longer the case. I imagine someone
> familiar with JAAS and kerberos could add support to the driver relatively
> easily, but Java and kerberos do not seem like a common combination (at
> least in the Postgresql world). Without the expertise or the demand for
> this feature it doesn't seem likely that it will happen anytime soon.
So, if I need it, I'll need to learn JAAS, and contribute it then,
right?
As far as nobody using JDBC, PostgreSQL, and Kerberos together, I can't
understand why a single sign-on architecture with real security wouldn't
be more popular. But then again, look at the number of people still
using Zip encryption...
I think you've given me the necessary information with respect to JAAS
though. Thanks!
--
Mike Warnecke <mike@audiowarehouse.ca>
Audio Warehouse
| |
| Kris Jurka 2005-09-14, 8:25 pm |
|
On Wed, 14 Sep 2005, Mike Warnecke wrote:
> So, if I need it, I'll need to learn JAAS, and contribute it then,
> right?
Right, that'd be great.
> As far as nobody using JDBC, PostgreSQL, and Kerberos together, I can't
> understand why a single sign-on architecture with real security wouldn't
> be more popular. But then again, look at the number of people still
> using Zip encryption...
>
I think it's because JDBC is so often used as a server side technology
with one database user for all clients.
Kris Jurka
---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?
http://www.postgresql.org/docs/faq
| |
| Kris Jurka 2005-09-29, 8:24 pm |
| Mike Warnecke wrote:
> Does the postgresql-jdbc driver support Kerberos/GSSAPI authentication?
> If not, what is required to get it done?
>
>
Doing a little further reading and testing shows that the server would
need to be extended to provide GSSAPI support even though the underlying
authentication would be done using Kerberos. Java has Kerberos support,
but not the ability to "speak" it directly, only through the GSSAPI
interface.
Phil Dodderidge claimed to have this up and working quite some time ago,
perhaps he can share some more info...
http://archives.postgresql.org/pgsq...04/msg01461.php
Although I'm not sure people want GSSAPI support in the backend given
the comments on adding SASL support here:
http://archives.postgresql.org/pgsq...05/msg00760.php
Kris Jurka
|
|
|
|
|