database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-08-06 18:42:54 +03:00
Code Activity

Cleanups from the remove-native-krb5 patch

Browse Source 
krb_srvname is actually not available anymore as a parameter server-side, since
with gssapi we accept all principals in our keytab. It's still used in libpq for
client side specification.

In passing remove declaration of krb_server_hostname, where all the functionality
was already removed.

Noted by Stephen Frost, though a different solution than his suggestion
This commit is contained in:
Magnus Hagander
2014-03-16 15:18:52 +01:00
parent e3c9f23250
commit 0294023a6b
7 changed files with 9 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
doc/src/sgml/client-auth.sgml
View File

@@ -923,17 +923,15 @@ omicron bryanh guest1
<productname>Kerberos</productname>, it uses a standard principal
in the format
<literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
<replaceable>servicename</> can be set on the server side using the
<xref linkend="guc-krb-srvname"> configuration parameter, and on the
client side using the <literal>krbsrvname</> connection parameter. (See
The PostgreSQL server will accept any principal that is included in the keytab used by
the server, but care needs to be taken to specify the correct principal details when
making the connection from the client using the <literal>krbsrvname</> connection parameter. (See
also <xref linkend="libpq-paramkeywords">.) The installation default can be
changed from the default <literal>postgres</literal> at build time using
<literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.
In most environments,
this parameter never needs to be changed. However, it is necessary
when supporting multiple <productname>PostgreSQL</> installations
on the same host.
Some Kerberos implementations might also require a different service name,
this parameter never needs to be changed.
Some Kerberos implementations might require a different service name,
such as Microsoft Active Directory which requires the service name
to be in upper case (<literal>POSTGRES</literal>).
</para>
@@ -964,6 +962,9 @@ omicron bryanh guest1
parameter. The default is
<filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever
directory was specified as <varname>sysconfdir</> at build time).
For security reasons, it is recommended to use a separate keytab
just for the <productname>PostgreSQL</productname> server rather
than opening up permissions on the system keytab file.
</para>
<para>
The keytab file is generated by the Kerberos software; see the