mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00

Add parameter krb_realm used by GSSAPI, SSPI and Kerberos

to validate the realm of the connecting user. By default
it's empty meaning no verification, which is the way
Kerberos authentication has traditionally worked in
PostgreSQL.
Magnus Hagander
2007-11-09 17:31:07 +00:00
parent a7cd5a4aa0
commit 4b606ee444
6 changed files with 120 additions and 39 deletions


@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.101 2007/09/14 03:53:54 momjian Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.102 2007/11/09 17:31:07 mha Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@ -773,10 +773,10 @@ local db1,db2,@demodbs all md5
<para>
Client principals must have their <productname>PostgreSQL</> database user
name as their first component, for example
<literal>pgusername/otherstuff@realm</>. At present the realm of
the client is not checked by <productname>PostgreSQL</>; so if you
have cross-realm authentication enabled, then any principal in any
realm that can communicate with yours will be accepted.
<literal>pgusername@realm</>. By default, the realm of the client is
not checked by <productname>PostgreSQL</>. If you have cross-realm
authentication enabled and need to verify the realm, use the
<xref linkend="guc-krb-realm"> parameter.
</para>
<para>
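Review bot: The rewritten realm paragraph drops the concrete consequence of the unchecked default. The old text said that with cross-realm authentication enabled "any principal in any realm that can communicate with yours will be accepted"; the new text only says "By default, the realm of the client is not checked", which is easy to read past. Since the default stays unchecked, keep that consequence as a sentence before pointing to krb_realm. Separately, the example changes from `pgusername/otherstuff@realm` to `pgusername@realm` while the sentence still says the user name must be the "first component"; either say whether principals with further components are still accepted or reword the sentence to match the new example.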


@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.153 2007/11/05 17:35:38 momjian Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.154 2007/11/09 17:31:07 mha Exp $ -->
<chapter Id="runtime-config">
<title>Server Configuration</title>
@ -601,6 +601,21 @@ SET ENABLE_SEQSCAN TO OFF;
</listitem>
</varlistentry>
<varlistentry id="guc-krb-realm" xreflabel="krb_realm">
<term><varname>krb_realm</varname> (<type>string</type>)</term>
<indexterm>
<primary><varname>krb_realm</> configuration parameter</primary>
</indexterm>
<listitem>
<para>
Sets the realm to match Kerberos, GSSAPI and SSPI usernames against.
See <xref linkend="kerberos-auth">, <xref linkend="gssapi-auth"> or
<xref linkend="sspi-auth"> for details. This parameter can only be
set at server start.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
<term><varname>krb_server_keyfile</varname> (<type>string</type>)</term>
<indexterm>
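Review bot: The new krb_realm entry does not state its default or what an unset value means. The commit message says the default is empty, meaning no verification, but the `<para>` here only says it "Sets the realm to match Kerberos, GSSAPI and SSPI usernames against". Add a sentence that the default is empty and that an empty value disables realm checking, and describe what happens to a connection whose realm does not match, so that an administrator reading only config.sgml can see that realm verification is opt-in.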