mirror of https://github.com/postgres/postgres.git synced 2025-06-13 07:41:39 +03:00

Add support for RADIUS authentication.

This commit is contained in:
Magnus Hagander
2010-01-27 12:12:00 +00:00
parent 000416ac32
commit b3daac5a9c
7 changed files with 532 additions and 11 deletions

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.127 2010/01/26 06:45:31 petere Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.128 2010/01/27 12:11:59 mha Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@ -394,6 +394,16 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>radius</></term>
<listitem>
<para>
Authenticate using a RADIUS server. See <xref
linkend="auth-radius"> for detauls.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>cert</></term>
<listitem>
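Review bot: typo in the new radius varlistentry, "for detauls" should read "for details".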
@ -1331,6 +1341,95 @@ ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=example, dc=net"
</sect2>
<sect2 id="auth-radius">
<title>RADIUS authentication</title>
<indexterm zone="auth-radius">
<primary>RADIUS</primary>
</indexterm>
<para>
This authentication method operates similarly to
<literal>password</literal> except that it uses RADIUS
as the password verification method. RADIUS is used only to validate
the user name/password pairs. Therefore the user must already
exist in the database before RADIUS can be used for
authentication.
</para>
<para>
When using RADIUS authentication, an Access Request message will be sent
to the configured RADIUS server. This request will be of type
<literal>Authenticate Only</literal>, and include parameters for
<literal>user name</>, <literal>password</> (encrypted) and
<literal>NAS Identifier</>. The request will be encrypted using
a secret shared with the server. The RADIUS server will respond to
this server with either <literal>Access Accept</> or
<literal>Access Reject</>. There is no support for RADIUS accounting.
</para>
<para>
The following configuration options are supported for RADIUS:
<variablelist>
<varlistentry>
<term><literal>radiusserver</literal></term>
<listitem>
<para>
The IP address of the RADIUS server to connect to. This must
be an IPV4 address and not a hostname. This parameter is required.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>radiussecret</literal></term>
<listitem>
<para>
The shared secret used when talking securely to the RADIUS
server. This must have exactly the same value on the PostgreSQL
and RADIUS servers. It is recommended that this is a string of
at least 16 characters. This parameter is required.
<note>
<para>
The encryption vector used will only be cryptographically
strong if <productname>PostgreSQL</> is built with support for
<productname>OpenSSL</>. In other cases, the transmission to the
RADIUS server should only be considered obfuscated, not secured, and
external security measures should be applied if necessary.
</para>
</note>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>radiusport</literal></term>
<listitem>
<para>
The port number on the RADIUS server to connect to. If no port
is specified, the default port <literal>1812</> will be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>radiusidentifier</literal></term>
<listitem>
<para>
The string used as <literal>NAS Identifier</> in the RADIUS
requests. This parameter can be used as a second parameter
identifying for example which database the user is attempting
to authenticate as, which can be used for policy matching on
the RADIUS server. If no identifier is specified, the default
<literal>postgresql</> will be used.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</sect2>
<sect2 id="auth-cert">
<title>Certificate authentication</title>
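Review bot: the Access Request paragraph says "The request will be encrypted using a secret shared with the server", but the same paragraph marks only the password as "(encrypted)" and the note under radiussecret says the transmission "should only be considered obfuscated, not secured"; suggest rewording to state that only the password attribute is encrypted with the shared secret and that the user name and NAS Identifier are sent in the clear, so readers do not assume the whole request is protected. Smaller points: "IPV4" should be "IPv4", and "This parameter can be used as a second parameter identifying for example which database the user is attempting to authenticate as" reads awkwardly; consider "This parameter can be used, for example, to identify which database the user is attempting to authenticate against, which can be used for policy matching on the RADIUS server."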