mirror of https://github.com/postgres/postgres.git synced 2025-07-28 23:42:10 +03:00

Make krb_realm and krb_server_hostname be pg_hba options only, and remove their GUCs.

In passing, noted that the pg_hba options for krb5 authentication weren't
listed at all - so add this.
Magnus Hagander
2009-01-09 10:13:19 +00:00
parent 32e1265dd9
commit 1b4e729eaa
5 changed files with 72 additions and 112 deletions


@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.117 2009/01/07 13:09:21 mha Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.118 2009/01/09 10:13:18 mha Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@ -801,18 +801,8 @@ omicron bryanh guest1
<term>krb_realm</term>
<listitem>
<para>
Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
to verify the authenticated user principal against.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb_server_hostname</term>
<listitem>
<para>
Overrides the <xref linkend="guc-krb-server-hostname"> parameter, setting which
hostname will be used for the server principal when using Kerberos.
Sets the realm to match user principal names against. If this parameter
is not set, the realm of the user will be ignored.
</para>
</listitem>
</varlistentry>
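Review bot: the krb_server_hostname entry disappears from this option list, and the commit message does not say why. The message says krb_realm and krb_server_hostname both become pg_hba options, so a reader would expect this entry to be reworded like the krb_realm entry above it, not dropped. If the option only applies to the Kerberos method, where a later hunk adds it, say so in the commit message so the removal reads as intentional.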
@ -874,8 +864,8 @@ omicron bryanh guest1
<term>krb_realm</term>
<listitem>
<para>
Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
to verify the authenticated user principal against.
Sets the realm to match user principal names against. If this parameter
is not set, the realm of the user will be ignored.
</para>
</listitem>
</varlistentry>
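Review bot: "If this parameter is not set, the realm of the user will be ignored" in the new krb_realm text understates what an unset option means for access control. A later paragraph in this file says the realm is not checked by default and that this matters when cross-realm authentication is enabled, so the entry should say directly that a principal from any realm is accepted for a matching user name, and that krb_realm should be set when more than one realm can reach the server. The same sentence appears in three option lists in this patch, so reword all of them together.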
@ -953,7 +943,7 @@ omicron bryanh guest1
<literal>pgusername@realm</>. By default, the realm of the client is
not checked by <productname>PostgreSQL</>. If you have cross-realm
authentication enabled and need to verify the realm, use the
<xref linkend="guc-krb-realm"> parameter.
krb_realm parameter in <filename>pg_hba.conf</>.
</para>
<para>
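Review bot: the replacement line "krb_realm parameter in <filename>pg_hba.conf</>" leaves krb_realm as bare text, where the line it replaces carried an xref. Mark it up, for example as <literal>krb_realm</>, and call it an option rather than a parameter, since the list added later in this file is introduced as "configuration options" and the GUC no longer exists.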
@ -996,6 +986,55 @@ omicron bryanh guest1
database access over the web, no extra passwords required.
</para>
<para>
The following configuration options are supported for <productname>Kerberos</productname>:
<variablelist>
<varlistentry>
<term>map</term>
<listitem>
<para>
Allows for mapping between system and database usernames. See
<xref linkend="auth-username-maps"> for details.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>include_realm</term>
<listitem>
<para>
Include the realm name from the authenticated user principal. This is useful
in combination with Username maps (See <xref linkend="auth-username-maps">
for details), especially with regular expressions, to map users from
multiple realms.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb_realm</term>
<listitem>
<para>
Sets the realm to match user principal names against. If this parameter
is not set, the realm of the user will be ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb_server_hostname</term>
<listitem>
<para>
Sets the host name part of the service principal.
This, combined with <varname>krb_srvname</>, is used to generate
the complete service principal, that is
<varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
If not set, the default is the server host name.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</sect2>
<sect2 id="auth-ident">
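Review bot: the new krb_server_hostname entry builds the service principal from <varname>krb_srvname</>, but nothing here says where krb_srvname is set. The GUC text this was copied from ended with "This parameter can only be set in the postgresql.conf file or on the server command line", and that sentence is gone; since this commit moves only krb_realm and krb_server_hostname, the entry now combines a pg_hba.conf option with a parameter set elsewhere without telling the reader which is which. Add an xref to the krb_srvname entry. Smaller points: the <term> names are unmarked while the body uses <varname>, and "(See" should be lowercase mid-sentence.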


@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.203 2009/01/07 22:40:48 tgl Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.204 2009/01/09 10:13:18 mha Exp $ -->
<chapter Id="runtime-config">
<title>Server Configuration</title>
@ -612,22 +612,6 @@ SET ENABLE_SEQSCAN TO OFF;
</listitem>
</varlistentry>
<varlistentry id="guc-krb-realm" xreflabel="krb_realm">
<term><varname>krb_realm</varname> (<type>string</type>)</term>
<indexterm>
<primary><varname>krb_realm</> configuration parameter</primary>
</indexterm>
<listitem>
<para>
Sets the realm to match Kerberos, GSSAPI and SSPI user names against.
See <xref linkend="kerberos-auth">, <xref linkend="gssapi-auth"> or
<xref linkend="sspi-auth"> for details. This parameter can only be
set in the <filename>postgresql.conf</> file or on the server
command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
<term><varname>krb_server_keyfile</varname> (<type>string</type>)</term>
<indexterm>
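Review bot: removing this varlistentry drops id="guc-krb-realm", so any remaining <xref linkend="guc-krb-realm"> will break the documentation build. The client-auth.sgml hunks replace three such references; check the rest of the doc tree, release notes included, for others, and do the same for guc-krb-server-hostname, which the next hunk removes.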
@ -657,24 +641,6 @@ SET ENABLE_SEQSCAN TO OFF;
</listitem>
</varlistentry>
<varlistentry id="guc-krb-server-hostname" xreflabel="krb_server_hostname">
<term><varname>krb_server_hostname</varname> (<type>string</type>)</term>
<indexterm>
<primary><varname>krb_server_hostname</> configuration parameter</primary>
</indexterm>
<listitem>
<para>
Sets the host name part of the service principal.
This, combined with <varname>krb_srvname</>, is used to generate
the complete service principal, that is
<varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
If not set, the default is the server host name. See <xref linkend="kerberos-auth">
for details. This parameter can only be set in the <filename>postgresql.conf</>
file or on the server command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
<term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
<indexterm>
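Review bot: nothing in the visible documentation changes tells an administrator who has krb_realm or krb_server_hostname in postgresql.conf what to do after this removal. The removed text says these could only be set there, and the new krb_realm text says an unset option means the realm is ignored, so a site that deletes the old line without adding the krb_realm option to its pg_hba.conf entries silently loses the realm check. A sentence in the release notes or in the Kerberos section pointing from the old parameter names to the pg_hba.conf options would cover this.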