mirror of
				https://github.com/postgres/postgres.git
				synced 2025-10-25 13:17:41 +03:00 
			
		
		
		
	The grammar was a little shaky and confusing here, so word-smith it a bit. Also, adjust the comments in pg_ident.conf.sample to use the same terminology as the SGML docs, in particular "DATABASE-USERNAME" not "PG-USERNAME". Back-patch appropriate subsets. I did not risk changing pg_ident.conf.sample in released branches, but it still seems OK to change it in v18. Reported-by: Alexey Shishkin <alexey.shishkin@enterprisedb.com> Author: Tom Lane <tgl@sss.pgh.pa.us> Reviewed-by: David G. Johnston <david.g.johnston@gmail.com> Discussion: https://postgr.es/m/175206279327.3157504.12519088928605422253@wrigleys.postgresql.org Backpatch-through: 13
		
			
				
	
	
		
			2641 lines
		
	
	
		
			108 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			2641 lines
		
	
	
		
			108 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| <!-- doc/src/sgml/client-auth.sgml -->
 | |
| 
 | |
| <chapter id="client-authentication">
 | |
|  <title>Client Authentication</title>
 | |
| 
 | |
|  <indexterm zone="client-authentication">
 | |
|   <primary>client authentication</primary>
 | |
|  </indexterm>
 | |
| 
 | |
|  <para>
 | |
|   When a client application connects to the database server, it
 | |
|   specifies which <productname>PostgreSQL</productname> database user name it
 | |
|   wants to connect as, much the same way one logs into a Unix computer
 | |
|   as a particular user. Within the SQL environment the active database
 | |
|   user name determines access privileges to database objects — see
 | |
|   <xref linkend="user-manag"/> for more information. Therefore, it is
 | |
|   essential to restrict which database users can connect.
 | |
|  </para>
 | |
| 
 | |
|  <note>
 | |
|   <para>
 | |
|    As explained in <xref linkend="user-manag"/>,
 | |
|    <productname>PostgreSQL</productname> actually does privilege
 | |
|    management in terms of <quote>roles</quote>.  In this chapter, we
 | |
|    consistently use <firstterm>database user</firstterm> to mean <quote>role with the
 | |
|    <literal>LOGIN</literal> privilege</quote>.
 | |
|   </para>
 | |
|  </note>
 | |
| 
 | |
|  <para>
 | |
|   <firstterm>Authentication</firstterm> is the process by which the
 | |
|   database server establishes the identity of the client, and by
 | |
|   extension determines whether the client application (or the user
 | |
|   who runs the client application) is permitted to connect with the
 | |
|   database user name that was requested.
 | |
|  </para>
 | |
| 
 | |
|  <para>
 | |
|   <productname>PostgreSQL</productname> offers a number of different
 | |
|   client authentication methods. The method used to authenticate a
 | |
|   particular client connection can be selected on the basis of
 | |
|   (client) host address, database, and user.
 | |
|  </para>
 | |
| 
 | |
|  <para>
 | |
|   <productname>PostgreSQL</productname> database user names are logically
 | |
|   separate from user names of the operating system in which the server
 | |
|   runs. If all the users of a particular server also have accounts on
 | |
|   the server's machine, it makes sense to assign database user names
 | |
|   that match their operating system user names. However, a server that
 | |
|   accepts remote connections might have many database users who have no local
 | |
|   operating system
 | |
|   account, and in such cases there need be no connection between
 | |
|   database user names and OS user names.
 | |
|  </para>
 | |
| 
 | |
|  <sect1 id="auth-pg-hba-conf">
 | |
|   <title>The <filename>pg_hba.conf</filename> File</title>
 | |
| 
 | |
|   <indexterm zone="auth-pg-hba-conf">
 | |
|    <primary>pg_hba.conf</primary>
 | |
|   </indexterm>
 | |
| 
 | |
|   <para>
 | |
|    Client authentication is controlled by a configuration file,
 | |
|    which traditionally is named
 | |
|    <filename>pg_hba.conf</filename> and is stored in the database
 | |
|    cluster's data directory.
 | |
|    (<acronym>HBA</acronym> stands for host-based authentication.) A default
 | |
|    <filename>pg_hba.conf</filename> file is installed when the data
 | |
|    directory is initialized by <xref linkend="app-initdb"/>.  It is
 | |
|    possible to place the authentication configuration file elsewhere,
 | |
|    however; see the <xref linkend="guc-hba-file"/> configuration parameter.
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    The <filename>pg_hba.conf</filename> file is read on start-up and when
 | |
|    the main server process receives a
 | |
|    <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
 | |
|    signal. If you edit the file on an
 | |
|    active system, you will need to signal the postmaster
 | |
|    (using <literal>pg_ctl reload</literal>, calling the SQL function
 | |
|    <function>pg_reload_conf()</function>, or using <literal>kill
 | |
|    -HUP</literal>) to make it re-read the file.
 | |
|   </para>
 | |
| 
 | |
|   <note>
 | |
|    <para>
 | |
|     The preceding statement is not true on Microsoft Windows: there, any
 | |
|     changes in the <filename>pg_hba.conf</filename> file are immediately
 | |
|     applied by subsequent new connections.
 | |
|    </para>
 | |
|   </note>
 | |
| 
 | |
|   <para>
 | |
|    The system view
 | |
|    <link linkend="view-pg-hba-file-rules"><structname>pg_hba_file_rules</structname></link>
 | |
|    can be helpful for pre-testing changes to the <filename>pg_hba.conf</filename>
 | |
|    file, or for diagnosing problems if loading of the file did not have the
 | |
|    desired effects.  Rows in the view with
 | |
|    non-null <structfield>error</structfield> fields indicate problems in the
 | |
|    corresponding lines of the file.
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    The general format of the <filename>pg_hba.conf</filename> file is
 | |
|    a set of records, one per line. Blank lines are ignored, as is any
 | |
|    text after the <literal>#</literal> comment character.
 | |
|    A record can be continued onto the next line by ending the line with
 | |
|    a backslash. (Backslashes are not special except at the end of a line.)
 | |
|    A record is made
 | |
|    up of a number of fields which are separated by spaces and/or tabs.
 | |
|    Fields can contain white space if the field value is double-quoted.
 | |
|    Quoting one of the keywords in a database, user, or address field (e.g.,
 | |
|    <literal>all</literal> or <literal>replication</literal>) makes the word lose its special
 | |
|    meaning, and just match a database, user, or host with that name.
 | |
|    Backslash line continuation applies even within quoted text or comments.
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    Each authentication record specifies a connection type, a client IP address
 | |
|    range (if relevant for the connection type), a database name, a user name,
 | |
|    and the authentication method to be used for connections matching
 | |
|    these parameters. The first record with a matching connection type,
 | |
|    client address, requested database, and user name is used to perform
 | |
|    authentication. There is no <quote>fall-through</quote> or
 | |
|    <quote>backup</quote>: if one record is chosen and the authentication
 | |
|    fails, subsequent records are not considered. If no record matches,
 | |
|    access is denied.
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    Each record can be an include directive or an authentication record.
 | |
|    Include directives specify files that can be included, that contain
 | |
|    additional records. The records will be inserted in place of the
 | |
|    include directives. Include directives only contain two fields:
 | |
|    <literal>include</literal>, <literal>include_if_exists</literal> or
 | |
|    <literal>include_dir</literal> directive and the file or directory to be
 | |
|    included. The file or directory can be a relative or absolute path, and can
 | |
|    be double-quoted.  For the <literal>include_dir</literal> form, all files
 | |
|    not starting with a <literal>.</literal> and ending with
 | |
|    <literal>.conf</literal> will be included. Multiple files within an include
 | |
|    directory are processed in file name order (according to C locale rules,
 | |
|    i.e., numbers before letters, and uppercase letters before lowercase ones).
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    A record can have several formats:
 | |
| <synopsis>
 | |
| local               <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
 | |
| host                <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>address</replaceable>     <replaceable>auth-method</replaceable>  <optional><replaceable>auth-options</replaceable></optional>
 | |
| hostssl             <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>address</replaceable>     <replaceable>auth-method</replaceable>  <optional><replaceable>auth-options</replaceable></optional>
 | |
| hostnossl           <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>address</replaceable>     <replaceable>auth-method</replaceable>  <optional><replaceable>auth-options</replaceable></optional>
 | |
| hostgssenc          <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>address</replaceable>     <replaceable>auth-method</replaceable>  <optional><replaceable>auth-options</replaceable></optional>
 | |
| hostnogssenc        <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>address</replaceable>     <replaceable>auth-method</replaceable>  <optional><replaceable>auth-options</replaceable></optional>
 | |
| host                <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>      <replaceable>auth-method</replaceable>  <optional><replaceable>auth-options</replaceable></optional>
 | |
| hostssl             <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>      <replaceable>auth-method</replaceable>  <optional><replaceable>auth-options</replaceable></optional>
 | |
| hostnossl           <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>      <replaceable>auth-method</replaceable>  <optional><replaceable>auth-options</replaceable></optional>
 | |
| hostgssenc          <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>      <replaceable>auth-method</replaceable>  <optional><replaceable>auth-options</replaceable></optional>
 | |
| hostnogssenc        <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>  <replaceable>IP-mask</replaceable>      <replaceable>auth-method</replaceable>  <optional><replaceable>auth-options</replaceable></optional>
 | |
| include             <replaceable>file</replaceable>
 | |
| include_if_exists   <replaceable>file</replaceable>
 | |
| include_dir         <replaceable>directory</replaceable>
 | |
| </synopsis>
 | |
|    The meaning of the fields is as follows:
 | |
| 
 | |
|    <variablelist>
 | |
|     <varlistentry>
 | |
|      <term><literal>local</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        This record matches connection attempts using Unix-domain
 | |
|        sockets.  Without a record of this type, Unix-domain socket
 | |
|        connections are disallowed.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><literal>host</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        This record matches connection attempts made using TCP/IP.
 | |
|        <literal>host</literal> records match
 | |
|        <acronym>SSL</acronym> or non-<acronym>SSL</acronym> connection
 | |
|        attempts as well as <acronym>GSSAPI</acronym> encrypted or
 | |
|        non-<acronym>GSSAPI</acronym> encrypted connection attempts.
 | |
|       </para>
 | |
|      <note>
 | |
|       <para>
 | |
|        Remote TCP/IP connections will not be possible unless
 | |
|        the server is started with an appropriate value for the
 | |
|        <xref linkend="guc-listen-addresses"/> configuration parameter,
 | |
|        since the default behavior is to listen for TCP/IP connections
 | |
|        only on the local loopback address <literal>localhost</literal>.
 | |
|       </para>
 | |
|      </note>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><literal>hostssl</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        This record matches connection attempts made using TCP/IP,
 | |
|        but only when the connection is made with <acronym>SSL</acronym>
 | |
|        encryption.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        To make use of this option the server must be built with
 | |
|        <acronym>SSL</acronym> support. Furthermore,
 | |
|        <acronym>SSL</acronym> must be enabled
 | |
|        by setting the <xref linkend="guc-ssl"/> configuration parameter (see
 | |
|        <xref linkend="ssl-tcp"/> for more information).
 | |
|        Otherwise, the <literal>hostssl</literal> record is ignored except for
 | |
|        logging a warning that it cannot match any connections.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><literal>hostnossl</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        This record type has the opposite behavior of <literal>hostssl</literal>;
 | |
|        it only matches connection attempts made over
 | |
|        TCP/IP that do not use <acronym>SSL</acronym>.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><literal>hostgssenc</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        This record matches connection attempts made using TCP/IP,
 | |
|        but only when the connection is made with <acronym>GSSAPI</acronym>
 | |
|        encryption.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        To make use of this option the server must be built with
 | |
|        <acronym>GSSAPI</acronym> support.  Otherwise,
 | |
|        the <literal>hostgssenc</literal> record is ignored except for logging
 | |
|        a warning that it cannot match any connections.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><literal>hostnogssenc</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        This record type has the opposite behavior of <literal>hostgssenc</literal>;
 | |
|        it only matches connection attempts made over
 | |
|        TCP/IP that do not use <acronym>GSSAPI</acronym> encryption.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><replaceable>database</replaceable></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        Specifies which database name(s) this record matches.  The value
 | |
|        <literal>all</literal> specifies that it matches all databases.
 | |
|        The value <literal>sameuser</literal> specifies that the record
 | |
|        matches if the requested database has the same name as the
 | |
|        requested user.  The value <literal>samerole</literal> specifies that
 | |
|        the requested user must be a member of the role with the same
 | |
|        name as the requested database.  (<literal>samegroup</literal> is an
 | |
|        obsolete but still accepted spelling of <literal>samerole</literal>.)
 | |
|        Superusers are not considered to be members of a role for the
 | |
|        purposes of <literal>samerole</literal> unless they are explicitly
 | |
|        members of the role, directly or indirectly, and not just by
 | |
|        virtue of being a superuser.
 | |
|        The value <literal>replication</literal> specifies that the record
 | |
|        matches if a physical replication connection is requested, however, it
 | |
|        doesn't match with logical replication connections. Note that physical
 | |
|        replication connections do not specify any particular database whereas
 | |
|        logical replication connections do specify it.
 | |
|        Otherwise, this is the name of a specific
 | |
|        <productname>PostgreSQL</productname> database or a regular expression.
 | |
|        Multiple database names and/or regular expressions can be supplied by
 | |
|        separating them with commas.
 | |
|       </para>
 | |
|       <para>
 | |
|        If the database name starts with a slash (<literal>/</literal>), the
 | |
|        remainder of the name is treated as a regular expression.
 | |
|        (See <xref linkend="posix-syntax-details"/> for details of
 | |
|        <productname>PostgreSQL</productname>'s regular expression syntax.)
 | |
|       </para>
 | |
|       <para>
 | |
|        A separate file containing database names and/or regular expressions
 | |
|        can be specified by preceding the file name with <literal>@</literal>.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><replaceable>user</replaceable></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        Specifies which database user name(s) this record
 | |
|        matches. The value <literal>all</literal> specifies that it
 | |
|        matches all users.  Otherwise, this is either the name of a specific
 | |
|        database user, a regular expression (when starting with a slash
 | |
|        (<literal>/</literal>), or a group name preceded by <literal>+</literal>.
 | |
|        (Recall that there is no real distinction between users and groups
 | |
|        in <productname>PostgreSQL</productname>; a <literal>+</literal> mark really means
 | |
|        <quote>match any of the roles that are directly or indirectly members
 | |
|        of this role</quote>, while a name without a <literal>+</literal> mark matches
 | |
|        only that specific role.) For this purpose, a superuser is only
 | |
|        considered to be a member of a role if they are explicitly a member
 | |
|        of the role, directly or indirectly, and not just by virtue of
 | |
|        being a superuser.
 | |
|        Multiple user names and/or regular expressions can be supplied by
 | |
|        separating them with commas.
 | |
|       </para>
 | |
|       <para>
 | |
|        If the user name starts with a slash (<literal>/</literal>), the
 | |
|        remainder of the name is treated as a regular expression.
 | |
|        (See <xref linkend="posix-syntax-details"/> for details of
 | |
|        <productname>PostgreSQL</productname>'s regular expression syntax.)
 | |
|       </para>
 | |
|       <para>
 | |
|        A separate file containing user names and/or regular expressions can
 | |
|        be specified by preceding the file name with <literal>@</literal>.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><replaceable>address</replaceable></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        Specifies the client machine address(es) that this record
 | |
|        matches.  This field can contain either a host name, an IP
 | |
|        address range, or one of the special key words mentioned below.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        An IP address range is specified using standard numeric notation
 | |
|        for the range's starting address, then a slash (<literal>/</literal>)
 | |
|        and a <acronym>CIDR</acronym> mask length.  The mask
 | |
|        length indicates the number of high-order bits of the client
 | |
|        IP address that must match.  Bits to the right of this should
 | |
|        be zero in the given IP address.
 | |
|        There must not be any white space between the IP address, the
 | |
|        <literal>/</literal>, and the CIDR mask length.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        Typical examples of an IPv4 address range specified this way are
 | |
|        <literal>172.20.143.89/32</literal> for a single host, or
 | |
|        <literal>172.20.143.0/24</literal> for a small network, or
 | |
|        <literal>10.6.0.0/16</literal> for a larger one.
 | |
|        An IPv6 address range might look like <literal>::1/128</literal>
 | |
|        for a single host (in this case the IPv6 loopback address) or
 | |
|        <literal>fe80::7a31:c1ff:0000:0000/96</literal> for a small
 | |
|        network.
 | |
|        <literal>0.0.0.0/0</literal> represents all
 | |
|        IPv4 addresses, and <literal>::0/0</literal> represents
 | |
|        all IPv6 addresses.
 | |
|        To specify a single host, use a mask length of 32 for IPv4 or
 | |
|        128 for IPv6.  In a network address, do not omit trailing zeroes.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        An entry given in IPv4 format will match only IPv4 connections,
 | |
|        and an entry given in IPv6 format will match only IPv6 connections,
 | |
|        even if the represented address is in the IPv4-in-IPv6 range.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        You can also write <literal>all</literal> to match any IP address,
 | |
|        <literal>samehost</literal> to match any of the server's own IP
 | |
|        addresses, or <literal>samenet</literal> to match any address in any
 | |
|        subnet that the server is directly connected to.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        If a host name is specified (anything that is not an IP address
 | |
|        range or a special key word is treated as a host name),
 | |
|        that name is compared with the result of a reverse name
 | |
|        resolution of the client's IP address (e.g., reverse DNS
 | |
|        lookup, if DNS is used).  Host name comparisons are case
 | |
|        insensitive.  If there is a match, then a forward name
 | |
|        resolution (e.g., forward DNS lookup) is performed on the host
 | |
|        name to check whether any of the addresses it resolves to are
 | |
|        equal to the client's IP address.  If both directions match,
 | |
|        then the entry is considered to match.  (The host name that is
 | |
|        used in <filename>pg_hba.conf</filename> should be the one that
 | |
|        address-to-name resolution of the client's IP address returns,
 | |
|        otherwise the line won't be matched.  Some host name databases
 | |
|        allow associating an IP address with multiple host names, but
 | |
|        the operating system will only return one host name when asked
 | |
|        to resolve an IP address.)
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        A host name specification that starts with a dot
 | |
|        (<literal>.</literal>) matches a suffix of the actual host
 | |
|        name.  So <literal>.example.com</literal> would match
 | |
|        <literal>foo.example.com</literal> (but not just
 | |
|        <literal>example.com</literal>).
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        When host names are specified
 | |
|        in <filename>pg_hba.conf</filename>, you should make sure that
 | |
|        name resolution is reasonably fast.  It can be of advantage to
 | |
|        set up a local name resolution cache such
 | |
|        as <command>nscd</command>.  Also, you may wish to enable the
 | |
|        configuration parameter <varname>log_hostname</varname> to see
 | |
|        the client's host name instead of the IP address in the log.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        These fields do not apply to <literal>local</literal> records.
 | |
|       </para>
 | |
| 
 | |
|       <note>
 | |
|        <para>
 | |
|         Users sometimes wonder why host names are handled
 | |
|         in this seemingly complicated way, with two name resolutions
 | |
|         including a reverse lookup of the client's IP address.  This
 | |
|         complicates use of the feature in case the client's reverse DNS
 | |
|         entry is not set up or yields some undesirable host name.
 | |
|         It is done primarily for efficiency: this way, a connection attempt
 | |
|         requires at most two resolver lookups, one reverse and one forward.
 | |
|         If there is a resolver problem with some address, it becomes only
 | |
|         that client's problem.  A hypothetical alternative
 | |
|         implementation that only did forward lookups would have to
 | |
|         resolve every host name mentioned in
 | |
|         <filename>pg_hba.conf</filename> during every connection attempt.
 | |
|         That could be quite slow if many names are listed.
 | |
|         And if there is a resolver problem with one of the host names,
 | |
|         it becomes everyone's problem.
 | |
|        </para>
 | |
| 
 | |
|        <para>
 | |
|         Also, a reverse lookup is necessary to implement the suffix
 | |
|         matching feature, because the actual client host name needs to
 | |
|         be known in order to match it against the pattern.
 | |
|        </para>
 | |
| 
 | |
|        <para>
 | |
|         Note that this behavior is consistent with other popular
 | |
|         implementations of host name-based access control, such as the
 | |
|         Apache HTTP Server and TCP Wrappers.
 | |
|        </para>
 | |
|       </note>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><replaceable>IP-address</replaceable></term>
 | |
|      <term><replaceable>IP-mask</replaceable></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        These two fields can be used as an alternative to the
 | |
|        <replaceable>IP-address</replaceable><literal>/</literal><replaceable>mask-length</replaceable>
 | |
|        notation.  Instead of
 | |
|        specifying the mask length, the actual mask is specified in a
 | |
|        separate column. For example, <literal>255.0.0.0</literal> represents an IPv4
 | |
|        CIDR mask length of 8, and <literal>255.255.255.255</literal> represents a
 | |
|        CIDR mask length of 32.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        These fields do not apply to <literal>local</literal> records.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><replaceable>auth-method</replaceable></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        Specifies the authentication method to use when a connection matches
 | |
|        this record. The possible choices are summarized here; details
 | |
|        are in <xref linkend="auth-methods"/>.  All the options
 | |
|        are lower case and treated case sensitively, so even acronyms like
 | |
|        <literal>ldap</literal> must be specified as lower case.
 | |
| 
 | |
|        <variablelist>
 | |
|         <varlistentry>
 | |
|          <term><literal>trust</literal></term>
 | |
|          <listitem>
 | |
|          <para>
 | |
|           Allow the connection unconditionally. This method
 | |
|           allows anyone that can connect to the
 | |
|           <productname>PostgreSQL</productname> database server to login as
 | |
|           any <productname>PostgreSQL</productname> user they wish,
 | |
|           without the need for a password or any other authentication.  See <xref
 | |
|           linkend="auth-trust"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>reject</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Reject the connection unconditionally. This is useful for
 | |
|           <quote>filtering out</quote> certain hosts from a group, for example a
 | |
|           <literal>reject</literal> line could block a specific host from connecting,
 | |
|           while a later line allows the remaining hosts in a specific
 | |
|           network to connect.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>scram-sha-256</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Perform SCRAM-SHA-256 authentication to verify the user's
 | |
|           password. See <xref linkend="auth-password"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>md5</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Perform SCRAM-SHA-256 or MD5 authentication to verify the
 | |
|           user's password. See <xref linkend="auth-password"/>
 | |
|           for details.
 | |
|          </para>
 | |
|          <warning>
 | |
|           <para>
 | |
|            Support for MD5-encrypted passwords is deprecated and will be
 | |
|            removed in a future release of
 | |
|            <productname>PostgreSQL</productname>.  Refer to
 | |
|            <xref linkend="auth-password"/> for details about migrating to
 | |
|            another password type.
 | |
|           </para>
 | |
|          </warning>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>password</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Require the client to supply an unencrypted password for
 | |
|           authentication.
 | |
|           Since the password is sent in clear text over the
 | |
|           network, this should not be used on untrusted networks.
 | |
|           See <xref linkend="auth-password"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>gss</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Use GSSAPI to authenticate the user. This is only
 | |
|           available for TCP/IP connections. See <xref
 | |
|           linkend="gssapi-auth"/> for details.  It can be used in conjunction
 | |
|           with GSSAPI encryption.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>sspi</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Use SSPI to authenticate the user. This is only
 | |
|           available on Windows. See <xref
 | |
|           linkend="sspi-auth"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>ident</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Obtain the operating system user name of the client
 | |
|           by contacting the ident server on the client
 | |
|           and check if it matches the requested database user name.
 | |
|           Ident authentication can only be used on TCP/IP
 | |
|           connections. When specified for local connections, peer
 | |
|           authentication will be used instead.
 | |
|           See <xref linkend="auth-ident"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>peer</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Obtain the client's operating system user name from the operating
 | |
|           system and check if it matches the requested database user name.
 | |
|           This is only available for local connections.
 | |
|           See <xref linkend="auth-peer"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>ldap</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Authenticate using an <acronym>LDAP</acronym> server. See <xref
 | |
|           linkend="auth-ldap"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>radius</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Authenticate using a RADIUS server. See <xref
 | |
|           linkend="auth-radius"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>cert</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Authenticate using SSL client certificates. See
 | |
|           <xref linkend="auth-cert"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>pam</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Authenticate using the Pluggable Authentication Modules
 | |
|           (PAM) service provided by the operating system.  See <xref
 | |
|           linkend="auth-pam"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>bsd</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Authenticate using the BSD Authentication service provided by the
 | |
|           operating system. See <xref linkend="auth-bsd"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
| 
 | |
|        <varlistentry>
 | |
|         <term><literal>oauth</literal></term>
 | |
|         <listitem>
 | |
|          <para>
 | |
|           Authorize and optionally authenticate using a third-party OAuth 2.0
 | |
|           identity provider. See <xref linkend="auth-oauth"/> for details.
 | |
|          </para>
 | |
|         </listitem>
 | |
|        </varlistentry>
 | |
|       </variablelist>
 | |
| 
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><replaceable>auth-options</replaceable></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        After the <replaceable>auth-method</replaceable> field, there can be field(s) of
 | |
|        the form <replaceable>name</replaceable><literal>=</literal><replaceable>value</replaceable> that
 | |
|        specify options for the authentication method. Details about which
 | |
|        options are available for which authentication methods appear below.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        In addition to the method-specific options listed below, there is a
 | |
|        method-independent authentication option <literal>clientcert</literal>, which
 | |
|        can be specified in any <literal>hostssl</literal> record.
 | |
|        This option can be set to <literal>verify-ca</literal> or
 | |
|        <literal>verify-full</literal>. Both options require the client
 | |
|        to present a valid (trusted) SSL certificate, while
 | |
|        <literal>verify-full</literal> additionally enforces that the
 | |
|        <literal>cn</literal> (Common Name) in the certificate matches
 | |
|        the username or an applicable mapping.
 | |
|        This behavior is similar to the <literal>cert</literal> authentication
 | |
|        method (see <xref linkend="auth-cert"/>) but enables pairing
 | |
|        the verification of client certificates with any authentication
 | |
|        method that supports <literal>hostssl</literal> entries.
 | |
|       </para>
 | |
|       <para>
 | |
|        On any record using client certificate authentication (i.e. one
 | |
|        using the <literal>cert</literal> authentication method or one
 | |
|        using the <literal>clientcert</literal> option), you can specify
 | |
|        which part of the client certificate credentials to match using
 | |
|        the <literal>clientname</literal> option. This option can have one
 | |
|        of two values. If you specify <literal>clientname=CN</literal>, which
 | |
|        is the default, the username is matched against the certificate's
 | |
|        <literal>Common Name (CN)</literal>. If instead you specify
 | |
|        <literal>clientname=DN</literal> the username is matched against the
 | |
|        entire <literal>Distinguished Name (DN)</literal> of the certificate.
 | |
|        This option is probably best used in conjunction with a username map.
 | |
|        The comparison is done with the <literal>DN</literal> in
 | |
|        <ulink url="https://datatracker.ietf.org/doc/html/rfc2253">RFC 2253</ulink>
 | |
|        format. To see the <literal>DN</literal> of a client certificate
 | |
|        in this format, do
 | |
| <programlisting>
 | |
| openssl x509 -in myclient.crt -noout -subject -nameopt RFC2253 | sed "s/^subject=//"
 | |
| </programlisting>
 | |
|         Care needs to be taken when using this option, especially when using
 | |
|         regular expression matching against the <literal>DN</literal>.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><literal>include</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        This line will be replaced by the contents of the given file.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><literal>include_if_exists</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        This line will be replaced by the content of the given file if the
 | |
|        file exists. Otherwise, a message is logged to indicate that the file
 | |
|        has been skipped.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><literal>include_dir</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        This line will be replaced by the contents of all the files found in
 | |
|        the directory, if they don't start with a <literal>.</literal> and end
 | |
|        with <literal>.conf</literal>, processed in file name order (according
 | |
|        to C locale rules, i.e., numbers before letters, and uppercase letters
 | |
|        before lowercase ones).
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
|    </variablelist>
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    Files included by <literal>@</literal> constructs are read as lists of names,
 | |
|    which can be separated by either whitespace or commas.  Comments are
 | |
|    introduced by <literal>#</literal>, just as in
 | |
|    <filename>pg_hba.conf</filename>, and nested <literal>@</literal> constructs are
 | |
|    allowed.  Unless the file name following <literal>@</literal> is an absolute
 | |
|    path, it is taken to be relative to the directory containing the
 | |
|    referencing file.
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    Since the <filename>pg_hba.conf</filename> records are examined
 | |
|    sequentially for each connection attempt, the order of the records is
 | |
|    significant. Typically, earlier records will have tight connection
 | |
|    match parameters and weaker authentication methods, while later
 | |
|    records will have looser match parameters and stronger authentication
 | |
|    methods. For example, one might wish to use <literal>trust</literal>
 | |
|    authentication for local TCP/IP connections but require a password for
 | |
|    remote TCP/IP connections. In this case a record specifying
 | |
|    <literal>trust</literal> authentication for connections from 127.0.0.1 would
 | |
|    appear before a record specifying password authentication for a wider
 | |
|    range of allowed client IP addresses.
 | |
|   </para>
 | |
| 
 | |
|   <tip>
 | |
|    <para>
 | |
|     To connect to a particular database, a user must not only pass the
 | |
|     <filename>pg_hba.conf</filename> checks, but must have the
 | |
|     <literal>CONNECT</literal> privilege for the database.  If you wish to
 | |
|     restrict which users can connect to which databases, it's usually
 | |
|     easier to control this by granting/revoking <literal>CONNECT</literal> privilege
 | |
|     than to put the rules in <filename>pg_hba.conf</filename> entries.
 | |
|    </para>
 | |
|   </tip>
 | |
| 
 | |
|   <para>
 | |
|    Some examples of <filename>pg_hba.conf</filename> entries are shown in
 | |
|    <xref linkend="example-pg-hba.conf"/>. See the next section for details on the
 | |
|    different authentication methods.
 | |
|   </para>
 | |
| 
 | |
|    <example id="example-pg-hba.conf">
 | |
|     <title>Example <filename>pg_hba.conf</filename> Entries</title>
 | |
| <programlisting>
 | |
| # Allow any user on the local system to connect to any database with
 | |
| # any database user name using Unix-domain sockets (the default for local
 | |
| # connections).
 | |
| #
 | |
| # TYPE  DATABASE        USER            ADDRESS                 METHOD
 | |
| local   all             all                                     trust
 | |
| 
 | |
| # The same using local loopback TCP/IP connections.
 | |
| #
 | |
| # TYPE  DATABASE        USER            ADDRESS                 METHOD
 | |
| host    all             all             127.0.0.1/32            trust
 | |
| 
 | |
| # The same as the previous line, but using a separate netmask column
 | |
| #
 | |
| # TYPE  DATABASE        USER            IP-ADDRESS      IP-MASK             METHOD
 | |
| host    all             all             127.0.0.1       255.255.255.255     trust
 | |
| 
 | |
| # The same over IPv6.
 | |
| #
 | |
| # TYPE  DATABASE        USER            ADDRESS                 METHOD
 | |
| host    all             all             ::1/128                 trust
 | |
| 
 | |
| # The same using a host name (would typically cover both IPv4 and IPv6).
 | |
| #
 | |
| # TYPE  DATABASE        USER            ADDRESS                 METHOD
 | |
| host    all             all             localhost               trust
 | |
| 
 | |
| # The same using a regular expression for DATABASE, that allows connection
 | |
| # to any databases with a name beginning with "db" and finishing with a
 | |
| # number using two to four digits (like "db1234" or "db12").
 | |
| #
 | |
| # TYPE  DATABASE        USER            ADDRESS                 METHOD
 | |
| host    "/^db\d{2,4}$"  all             localhost               trust
 | |
| 
 | |
| # Allow any user from any host with IP address 192.168.93.x to connect
 | |
| # to database "postgres" as the same user name that ident reports for
 | |
| # the connection (typically the operating system user name).
 | |
| #
 | |
| # TYPE  DATABASE        USER            ADDRESS                 METHOD
 | |
| host    postgres        all             192.168.93.0/24         ident
 | |
| 
 | |
| # Allow any user from host 192.168.12.10 to connect to database
 | |
| # "postgres" if the user's password is correctly supplied.
 | |
| #
 | |
| # TYPE  DATABASE        USER            ADDRESS                 METHOD
 | |
| host    postgres        all             192.168.12.10/32        scram-sha-256
 | |
| 
 | |
| # Allow any user from hosts in the example.com domain to connect to
 | |
| # any database if the user's password is correctly supplied.
 | |
| #
 | |
| # Require SCRAM authentication for most users, but make an exception
 | |
| # for user 'mike', who uses an older client that doesn't support SCRAM
 | |
| # authentication.
 | |
| #
 | |
| # TYPE  DATABASE        USER            ADDRESS                 METHOD
 | |
| host    all             mike            .example.com            md5
 | |
| host    all             all             .example.com            scram-sha-256
 | |
| 
 | |
| # In the absence of preceding "host" lines, these three lines will
 | |
| # reject all connections from 192.168.54.1 (since that entry will be
 | |
| # matched first), but allow GSSAPI-encrypted connections from anywhere else
 | |
| # on the Internet.  The zero mask causes no bits of the host IP address to
 | |
| # be considered, so it matches any host.  Unencrypted GSSAPI connections
 | |
| # (which "fall through" to the third line since "hostgssenc" only matches
 | |
| # encrypted GSSAPI connections) are allowed, but only from 192.168.12.10.
 | |
| #
 | |
| # TYPE  DATABASE        USER            ADDRESS                 METHOD
 | |
| host    all             all             192.168.54.1/32         reject
 | |
| hostgssenc all          all             0.0.0.0/0               gss
 | |
| host    all             all             192.168.12.10/32        gss
 | |
| 
 | |
| # Allow users from 192.168.x.x hosts to connect to any database, if
 | |
| # they pass the ident check.  If, for example, ident says the user is
 | |
| # "bryanh" and he requests to connect as PostgreSQL user "guest1", the
 | |
| # connection is allowed if there is an entry in pg_ident.conf for map
 | |
| # "omicron" that says "bryanh" is allowed to connect as "guest1".
 | |
| #
 | |
| # TYPE  DATABASE        USER            ADDRESS                 METHOD
 | |
| host    all             all             192.168.0.0/16          ident map=omicron
 | |
| 
 | |
| # If these are the only four lines for local connections, they will
 | |
| # allow local users to connect only to their own databases (databases
 | |
| # with the same name as their database user name) except for users whose
 | |
| # name end with "helpdesk", administrators and members of role "support",
 | |
| # who can connect to all databases.  The file $PGDATA/admins contains a
 | |
| # list of names of administrators.  Passwords are required in all cases.
 | |
| #
 | |
| # TYPE  DATABASE        USER            ADDRESS                 METHOD
 | |
| local   sameuser        all                                     md5
 | |
| local   all             /^.*helpdesk$                           md5
 | |
| local   all             @admins                                 md5
 | |
| local   all             +support                                md5
 | |
| 
 | |
| # The last two lines above can be combined into a single line:
 | |
| local   all             @admins,+support                        md5
 | |
| 
 | |
| # The database column can also use lists and file names:
 | |
| local   db1,db2,@demodbs  all                                   md5
 | |
| </programlisting>
 | |
|    </example>
 | |
|  </sect1>
 | |
| 
 | |
|  <sect1 id="auth-username-maps">
 | |
|   <title>User Name Maps</title>
 | |
| 
 | |
|   <indexterm zone="auth-username-maps">
 | |
|    <primary>User name maps</primary>
 | |
|   </indexterm>
 | |
| 
 | |
|   <para>
 | |
|    When using an external authentication system such as Ident or GSSAPI,
 | |
|    the name of the operating system user that initiated the connection
 | |
|    might not be the same as the database user (role) that is to be used.
 | |
|    In this case, a user name map can be applied to map the operating system
 | |
|    user name to a database user.  To use user name mapping, specify
 | |
|    <literal>map</literal>=<replaceable>map-name</replaceable>
 | |
|    in the options field in <filename>pg_hba.conf</filename>. This option is
 | |
|    supported for all authentication methods that receive external user names.
 | |
|    Since different mappings might be needed for different connections,
 | |
|    the name of the map to be used is specified in the
 | |
|    <replaceable>map-name</replaceable> parameter in <filename>pg_hba.conf</filename>
 | |
|    to indicate which map to use for each individual connection.
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    User name maps are defined in the ident map file, which by default is named
 | |
|    <filename>pg_ident.conf</filename><indexterm><primary>pg_ident.conf</primary></indexterm>
 | |
|    and is stored in the
 | |
|    cluster's data directory.  (It is possible to place the map file
 | |
|    elsewhere, however; see the <xref linkend="guc-ident-file"/>
 | |
|    configuration parameter.)
 | |
|    The ident map file contains lines of the general forms:
 | |
| <synopsis>
 | |
| <replaceable>map-name</replaceable> <replaceable>system-username</replaceable> <replaceable>database-username</replaceable>
 | |
| <replaceable>include</replaceable> <replaceable>file</replaceable>
 | |
| <replaceable>include_if_exists</replaceable> <replaceable>file</replaceable>
 | |
| <replaceable>include_dir</replaceable> <replaceable>directory</replaceable>
 | |
| </synopsis>
 | |
|    Comments, whitespace and line continuations are handled in the same way as in
 | |
|    <filename>pg_hba.conf</filename>.  The
 | |
|    <replaceable>map-name</replaceable> is an arbitrary name that will be used to
 | |
|    refer to this mapping in <filename>pg_hba.conf</filename>. The other
 | |
|    two fields specify an operating system user name and a matching
 | |
|    database user name. The same <replaceable>map-name</replaceable> can be
 | |
|    used repeatedly to specify multiple user-mappings within a single map.
 | |
|   </para>
 | |
|   <para>
 | |
|    As for <filename>pg_hba.conf</filename>, the lines in this file can
 | |
|    be include directives, following the same rules.
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    The <filename>pg_ident.conf</filename> file is read on start-up and
 | |
|    when the main server process receives a
 | |
|    <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
 | |
|    signal. If you edit the file on an
 | |
|    active system, you will need to signal the postmaster
 | |
|    (using <literal>pg_ctl reload</literal>, calling the SQL function
 | |
|    <function>pg_reload_conf()</function>, or using <literal>kill
 | |
|    -HUP</literal>) to make it re-read the file.
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    The system view
 | |
|    <link linkend="view-pg-ident-file-mappings"><structname>pg_ident_file_mappings</structname></link>
 | |
|    can be helpful for pre-testing changes to the
 | |
|    <filename>pg_ident.conf</filename> file, or for diagnosing problems if
 | |
|    loading of the file did not have the desired effects.  Rows in the view with
 | |
|    non-null <structfield>error</structfield> fields indicate problems in the
 | |
|    corresponding lines of the file.
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    There is no restriction regarding how many database users a given
 | |
|    operating system user can correspond to, nor vice versa.  Thus, entries
 | |
|    in a map should be thought of as meaning <quote>this operating system
 | |
|    user is allowed to connect as this database user</quote>, rather than
 | |
|    implying that they are equivalent.  The connection will be allowed if
 | |
|    there is any map entry that pairs the user name obtained from the
 | |
|    external authentication system with the database user name that the
 | |
|    user has requested to connect as. The value <literal>all</literal>
 | |
|    can be used as the <replaceable>database-username</replaceable> to specify
 | |
|    that if the <replaceable>system-username</replaceable> matches, then this
 | |
|    user is allowed to log in as any of the existing database users. Quoting
 | |
|    <literal>all</literal> makes the keyword lose its special meaning.
 | |
|   </para>
 | |
|   <para>
 | |
|    If the <replaceable>database-username</replaceable> begins with a
 | |
|    <literal>+</literal> character, then the operating system user can login as
 | |
|    any user belonging to that role, similarly to how user names beginning with
 | |
|    <literal>+</literal> are treated in <literal>pg_hba.conf</literal>.
 | |
|    Thus, a <literal>+</literal> mark means <quote>match any of the roles that
 | |
|    are directly or indirectly members of this role</quote>, while a name
 | |
|    without a <literal>+</literal> mark matches only that specific role. Quoting
 | |
|    a username starting with a <literal>+</literal> makes the
 | |
|    <literal>+</literal> lose its special meaning.
 | |
|   </para>
 | |
|   <para>
 | |
|    If the <replaceable>system-username</replaceable> field starts with a slash (<literal>/</literal>),
 | |
|    the remainder of the field is treated as a regular expression.
 | |
|    (See <xref linkend="posix-syntax-details"/> for details of
 | |
|    <productname>PostgreSQL</productname>'s regular expression syntax.)  The regular
 | |
|    expression can include a single capture, or parenthesized subexpression.
 | |
|    The portion of the system user name that matched the capture can then
 | |
|    be referenced in the <replaceable>database-username</replaceable>
 | |
|    field as <literal>\1</literal> (backslash-one).  This allows the mapping of
 | |
|    multiple user names in a single line, which is particularly useful for
 | |
|    simple syntax substitutions.  For example, these entries
 | |
| <programlisting>
 | |
| mymap   /^(.*)@mydomain\.com$      \1
 | |
| mymap   /^(.*)@otherdomain\.com$   guest
 | |
| </programlisting>
 | |
|    will remove the domain part for users with system user names that end with
 | |
|    <literal>@mydomain.com</literal>, and allow any user whose system name ends with
 | |
|    <literal>@otherdomain.com</literal> to log in as <literal>guest</literal>.
 | |
|    Quoting a <replaceable>database-username</replaceable> containing
 | |
|    <literal>\1</literal> <emphasis>does not</emphasis> make
 | |
|    <literal>\1</literal> lose its special meaning.
 | |
|   </para>
 | |
|   <para>
 | |
|    If the <replaceable>database-username</replaceable> field starts with
 | |
|    a slash (<literal>/</literal>), the remainder of the field is treated
 | |
|    as a regular expression.
 | |
|    When the <replaceable>database-username</replaceable> field is a regular
 | |
|    expression, it is not possible to use <literal>\1</literal> within it to
 | |
|    refer to a capture from the <replaceable>system-username</replaceable>
 | |
|    field.
 | |
|   </para>
 | |
| 
 | |
|   <tip>
 | |
|    <para>
 | |
|     Keep in mind that by default, a regular expression can match just part of
 | |
|     a string.  It's usually wise to use <literal>^</literal> and <literal>$</literal>, as
 | |
|     shown in the above example, to force the match to be to the entire
 | |
|     system user name.
 | |
|    </para>
 | |
|   </tip>
 | |
| 
 | |
|   <para>
 | |
|    A <filename>pg_ident.conf</filename> file that could be used in
 | |
|    conjunction with the <filename>pg_hba.conf</filename> file in <xref
 | |
|    linkend="example-pg-hba.conf"/> is shown in <xref
 | |
|    linkend="example-pg-ident.conf"/>. In this example, anyone
 | |
|    logged in to a machine on the 192.168 network that does not have the
 | |
|    operating system user name <literal>bryanh</literal>, <literal>ann</literal>, or
 | |
|    <literal>robert</literal> would not be granted access. Unix user
 | |
|    <literal>robert</literal> would only be allowed access when he tries to
 | |
|    connect as <productname>PostgreSQL</productname> user <literal>bob</literal>, not
 | |
|    as <literal>robert</literal> or anyone else. <literal>ann</literal> would
 | |
|    only be allowed to connect as <literal>ann</literal>. User
 | |
|    <literal>bryanh</literal> would be allowed to connect as either
 | |
|    <literal>bryanh</literal> or as <literal>guest1</literal>.
 | |
|   </para>
 | |
| 
 | |
|   <example id="example-pg-ident.conf">
 | |
|    <title>An Example <filename>pg_ident.conf</filename> File</title>
 | |
| <programlisting>
 | |
| # MAPNAME       SYSTEM-USERNAME         PG-USERNAME
 | |
| 
 | |
| omicron         bryanh                  bryanh
 | |
| omicron         ann                     ann
 | |
| # bob has user name robert on these machines
 | |
| omicron         robert                  bob
 | |
| # bryanh can also connect as guest1
 | |
| omicron         bryanh                  guest1
 | |
| </programlisting>
 | |
|   </example>
 | |
|  </sect1>
 | |
| 
 | |
|  <sect1 id="auth-methods">
 | |
|   <title>Authentication Methods</title>
 | |
| 
 | |
|   <para>
 | |
|    <productname>PostgreSQL</productname> provides various methods for
 | |
|    authenticating users:
 | |
| 
 | |
|    <itemizedlist>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="auth-trust">Trust authentication</link>, which
 | |
|       simply trusts that users are who they say they are.
 | |
|      </para>
 | |
|     </listitem>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="auth-password">Password authentication</link>, which
 | |
|       requires that users send a password.
 | |
|      </para>
 | |
|     </listitem>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="gssapi-auth">GSSAPI authentication</link>, which
 | |
|       relies on a GSSAPI-compatible security library.  Typically this is
 | |
|       used to access an authentication server such as a Kerberos or
 | |
|       Microsoft Active Directory server.
 | |
|      </para>
 | |
|     </listitem>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="sspi-auth">SSPI authentication</link>, which
 | |
|       uses a Windows-specific protocol similar to GSSAPI.
 | |
|      </para>
 | |
|     </listitem>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="auth-ident">Ident authentication</link>, which
 | |
|       relies on an <quote>Identification Protocol</quote>
 | |
|       (<ulink url="https://datatracker.ietf.org/doc/html/rfc1413">RFC 1413</ulink>)
 | |
|       service on the client's machine.  (On local Unix-socket connections,
 | |
|       this is treated as peer authentication.)
 | |
|      </para>
 | |
|     </listitem>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="auth-peer">Peer authentication</link>, which
 | |
|       relies on operating system facilities to identify the process at the
 | |
|       other end of a local connection.  This is not supported for remote
 | |
|       connections.
 | |
|      </para>
 | |
|     </listitem>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="auth-ldap">LDAP authentication</link>, which
 | |
|       relies on an LDAP authentication server.
 | |
|      </para>
 | |
|     </listitem>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="auth-radius">RADIUS authentication</link>, which
 | |
|       relies on a RADIUS authentication server.
 | |
|      </para>
 | |
|     </listitem>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="auth-cert">Certificate authentication</link>, which
 | |
|       requires an SSL connection and authenticates users by checking the
 | |
|       SSL certificate they send.
 | |
|      </para>
 | |
|     </listitem>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="auth-pam">PAM authentication</link>, which
 | |
|       relies on a PAM (Pluggable Authentication Modules) library.
 | |
|      </para>
 | |
|     </listitem>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="auth-bsd">BSD authentication</link>, which
 | |
|       relies on the BSD Authentication framework (currently available
 | |
|       only on OpenBSD).
 | |
|      </para>
 | |
|     </listitem>
 | |
|     <listitem>
 | |
|      <para>
 | |
|       <link linkend="auth-oauth">OAuth authorization/authentication</link>,
 | |
|       which relies on an external OAuth 2.0 identity provider.
 | |
|      </para>
 | |
|     </listitem>
 | |
|    </itemizedlist>
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    Peer authentication is usually recommendable for local connections,
 | |
|    though trust authentication might be sufficient in some circumstances.
 | |
|    Password authentication is the easiest choice for remote connections.
 | |
|    All the other options require some kind of external security
 | |
|    infrastructure (usually an authentication server or a certificate
 | |
|    authority for issuing SSL certificates), or are platform-specific.
 | |
|   </para>
 | |
| 
 | |
|   <para>
 | |
|    The following sections describe each of these authentication methods
 | |
|    in more detail.
 | |
|   </para>
 | |
|  </sect1>
 | |
| 
 | |
|   <sect1 id="auth-trust">
 | |
|    <title>Trust Authentication</title>
 | |
| 
 | |
|    <para>
 | |
|     When <literal>trust</literal> authentication is specified,
 | |
|     <productname>PostgreSQL</productname> assumes that anyone who can
 | |
|     connect to the server is authorized to access the database with
 | |
|     whatever database user name they specify (even superuser names).
 | |
|     Of course, restrictions made in the <literal>database</literal> and
 | |
|     <literal>user</literal> columns still apply.
 | |
|     This method should only be used when there is adequate
 | |
|     operating-system-level protection on connections to the server.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     <literal>trust</literal> authentication is appropriate and very
 | |
|     convenient for local connections on a single-user workstation.  It
 | |
|     is usually <emphasis>not</emphasis> appropriate by itself on a multiuser
 | |
|     machine.  However, you might be able to use <literal>trust</literal> even
 | |
|     on a multiuser machine, if you restrict access to the server's
 | |
|     Unix-domain socket file using file-system permissions.  To do this, set the
 | |
|     <varname>unix_socket_permissions</varname> (and possibly
 | |
|     <varname>unix_socket_group</varname>) configuration parameters as
 | |
|     described in <xref linkend="runtime-config-connection"/>.  Or you
 | |
|     could set the <varname>unix_socket_directories</varname>
 | |
|     configuration parameter to place the socket file in a suitably
 | |
|     restricted directory.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     Setting file-system permissions only helps for Unix-socket connections.
 | |
|     Local TCP/IP connections are not restricted by file-system permissions.
 | |
|     Therefore, if you want to use file-system permissions for local security,
 | |
|     remove the <literal>host ... 127.0.0.1 ...</literal> line from
 | |
|     <filename>pg_hba.conf</filename>, or change it to a
 | |
|     non-<literal>trust</literal> authentication method.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     <literal>trust</literal> authentication is only suitable for TCP/IP connections
 | |
|     if you trust every user on every machine that is allowed to connect
 | |
|     to the server by the <filename>pg_hba.conf</filename> lines that specify
 | |
|     <literal>trust</literal>.  It is seldom reasonable to use <literal>trust</literal>
 | |
|     for any TCP/IP connections other than those from <systemitem>localhost</systemitem> (127.0.0.1).
 | |
|    </para>
 | |
| 
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="auth-password">
 | |
|    <title>Password Authentication</title>
 | |
| 
 | |
|    <indexterm>
 | |
|     <primary>MD5</primary>
 | |
|    </indexterm>
 | |
|    <indexterm>
 | |
|     <primary>SCRAM</primary>
 | |
|    </indexterm>
 | |
|    <indexterm>
 | |
|     <primary>password</primary>
 | |
|     <secondary>authentication</secondary>
 | |
|    </indexterm>
 | |
| 
 | |
|    <para>
 | |
|     There are several password-based authentication methods.  These methods
 | |
|     operate similarly but differ in how the users' passwords are stored on the
 | |
|     server and how the password provided by a client is sent across the
 | |
|     connection.
 | |
|    </para>
 | |
| 
 | |
|    <variablelist>
 | |
|     <varlistentry>
 | |
|      <term><literal>scram-sha-256</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        The method <literal>scram-sha-256</literal> performs SCRAM-SHA-256
 | |
|        authentication, as described in
 | |
|        <ulink url="https://datatracker.ietf.org/doc/html/rfc7677">RFC 7677</ulink>.  It
 | |
|        is a challenge-response scheme that prevents password sniffing on
 | |
|        untrusted connections and supports storing passwords on the server in a
 | |
|        cryptographically hashed form that is thought to be secure.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        This is the most secure of the currently provided methods, but it is
 | |
|        not supported by older client libraries.
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><literal>md5</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        The method <literal>md5</literal> uses a custom less secure challenge-response
 | |
|        mechanism.  It prevents password sniffing and avoids storing passwords
 | |
|        on the server in plain text but provides no protection if an attacker
 | |
|        manages to steal the password hash from the server.  Also, the MD5 hash
 | |
|        algorithm is nowadays no longer considered secure against determined
 | |
|        attacks.
 | |
|       </para>
 | |
| 
 | |
|       <para>
 | |
|        To ease transition from the <literal>md5</literal> method to the newer
 | |
|        SCRAM method, if <literal>md5</literal> is specified as a method
 | |
|        in <filename>pg_hba.conf</filename> but the user's password on the
 | |
|        server is encrypted for SCRAM (see below), then SCRAM-based
 | |
|        authentication will automatically be chosen instead.
 | |
|       </para>
 | |
| 
 | |
|       <warning>
 | |
|        <para>
 | |
|         Support for MD5-encrypted passwords is deprecated and will be removed
 | |
|         in a future release of <productname>PostgreSQL</productname>.  Refer to
 | |
|         the text below for details about migrating to another password type.
 | |
|        </para>
 | |
|       </warning>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
| 
 | |
|     <varlistentry>
 | |
|      <term><literal>password</literal></term>
 | |
|      <listitem>
 | |
|       <para>
 | |
|        The method <literal>password</literal> sends the password in clear-text and is
 | |
|        therefore vulnerable to password <quote>sniffing</quote> attacks. It should
 | |
|        always be avoided if possible. If the connection is protected by SSL
 | |
|        encryption then <literal>password</literal> can be used safely, though.
 | |
|        (Though SSL certificate authentication might be a better choice if one
 | |
|        is depending on using SSL).
 | |
|       </para>
 | |
|      </listitem>
 | |
|     </varlistentry>
 | |
|    </variablelist>
 | |
| 
 | |
|    <para>
 | |
|     <productname>PostgreSQL</productname> database passwords are
 | |
|     separate from operating system user passwords. The password for
 | |
|     each database user is stored in the <literal>pg_authid</literal> system
 | |
|     catalog. Passwords can be managed with the SQL commands
 | |
|     <xref linkend="sql-createrole"/> and
 | |
|     <xref linkend="sql-alterrole"/>,
 | |
|     e.g., <userinput>CREATE ROLE foo WITH LOGIN PASSWORD 'secret'</userinput>,
 | |
|     or the <application>psql</application>
 | |
|     command <literal>\password</literal>.
 | |
|     If no password has been set up for a user, the stored password
 | |
|     is null and password authentication will always fail for that user.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The availability of the different password-based authentication methods
 | |
|     depends on how a user's password on the server is encrypted (or hashed,
 | |
|     more accurately).  This is controlled by the configuration
 | |
|     parameter <xref linkend="guc-password-encryption"/> at the time the
 | |
|     password is set.  If a password was encrypted using
 | |
|     the <literal>scram-sha-256</literal> setting, then it can be used for the
 | |
|     authentication methods <literal>scram-sha-256</literal>
 | |
|     and <literal>password</literal> (but password transmission will be in
 | |
|     plain text in the latter case).  The authentication method
 | |
|     specification <literal>md5</literal> will automatically switch to using
 | |
|     the <literal>scram-sha-256</literal> method in this case, as explained
 | |
|     above, so it will also work.  If a password was encrypted using
 | |
|     the <literal>md5</literal> setting, then it can be used only for
 | |
|     the <literal>md5</literal> and <literal>password</literal> authentication
 | |
|     method specifications (again, with the password transmitted in plain text
 | |
|     in the latter case).  (Previous PostgreSQL releases supported storing the
 | |
|     password on the server in plain text.  This is no longer possible.)  To
 | |
|     check the currently stored password hashes, see the system
 | |
|     catalog <literal>pg_authid</literal>.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     To upgrade an existing installation from <literal>md5</literal>
 | |
|     to <literal>scram-sha-256</literal>, after having ensured that all client
 | |
|     libraries in use are new enough to support SCRAM,
 | |
|     set <literal>password_encryption = 'scram-sha-256'</literal>
 | |
|     in <filename>postgresql.conf</filename>, make all users set new passwords,
 | |
|     and change the authentication method specifications
 | |
|     in <filename>pg_hba.conf</filename> to <literal>scram-sha-256</literal>.
 | |
|    </para>
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="gssapi-auth">
 | |
|    <title>GSSAPI Authentication</title>
 | |
| 
 | |
|    <indexterm zone="gssapi-auth">
 | |
|     <primary>GSSAPI</primary>
 | |
|    </indexterm>
 | |
| 
 | |
|    <para>
 | |
|     <productname>GSSAPI</productname> is an industry-standard protocol
 | |
|     for secure authentication defined in
 | |
|     <ulink url="https://datatracker.ietf.org/doc/html/rfc2743">RFC 2743</ulink>.
 | |
|     <productname>PostgreSQL</productname>
 | |
|     supports <productname>GSSAPI</productname> for authentication,
 | |
|     communications encryption, or both.
 | |
|     <productname>GSSAPI</productname> provides automatic authentication
 | |
|     (single sign-on) for systems that support it. The authentication itself is
 | |
|     secure.  If <productname>GSSAPI</productname> encryption
 | |
|     or <acronym>SSL</acronym> encryption is
 | |
|     used, the data sent along the database connection will be encrypted;
 | |
|     otherwise, it will not.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     GSSAPI support has to be enabled when <productname>PostgreSQL</productname> is built;
 | |
|     see <xref linkend="installation"/> for more information.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     When <productname>GSSAPI</productname> uses
 | |
|     <productname>Kerberos</productname>, it uses a standard service
 | |
|     principal (authentication identity) name in the format
 | |
|     <literal><replaceable>servicename</replaceable>/<replaceable>hostname</replaceable>@<replaceable>realm</replaceable></literal>.
 | |
|     The principal name used by a particular installation is not encoded in
 | |
|     the <productname>PostgreSQL</productname> server in any way; rather it
 | |
|     is specified in the <firstterm>keytab</firstterm> file that the server
 | |
|     reads to determine its identity.  If multiple principals are listed in
 | |
|     the keytab file, the server will accept any one of them.
 | |
|     The server's realm name is the preferred realm specified in the Kerberos
 | |
|     configuration file(s) accessible to the server.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     When connecting, the client must know the principal name of the server
 | |
|     it intends to connect to.  The <replaceable>servicename</replaceable>
 | |
|     part of the principal is ordinarily <literal>postgres</literal>,
 | |
|     but another value can be selected via <application>libpq</application>'s
 | |
|     <xref linkend="libpq-connect-krbsrvname"/> connection parameter.
 | |
|     The <replaceable>hostname</replaceable> part is the fully qualified
 | |
|     host name that <application>libpq</application> is told to connect to.
 | |
|     The realm name is the preferred realm specified in the Kerberos
 | |
|     configuration file(s) accessible to the client.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The client will also have a principal name for its own identity
 | |
|     (and it must have a valid ticket for this principal).  To
 | |
|     use <productname>GSSAPI</productname> for authentication, the client
 | |
|     principal must be associated with
 | |
|     a <productname>PostgreSQL</productname> database user name.
 | |
|     The <filename>pg_ident.conf</filename> configuration file can be used
 | |
|     to map principals to user names; for example,
 | |
|     <literal>pgusername@realm</literal> could be mapped to just <literal>pgusername</literal>.
 | |
|     Alternatively, you can use the full <literal>username@realm</literal> principal as
 | |
|     the role name in <productname>PostgreSQL</productname> without any mapping.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     <productname>PostgreSQL</productname> also supports mapping
 | |
|     client principals to user names by just stripping the realm from
 | |
|     the principal.  This method is supported for backwards compatibility and is
 | |
|     strongly discouraged as it is then impossible to distinguish different users
 | |
|     with the same user name but coming from different realms.  To enable this,
 | |
|     set <literal>include_realm</literal> to 0.  For simple single-realm
 | |
|     installations, doing that combined with setting the
 | |
|     <literal>krb_realm</literal> parameter (which checks that the principal's realm
 | |
|     matches exactly what is in the <literal>krb_realm</literal> parameter)
 | |
|     is still secure; but this is a
 | |
|     less capable approach compared to specifying an explicit mapping in
 | |
|     <filename>pg_ident.conf</filename>.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The location of the server's keytab file is specified by the <xref
 | |
|     linkend="guc-krb-server-keyfile"/> configuration parameter.
 | |
|     For security reasons, it is recommended to use a separate keytab
 | |
|     just for the <productname>PostgreSQL</productname> server rather
 | |
|     than allowing the server to read the system keytab file.
 | |
|     Make sure that your server keytab file is readable (and preferably
 | |
|     only readable, not writable) by the <productname>PostgreSQL</productname>
 | |
|     server account.  (See also <xref linkend="postgres-user"/>.)
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The keytab file is generated using the Kerberos software; see the
 | |
|     Kerberos documentation for details. The following example shows
 | |
|     doing this using the <application>kadmin</application> tool of
 | |
|     MIT Kerberos:
 | |
| <screen>
 | |
| <prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput>
 | |
| <prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput>
 | |
| </screen>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The following authentication options are supported for
 | |
|     the <productname>GSSAPI</productname> authentication method:
 | |
|     <variablelist>
 | |
|      <varlistentry>
 | |
|       <term><literal>include_realm</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         If set to 0, the realm name from the authenticated user principal is
 | |
|         stripped off before being passed through the user name mapping
 | |
|         (<xref linkend="auth-username-maps"/>). This is discouraged and is
 | |
|         primarily available for backwards compatibility, as it is not secure
 | |
|         in multi-realm environments unless <literal>krb_realm</literal> is
 | |
|         also used.  It is recommended to
 | |
|         leave <literal>include_realm</literal> set to the default (1) and to
 | |
|         provide an explicit mapping in <filename>pg_ident.conf</filename> to convert
 | |
|         principal names to <productname>PostgreSQL</productname> user names.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term><literal>map</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Allows mapping from client principals to database user names. See
 | |
|         <xref linkend="auth-username-maps"/> for details.  For a GSSAPI/Kerberos
 | |
|         principal, such as <literal>username@EXAMPLE.COM</literal> (or, less
 | |
|         commonly, <literal>username/hostbased@EXAMPLE.COM</literal>), the
 | |
|         user name used for mapping is
 | |
|         <literal>username@EXAMPLE.COM</literal> (or
 | |
|         <literal>username/hostbased@EXAMPLE.COM</literal>, respectively),
 | |
|         unless <literal>include_realm</literal> has been set to 0, in which case
 | |
|         <literal>username</literal> (or <literal>username/hostbased</literal>)
 | |
|         is what is seen as the system user name when mapping.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term><literal>krb_realm</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Sets the realm to match user principal names against. If this parameter
 | |
|         is set, only users of that realm will be accepted.  If it is not set,
 | |
|         users of any realm can connect, subject to whatever user name mapping
 | |
|         is done.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|     </variablelist>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     In addition to these settings, which can be different for
 | |
|     different <filename>pg_hba.conf</filename> entries, there is the
 | |
|     server-wide <xref linkend="guc-krb-caseins-users"/> configuration
 | |
|     parameter.  If that is set to true, client principals are matched to
 | |
|     user map entries case-insensitively.  <literal>krb_realm</literal>, if
 | |
|     set, is also matched case-insensitively.
 | |
|    </para>
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="sspi-auth">
 | |
|    <title>SSPI Authentication</title>
 | |
| 
 | |
|    <indexterm zone="sspi-auth">
 | |
|     <primary>SSPI</primary>
 | |
|    </indexterm>
 | |
| 
 | |
|    <para>
 | |
|     <productname>SSPI</productname> is a <productname>Windows</productname>
 | |
|     technology for secure authentication with single sign-on.
 | |
|     <productname>PostgreSQL</productname> will use SSPI in
 | |
|     <literal>negotiate</literal> mode, which will use
 | |
|     <productname>Kerberos</productname> when possible and automatically
 | |
|     fall back to <productname>NTLM</productname> in other cases.
 | |
|     <productname>SSPI</productname> and <productname>GSSAPI</productname>
 | |
|     interoperate as clients and servers, e.g., an
 | |
|     <productname>SSPI</productname> client can authenticate to an
 | |
|     <productname>GSSAPI</productname> server.  It is recommended to use
 | |
|     <productname>SSPI</productname> on Windows clients and servers and
 | |
|     <productname>GSSAPI</productname> on non-Windows platforms.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     When using <productname>Kerberos</productname> authentication,
 | |
|     <productname>SSPI</productname> works the same way
 | |
|     <productname>GSSAPI</productname> does; see <xref linkend="gssapi-auth"/>
 | |
|     for details.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The following configuration options are supported for <productname>SSPI</productname>:
 | |
|     <variablelist>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term><literal>include_realm</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         If set to 0, the realm name from the authenticated user principal is
 | |
|         stripped off before being passed through the user name mapping
 | |
|         (<xref linkend="auth-username-maps"/>). This is discouraged and is
 | |
|         primarily available for backwards compatibility, as it is not secure
 | |
|         in multi-realm environments unless <literal>krb_realm</literal> is
 | |
|         also used.  It is recommended to
 | |
|         leave <literal>include_realm</literal> set to the default (1) and to
 | |
|         provide an explicit mapping in <filename>pg_ident.conf</filename> to convert
 | |
|         principal names to <productname>PostgreSQL</productname> user names.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term><literal>compat_realm</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         If set to 1, the domain's SAM-compatible name (also known as the
 | |
|         NetBIOS name) is used for the <literal>include_realm</literal>
 | |
|         option. This is the default. If set to 0, the true realm name from
 | |
|         the Kerberos user principal name is used.
 | |
|        </para>
 | |
|        <para>
 | |
|         Do not disable this option unless your server runs under a domain
 | |
|         account (this includes virtual service accounts on a domain member
 | |
|         system) and all clients authenticating through SSPI are also using
 | |
|         domain accounts, or authentication will fail.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term><literal>upn_username</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         If this option is enabled along with <literal>compat_realm</literal>,
 | |
|         the user name from the Kerberos UPN is used for authentication. If
 | |
|         it is disabled (the default), the SAM-compatible user name is used.
 | |
|         By default, these two names are identical for new user accounts.
 | |
|        </para>
 | |
|        <para>
 | |
|         Note that <application>libpq</application> uses the SAM-compatible name if no
 | |
|         explicit user name is specified. If you use
 | |
|         <application>libpq</application> or a driver based on it, you should
 | |
|         leave this option disabled or explicitly specify user name in the
 | |
|         connection string.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term><literal>map</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Allows for mapping between system and database user names. See
 | |
|         <xref linkend="auth-username-maps"/> for details.  For an SSPI/Kerberos
 | |
|         principal, such as <literal>username@EXAMPLE.COM</literal> (or, less
 | |
|         commonly, <literal>username/hostbased@EXAMPLE.COM</literal>), the
 | |
|         user name used for mapping is
 | |
|         <literal>username@EXAMPLE.COM</literal> (or
 | |
|         <literal>username/hostbased@EXAMPLE.COM</literal>, respectively),
 | |
|         unless <literal>include_realm</literal> has been set to 0, in which case
 | |
|         <literal>username</literal> (or <literal>username/hostbased</literal>)
 | |
|         is what is seen as the system user name when mapping.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term><literal>krb_realm</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Sets the realm to match user principal names against. If this parameter
 | |
|         is set, only users of that realm will be accepted.  If it is not set,
 | |
|         users of any realm can connect, subject to whatever user name mapping
 | |
|         is done.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|     </variablelist>
 | |
|    </para>
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="auth-ident">
 | |
|    <title>Ident Authentication</title>
 | |
| 
 | |
|    <indexterm>
 | |
|     <primary>ident</primary>
 | |
|    </indexterm>
 | |
| 
 | |
|    <para>
 | |
|     The ident authentication method works by obtaining the client's
 | |
|     operating system user name from an ident server and using it as
 | |
|     the allowed database user name (with an optional user name mapping).
 | |
|     This is only supported on TCP/IP connections.
 | |
|    </para>
 | |
| 
 | |
|    <note>
 | |
|     <para>
 | |
|      When ident is specified for a local (non-TCP/IP) connection,
 | |
|      peer authentication (see <xref linkend="auth-peer"/>) will be
 | |
|      used instead.
 | |
|     </para>
 | |
|    </note>
 | |
| 
 | |
|    <para>
 | |
|     The following configuration options are supported for <literal>ident</literal>:
 | |
|     <variablelist>
 | |
|      <varlistentry>
 | |
|       <term><literal>map</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Allows for mapping between system and database user names. See
 | |
|         <xref linkend="auth-username-maps"/> for details.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|     </variablelist>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The <quote>Identification Protocol</quote> is described in
 | |
|     <ulink url="https://datatracker.ietf.org/doc/html/rfc1413">RFC 1413</ulink>.
 | |
|     Virtually every Unix-like
 | |
|     operating system ships with an ident server that listens on TCP
 | |
|     port 113 by default. The basic functionality of an ident server
 | |
|     is to answer questions like <quote>What user initiated the
 | |
|     connection that goes out of your port <replaceable>X</replaceable>
 | |
|     and connects to my port <replaceable>Y</replaceable>?</quote>.
 | |
|     Since <productname>PostgreSQL</productname> knows both <replaceable>X</replaceable> and
 | |
|     <replaceable>Y</replaceable> when a physical connection is established, it
 | |
|     can interrogate the ident server on the host of the connecting
 | |
|     client and can theoretically determine the operating system user
 | |
|     for any given connection.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The drawback of this procedure is that it depends on the integrity
 | |
|     of the client: if the client machine is untrusted or compromised,
 | |
|     an attacker could run just about any program on port 113 and
 | |
|     return any user name they choose. This authentication method is
 | |
|     therefore only appropriate for closed networks where each client
 | |
|     machine is under tight control and where the database and system
 | |
|     administrators operate in close contact. In other words, you must
 | |
|     trust the machine running the ident server.
 | |
|     Heed the warning:
 | |
|     <blockquote>
 | |
|      <attribution>RFC 1413</attribution>
 | |
|      <para>
 | |
|       The Identification Protocol is not intended as an authorization
 | |
|       or access control protocol.
 | |
|      </para>
 | |
|     </blockquote>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     Some ident servers have a nonstandard option that causes the returned
 | |
|     user name to be encrypted, using a key that only the originating
 | |
|     machine's administrator knows.  This option <emphasis>must not</emphasis> be
 | |
|     used when using the ident server with <productname>PostgreSQL</productname>,
 | |
|     since <productname>PostgreSQL</productname> does not have any way to decrypt the
 | |
|     returned string to determine the actual user name.
 | |
|    </para>
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="auth-peer">
 | |
|    <title>Peer Authentication</title>
 | |
| 
 | |
|    <indexterm>
 | |
|     <primary>peer</primary>
 | |
|    </indexterm>
 | |
| 
 | |
|    <para>
 | |
|     The peer authentication method works by obtaining the client's
 | |
|     operating system user name from the kernel and using it as the
 | |
|     allowed database user name (with optional user name mapping). This
 | |
|     method is only supported on local connections.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The following configuration options are supported for <literal>peer</literal>:
 | |
|     <variablelist>
 | |
|      <varlistentry>
 | |
|       <term><literal>map</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Allows for mapping between system and database user names. See
 | |
|         <xref linkend="auth-username-maps"/> for details.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|     </variablelist>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     Peer authentication is only available on operating systems providing
 | |
|     the <function>getpeereid()</function> function, the <symbol>SO_PEERCRED</symbol>
 | |
|     socket parameter, or similar mechanisms.  Currently that includes
 | |
|     <systemitem class="osname">Linux</systemitem>,
 | |
|     most flavors of <systemitem class="osname">BSD</systemitem> including
 | |
|     <systemitem class="osname">macOS</systemitem>,
 | |
|     and <systemitem class="osname">Solaris</systemitem>.
 | |
|    </para>
 | |
| 
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="auth-ldap">
 | |
|    <title>LDAP Authentication</title>
 | |
| 
 | |
|    <indexterm zone="auth-ldap">
 | |
|     <primary>LDAP</primary>
 | |
|    </indexterm>
 | |
| 
 | |
|    <para>
 | |
|     This authentication method operates similarly to
 | |
|     <literal>password</literal> except that it uses LDAP
 | |
|     as the password verification method. LDAP is used only to validate
 | |
|     the user name/password pairs. Therefore the user must already
 | |
|     exist in the database before LDAP can be used for
 | |
|     authentication.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     LDAP authentication can operate in two modes. In the first mode,
 | |
|     which we will call the simple bind mode,
 | |
|     the server will bind to the distinguished name constructed as
 | |
|     <replaceable>prefix</replaceable> <replaceable>username</replaceable> <replaceable>suffix</replaceable>.
 | |
|     Typically, the <replaceable>prefix</replaceable> parameter is used to specify
 | |
|     <literal>cn=</literal>, or <replaceable>DOMAIN</replaceable><literal>\</literal> in an Active
 | |
|     Directory environment.  <replaceable>suffix</replaceable> is used to specify the
 | |
|     remaining part of the DN in a non-Active Directory environment.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     In the second mode, which we will call the search+bind mode,
 | |
|     the server first binds to the LDAP directory with
 | |
|     a fixed user name and password, specified with <replaceable>ldapbinddn</replaceable>
 | |
|     and <replaceable>ldapbindpasswd</replaceable>, and performs a search for the user trying
 | |
|     to log in to the database. If no user and password is configured, an
 | |
|     anonymous bind will be attempted to the directory. The search will be
 | |
|     performed over the subtree at <replaceable>ldapbasedn</replaceable>, and will try to
 | |
|     do an exact match of the attribute specified in
 | |
|     <replaceable>ldapsearchattribute</replaceable>.
 | |
|     Once the user has been found in
 | |
|     this search, the server re-binds to the directory as
 | |
|     this user, using the password specified by the client, to verify that the
 | |
|     login is correct. This mode is the same as that used by LDAP authentication
 | |
|     schemes in other software, such as Apache <literal>mod_authnz_ldap</literal> and <literal>pam_ldap</literal>.
 | |
|     This method allows for significantly more flexibility
 | |
|     in where the user objects are located in the directory, but will cause
 | |
|     two additional requests to the LDAP server to be made.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The following configuration options are used in both modes:
 | |
|     <variablelist>
 | |
|      <varlistentry>
 | |
|       <term><literal>ldapserver</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Names or IP addresses of LDAP servers to connect to. Multiple
 | |
|         servers may be specified, separated by spaces.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|      <varlistentry>
 | |
|       <term><literal>ldapport</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Port number on LDAP server to connect to. If no port is specified,
 | |
|         the LDAP library's default port setting will be used.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|      <varlistentry>
 | |
|       <term><literal>ldapscheme</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Set to <literal>ldaps</literal> to use LDAPS.  This is a non-standard
 | |
|         way of using LDAP over SSL, supported by some LDAP server
 | |
|         implementations.  See also the <literal>ldaptls</literal> option for
 | |
|         an alternative.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|      <varlistentry>
 | |
|       <term><literal>ldaptls</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Set to 1 to make the connection between PostgreSQL and the LDAP server
 | |
|         use TLS encryption.  This uses the <literal>StartTLS</literal>
 | |
|         operation per <ulink url="https://datatracker.ietf.org/doc/html/rfc4513">RFC 4513</ulink>.
 | |
|         See also the <literal>ldapscheme</literal> option for an alternative.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|     </variablelist>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     Note that using <literal>ldapscheme</literal> or
 | |
|     <literal>ldaptls</literal> only encrypts the traffic between the
 | |
|     PostgreSQL server and the LDAP server.  The connection between the
 | |
|     PostgreSQL server and the PostgreSQL client will still be unencrypted
 | |
|     unless SSL is used there as well.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The following options are used in simple bind mode only:
 | |
|     <variablelist>
 | |
|      <varlistentry>
 | |
|       <term><literal>ldapprefix</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         String to prepend to the user name when forming the DN to bind as,
 | |
|         when doing simple bind authentication.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|      <varlistentry>
 | |
|       <term><literal>ldapsuffix</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         String to append to the user name when forming the DN to bind as,
 | |
|         when doing simple bind authentication.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|     </variablelist>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The following options are used in search+bind mode only:
 | |
|     <variablelist>
 | |
|      <varlistentry>
 | |
|       <term><literal>ldapbasedn</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Root DN to begin the search for the user in, when doing search+bind
 | |
|         authentication.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|      <varlistentry>
 | |
|       <term><literal>ldapbinddn</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         DN of user to bind to the directory with to perform the search when
 | |
|         doing search+bind authentication.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|      <varlistentry>
 | |
|       <term><literal>ldapbindpasswd</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Password for user to bind to the directory with to perform the search
 | |
|         when doing search+bind authentication.
 | |
|        </para>
 | |
|       </listitem>
 | |
|       </varlistentry>
 | |
|       <varlistentry>
 | |
|        <term><literal>ldapsearchattribute</literal></term>
 | |
|        <listitem>
 | |
|         <para>
 | |
|          Attribute to match against the user name in the search when doing
 | |
|          search+bind authentication.  If no attribute is specified, the
 | |
|          <literal>uid</literal> attribute will be used.
 | |
|         </para>
 | |
|        </listitem>
 | |
|       </varlistentry>
 | |
|       <varlistentry>
 | |
|        <term><literal>ldapsearchfilter</literal></term>
 | |
|        <listitem>
 | |
|         <para>
 | |
|          The search filter to use when doing search+bind authentication.
 | |
|          Occurrences of <literal>$username</literal> will be replaced with the
 | |
|          user name.  This allows for more flexible search filters than
 | |
|          <literal>ldapsearchattribute</literal>.
 | |
|         </para>
 | |
|        </listitem>
 | |
|       </varlistentry>
 | |
|      </variablelist>
 | |
|     </para>
 | |
| 
 | |
|     <para>
 | |
|      The following option may be used as an alternative way to write some of the
 | |
|      above LDAP options in a more compact and standard form:
 | |
|      <variablelist>
 | |
|       <varlistentry>
 | |
|        <term><literal>ldapurl</literal></term>
 | |
|        <listitem>
 | |
|         <para>
 | |
|          An <ulink url="https://datatracker.ietf.org/doc/html/rfc4516">RFC 4516</ulink>
 | |
|          LDAP URL.  The format is
 | |
| <synopsis>
 | |
| ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>][?[<replaceable>filter</replaceable>]]]]
 | |
| </synopsis>
 | |
|          <replaceable>scope</replaceable> must be one
 | |
|          of <literal>base</literal>, <literal>one</literal>, <literal>sub</literal>,
 | |
|          typically the last.  (The default is <literal>base</literal>, which
 | |
|          is normally not useful in this application.)  <replaceable>attribute</replaceable> can
 | |
|          nominate a single attribute, in which case it is used as a value for
 | |
|          <literal>ldapsearchattribute</literal>.  If
 | |
|          <replaceable>attribute</replaceable> is empty then
 | |
|          <replaceable>filter</replaceable> can be used as a value for
 | |
|          <literal>ldapsearchfilter</literal>.
 | |
|         </para>
 | |
| 
 | |
|         <para>
 | |
|          The URL scheme <literal>ldaps</literal> chooses the LDAPS method for
 | |
|          making LDAP connections over SSL, equivalent to using
 | |
|          <literal>ldapscheme=ldaps</literal>.  To use encrypted LDAP
 | |
|          connections using the <literal>StartTLS</literal> operation, use the
 | |
|          normal URL scheme <literal>ldap</literal> and specify the
 | |
|          <literal>ldaptls</literal> option in addition to
 | |
|          <literal>ldapurl</literal>.
 | |
|         </para>
 | |
| 
 | |
|         <para>
 | |
|          For non-anonymous binds, <literal>ldapbinddn</literal>
 | |
|          and <literal>ldapbindpasswd</literal> must be specified as separate
 | |
|          options.
 | |
|         </para>
 | |
| 
 | |
|         <para>
 | |
|          LDAP URLs are currently only supported with
 | |
|          <productname>OpenLDAP</productname>, not on Windows.
 | |
|         </para>
 | |
|        </listitem>
 | |
|       </varlistentry>
 | |
|     </variablelist>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     It is an error to mix configuration options for simple bind with options
 | |
|     for search+bind.  To use <literal>ldapurl</literal> in simple bind mode, the
 | |
|     URL must not contain a <literal>basedn</literal> or query elements.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     When using search+bind mode, the search can be performed using a single
 | |
|     attribute specified with <literal>ldapsearchattribute</literal>, or using
 | |
|     a custom search filter specified with
 | |
|     <literal>ldapsearchfilter</literal>.
 | |
|     Specifying <literal>ldapsearchattribute=foo</literal> is equivalent to
 | |
|     specifying <literal>ldapsearchfilter="(foo=$username)"</literal>.  If neither
 | |
|     option is specified the default is
 | |
|     <literal>ldapsearchattribute=uid</literal>.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|      If <productname>PostgreSQL</productname> was compiled with
 | |
|      <productname>OpenLDAP</productname> as the LDAP client library, the
 | |
|      <literal>ldapserver</literal> setting may be omitted.  In that case, a
 | |
|      list of host names and ports is looked up via
 | |
|      <ulink url="https://datatracker.ietf.org/doc/html/rfc2782">RFC 2782</ulink> DNS SRV records.
 | |
|      The name <literal>_ldap._tcp.DOMAIN</literal> is looked up, where
 | |
|      <literal>DOMAIN</literal> is extracted from <literal>ldapbasedn</literal>.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     Here is an example for a simple-bind LDAP configuration:
 | |
| <programlisting>
 | |
| host ... ldap ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=example, dc=net"
 | |
| </programlisting>
 | |
|     When a connection to the database server as database
 | |
|     user <literal>someuser</literal> is requested, PostgreSQL will attempt to
 | |
|     bind to the LDAP server using the DN <literal>cn=someuser, dc=example,
 | |
|     dc=net</literal> and the password provided by the client.  If that connection
 | |
|     succeeds, the database access is granted.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     Here is a different simple-bind configuration, which uses the LDAPS scheme
 | |
|     and a custom port number, written as a URL:
 | |
| <programlisting>
 | |
| host ... ldap ldapurl="ldaps://ldap.example.net:49151" ldapprefix="cn=" ldapsuffix=", dc=example, dc=net"
 | |
| </programlisting>
 | |
|     This is slightly more compact than specifying <literal>ldapserver</literal>,
 | |
|     <literal>ldapscheme</literal>, and <literal>ldapport</literal> separately.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     Here is an example for a search+bind configuration:
 | |
| <programlisting>
 | |
| host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapsearchattribute=uid
 | |
| </programlisting>
 | |
|     When a connection to the database server as database
 | |
|     user <literal>someuser</literal> is requested, PostgreSQL will attempt to
 | |
|     bind anonymously (since <literal>ldapbinddn</literal> was not specified) to
 | |
|     the LDAP server, perform a search for <literal>(uid=someuser)</literal>
 | |
|     under the specified base DN.  If an entry is found, it will then attempt to
 | |
|     bind using that found information and the password supplied by the client.
 | |
|     If that second bind succeeds, the database access is granted.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     Here is the same search+bind configuration written as a URL:
 | |
| <programlisting>
 | |
| host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
 | |
| </programlisting>
 | |
|     Some other software that supports authentication against LDAP uses the
 | |
|     same URL format, so it will be easier to share the configuration.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     Here is an example for a search+bind configuration that uses
 | |
|     <literal>ldapsearchfilter</literal> instead of
 | |
|     <literal>ldapsearchattribute</literal> to allow authentication by
 | |
|     user ID or email address:
 | |
| <programlisting>
 | |
| host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapsearchfilter="(|(uid=$username)(mail=$username))"
 | |
| </programlisting>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     Here is an example for a search+bind configuration that uses DNS SRV
 | |
|     discovery to find the host name(s) and port(s) for the LDAP service for the
 | |
|     domain name <literal>example.net</literal>:
 | |
| <programlisting>
 | |
| host ... ldap ldapbasedn="dc=example,dc=net"
 | |
| </programlisting>
 | |
|    </para>
 | |
| 
 | |
|    <tip>
 | |
|     <para>
 | |
|      Since LDAP often uses commas and spaces to separate the different
 | |
|      parts of a DN, it is often necessary to use double-quoted parameter
 | |
|      values when configuring LDAP options, as shown in the examples.
 | |
|     </para>
 | |
|    </tip>
 | |
| 
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="auth-radius">
 | |
|    <title>RADIUS Authentication</title>
 | |
| 
 | |
|    <indexterm zone="auth-radius">
 | |
|     <primary>RADIUS</primary>
 | |
|    </indexterm>
 | |
| 
 | |
|    <para>
 | |
|     This authentication method operates similarly to
 | |
|     <literal>password</literal> except that it uses RADIUS
 | |
|     as the password verification method. RADIUS is used only to validate
 | |
|     the user name/password pairs. Therefore the user must already
 | |
|     exist in the database before RADIUS can be used for
 | |
|     authentication.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     When using RADIUS authentication, an Access Request message will be sent
 | |
|     to the configured RADIUS server. This request will be of type
 | |
|     <literal>Authenticate Only</literal>, and include parameters for
 | |
|     <literal>user name</literal>, <literal>password</literal> (encrypted) and
 | |
|     <literal>NAS Identifier</literal>. The request will be encrypted using
 | |
|     a secret shared with the server. The RADIUS server will respond to
 | |
|     this request with either <literal>Access Accept</literal> or
 | |
|     <literal>Access Reject</literal>. There is no support for RADIUS accounting.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     Multiple RADIUS servers can be specified, in which case they will
 | |
|     be tried sequentially. If a negative response is received from
 | |
|     a server, the authentication will fail. If no response is received,
 | |
|     the next server in the list will be tried. To specify multiple
 | |
|     servers, separate the server names with commas and surround the list
 | |
|     with double quotes. If multiple servers are specified, the other
 | |
|     RADIUS options can also be given as comma-separated lists, to provide
 | |
|     individual values for each server. They can also be specified as
 | |
|     a single value, in which case that value will apply to all servers.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The following configuration options are supported for RADIUS:
 | |
|      <variablelist>
 | |
|       <varlistentry>
 | |
|        <term><literal>radiusservers</literal></term>
 | |
|        <listitem>
 | |
|         <para>
 | |
|          The DNS names or IP addresses of the RADIUS servers to connect to.
 | |
|          This parameter is required.
 | |
|         </para>
 | |
|        </listitem>
 | |
|       </varlistentry>
 | |
| 
 | |
|       <varlistentry>
 | |
|        <term><literal>radiussecrets</literal></term>
 | |
|        <listitem>
 | |
|         <para>
 | |
|          The shared secrets used when talking securely to the RADIUS
 | |
|          servers. This must have exactly the same value on the PostgreSQL
 | |
|          and RADIUS servers. It is recommended that this be a string of
 | |
|          at least 16 characters. This parameter is required.
 | |
|          <note>
 | |
|          <para>
 | |
|           The encryption vector used will only be cryptographically
 | |
|           strong if <productname>PostgreSQL</productname> is built with support for
 | |
|           <productname>OpenSSL</productname>. In other cases, the transmission to the
 | |
|           RADIUS server should only be considered obfuscated, not secured, and
 | |
|           external security measures should be applied if necessary.
 | |
|          </para>
 | |
|          </note>
 | |
|         </para>
 | |
|        </listitem>
 | |
|       </varlistentry>
 | |
| 
 | |
|       <varlistentry>
 | |
|        <term><literal>radiusports</literal></term>
 | |
|        <listitem>
 | |
|         <para>
 | |
|          The port numbers to connect to on the RADIUS servers. If no port
 | |
|          is specified, the default RADIUS port (<literal>1812</literal>)
 | |
|          will be used.
 | |
|         </para>
 | |
|        </listitem>
 | |
|       </varlistentry>
 | |
| 
 | |
|       <varlistentry>
 | |
|        <term><literal>radiusidentifiers</literal></term>
 | |
|        <listitem>
 | |
|         <para>
 | |
|          The strings to be used as <literal>NAS Identifier</literal> in the
 | |
|          RADIUS requests. This parameter can be used, for example, to
 | |
|          identify which database cluster the user is attempting to connect
 | |
|          to, which can be useful for policy matching on
 | |
|          the RADIUS server. If no identifier is specified, the default
 | |
|          <literal>postgresql</literal> will be used.
 | |
|         </para>
 | |
|        </listitem>
 | |
|       </varlistentry>
 | |
| 
 | |
|      </variablelist>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     If it is necessary to have a comma or whitespace in a RADIUS parameter
 | |
|     value, that can be done by putting double quotes around the value, but
 | |
|     it is tedious because two layers of double-quoting are now required.
 | |
|     An example of putting whitespace into RADIUS secret strings is:
 | |
| <programlisting>
 | |
| host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""secret two"""
 | |
| </programlisting>
 | |
|    </para>
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="auth-cert">
 | |
|    <title>Certificate Authentication</title>
 | |
| 
 | |
|    <indexterm zone="auth-cert">
 | |
|     <primary>Certificate</primary>
 | |
|    </indexterm>
 | |
| 
 | |
|    <para>
 | |
|     This authentication method uses SSL client certificates to perform
 | |
|     authentication. It is therefore only available for SSL connections;
 | |
|     see <xref linkend="ssl-openssl-config"/> for SSL configuration instructions.
 | |
|     When using this authentication method, the server will require that
 | |
|     the client provide a valid, trusted certificate.  No password prompt
 | |
|     will be sent to the client.  The <literal>cn</literal> (Common Name)
 | |
|     attribute of the certificate
 | |
|     will be compared to the requested database user name, and if they match
 | |
|     the login will be allowed.  User name mapping can be used to allow
 | |
|     <literal>cn</literal> to be different from the database user name.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The following configuration options are supported for SSL certificate
 | |
|     authentication:
 | |
|     <variablelist>
 | |
|      <varlistentry>
 | |
|       <term><literal>map</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Allows for mapping between system and database user names. See
 | |
|         <xref linkend="auth-username-maps"/> for details.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|     </variablelist>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     It is redundant to use the <literal>clientcert</literal> option with
 | |
|     <literal>cert</literal> authentication because <literal>cert</literal>
 | |
|     authentication is effectively <literal>trust</literal> authentication
 | |
|     with <literal>clientcert=verify-full</literal>.
 | |
|    </para>
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="auth-pam">
 | |
|    <title>PAM Authentication</title>
 | |
| 
 | |
|    <indexterm zone="auth-pam">
 | |
|     <primary>PAM</primary>
 | |
|    </indexterm>
 | |
| 
 | |
|    <para>
 | |
|     This authentication method operates similarly to
 | |
|     <literal>password</literal> except that it uses PAM (Pluggable
 | |
|     Authentication Modules) as the authentication mechanism. The
 | |
|     default PAM service name is <literal>postgresql</literal>.
 | |
|     PAM is used only to validate user name/password pairs and optionally the
 | |
|     connected remote host name or IP address. Therefore the user must already
 | |
|     exist in the database before PAM can be used for authentication.  For more
 | |
|     information about PAM, please read the
 | |
|     <ulink url="https://www.kernel.org/pub/linux/libs/pam/">
 | |
|     <productname>Linux-PAM</productname> Page</ulink>.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The following configuration options are supported for PAM:
 | |
|     <variablelist>
 | |
|      <varlistentry>
 | |
|       <term><literal>pamservice</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         PAM service name.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|      <varlistentry>
 | |
|       <term><literal>pam_use_hostname</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Determines whether the remote IP address or the host name is provided
 | |
|         to PAM modules through the <symbol>PAM_RHOST</symbol> item.  By
 | |
|         default, the IP address is used.  Set this option to 1 to use the
 | |
|         resolved host name instead.  Host name resolution can lead to login
 | |
|         delays.  (Most PAM configurations don't use this information, so it is
 | |
|         only necessary to consider this setting if a PAM configuration was
 | |
|         specifically created to make use of it.)
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|     </variablelist>
 | |
|    </para>
 | |
| 
 | |
|    <note>
 | |
|     <para>
 | |
|      If PAM is set up to read <filename>/etc/shadow</filename>, authentication
 | |
|      will fail because the PostgreSQL server is started by a non-root
 | |
|      user.  However, this is not an issue when PAM is configured to use
 | |
|      LDAP or other authentication methods.
 | |
|     </para>
 | |
|    </note>
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="auth-bsd">
 | |
|    <title>BSD Authentication</title>
 | |
| 
 | |
|    <indexterm zone="auth-bsd">
 | |
|     <primary>BSD Authentication</primary>
 | |
|    </indexterm>
 | |
| 
 | |
|    <para>
 | |
|     This authentication method operates similarly to
 | |
|     <literal>password</literal> except that it uses BSD Authentication
 | |
|     to verify the password. BSD Authentication is used only
 | |
|     to validate user name/password pairs. Therefore the user's role must
 | |
|     already exist in the database before BSD Authentication can be used
 | |
|     for authentication. The BSD Authentication framework is currently
 | |
|     only available on OpenBSD.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     BSD Authentication in <productname>PostgreSQL</productname> uses
 | |
|     the <literal>auth-postgresql</literal> login type and authenticates with
 | |
|     the <literal>postgresql</literal> login class if that's defined
 | |
|     in <filename>login.conf</filename>. By default that login class does not
 | |
|     exist, and <productname>PostgreSQL</productname> will use the default login class.
 | |
|    </para>
 | |
| 
 | |
|    <note>
 | |
|     <para>
 | |
|      To use BSD Authentication, the PostgreSQL user account (that is, the
 | |
|      operating system user running the server) must first be added to
 | |
|      the <literal>auth</literal> group.  The <literal>auth</literal> group
 | |
|      exists by default on OpenBSD systems.
 | |
|     </para>
 | |
|    </note>
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="auth-oauth">
 | |
|    <title>OAuth Authorization/Authentication</title>
 | |
| 
 | |
|    <indexterm zone="auth-oauth">
 | |
|     <primary>OAuth Authorization/Authentication</primary>
 | |
|    </indexterm>
 | |
| 
 | |
|    <para>
 | |
|     OAuth 2.0 is an industry-standard framework, defined in
 | |
|     <ulink url="https://datatracker.ietf.org/doc/html/rfc6749">RFC 6749</ulink>,
 | |
|     to enable third-party applications to obtain limited access to a protected
 | |
|     resource.
 | |
| 
 | |
|     OAuth client support has to be enabled when <productname>PostgreSQL</productname>
 | |
|     is built, see <xref linkend="installation"/> for more information.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     This documentation uses the following terminology when discussing the OAuth
 | |
|     ecosystem:
 | |
| 
 | |
|     <variablelist>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term>Resource Owner (or End User)</term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         The user or system who owns protected resources and can grant access to
 | |
|         them. This documentation also uses the term <emphasis>end user</emphasis>
 | |
|         when the resource owner is a person. When you use
 | |
|         <application>psql</application> to connect to the database using OAuth,
 | |
|         you are the resource owner/end user.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term>Client</term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         The system which accesses the protected resources using access
 | |
|         tokens. Applications using libpq, such as <application>psql</application>,
 | |
|         are the OAuth clients when connecting to a
 | |
|         <productname>PostgreSQL</productname> cluster.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term>Resource Server</term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         The system hosting the protected resources which are
 | |
|         accessed by the client. The <productname>PostgreSQL</productname>
 | |
|         cluster being connected to is the resource server.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term>Provider</term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         The organization, product vendor, or other entity which develops and/or
 | |
|         administers the OAuth authorization servers and clients for a given application.
 | |
|         Different providers typically choose different implementation details
 | |
|         for their OAuth systems; a client of one provider is not generally
 | |
|         guaranteed to have access to the servers of another.
 | |
|        </para>
 | |
|        <para>
 | |
|         This use of the term "provider" is not standard, but it seems to be in
 | |
|         wide use colloquially. (It should not be confused with OpenID's similar
 | |
|         term "Identity Provider". While the implementation of OAuth in
 | |
|         <productname>PostgreSQL</productname> is intended to be interoperable
 | |
|         and compatible with OpenID Connect/OIDC, it is not itself an OIDC client
 | |
|         and does not require its use.)
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term>Authorization Server</term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         The system which receives requests from, and issues access tokens to,
 | |
|         the client after the authenticated resource owner has given approval.
 | |
|         <productname>PostgreSQL</productname> does not provide an authorization
 | |
|         server; it is the responsibility of the OAuth provider.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term id="auth-oauth-issuer">Issuer</term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         An identifier for an authorization server, printed as an
 | |
|         <literal>https://</literal> URL, which provides a trusted "namespace"
 | |
|         for OAuth clients and applications. The issuer identifier allows a
 | |
|         single authorization server to talk to the clients of mutually
 | |
|         untrusting entities, as long as they maintain separate issuers.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|     </variablelist>
 | |
| 
 | |
|     <note>
 | |
|      <para>
 | |
|       For small deployments, there may not be a meaningful distinction between
 | |
|       the "provider", "authorization server", and "issuer". However, for more
 | |
|       complicated setups, there may be a one-to-many (or many-to-many)
 | |
|       relationship: a provider may rent out multiple issuer identifiers to
 | |
|       separate tenants, then provide multiple authorization servers, possibly
 | |
|       with different supported feature sets, to interact with their clients.
 | |
|      </para>
 | |
|     </note>
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     <productname>PostgreSQL</productname> supports bearer tokens, defined in
 | |
|     <ulink url="https://datatracker.ietf.org/doc/html/rfc6750">RFC 6750</ulink>,
 | |
|     which are a type of access token used with OAuth 2.0 where the token is an
 | |
|     opaque string.  The format of the access token is implementation specific
 | |
|     and is chosen by each authorization server.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
|     The following configuration options are supported for OAuth:
 | |
|     <variablelist>
 | |
|      <varlistentry>
 | |
|       <term><literal>issuer</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         An HTTPS URL which is either the exact
 | |
|         <link linkend="auth-oauth-issuer">issuer identifier</link> of the
 | |
|         authorization server, as defined by its discovery document, or a
 | |
|         well-known URI that points directly to that discovery document. This
 | |
|         parameter is required.
 | |
|        </para>
 | |
|        <para>
 | |
|         When an OAuth client connects to the server, a URL for the discovery
 | |
|         document will be constructed using the issuer identifier. By default,
 | |
|         this URL uses the conventions of OpenID Connect Discovery: the path
 | |
|         <literal>/.well-known/openid-configuration</literal> will be appended
 | |
|         to the end of the issuer identifier. Alternatively, if the
 | |
|         <literal>issuer</literal> contains a <literal>/.well-known/</literal>
 | |
|         path segment, that URL will be provided to the client as-is.
 | |
|        </para>
 | |
|        <warning>
 | |
|         <para>
 | |
|          The OAuth client in libpq requires the server's issuer setting to
 | |
|          exactly match the issuer identifier which is provided in the discovery
 | |
|          document, which must in turn match the client's
 | |
|          <xref linkend="libpq-connect-oauth-issuer"/> setting. No variations in
 | |
|          case or formatting are permitted.
 | |
|         </para>
 | |
|        </warning>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term><literal>scope</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         A space-separated list of the OAuth scopes needed for the server to
 | |
|         both authorize the client and authenticate the user.  Appropriate values
 | |
|         are determined by the authorization server and the OAuth validation
 | |
|         module used (see <xref linkend="oauth-validators" /> for more
 | |
|         information on validators).  This parameter is required.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term><literal>validator</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         The library to use for validating bearer tokens. If given, the name must
 | |
|         exactly match one of the libraries listed in
 | |
|         <xref linkend="guc-oauth-validator-libraries" />.  This parameter is
 | |
|         optional unless <literal>oauth_validator_libraries</literal> contains
 | |
|         more than one library, in which case it is required.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term><literal>map</literal></term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         Allows for mapping between OAuth identity provider and database user
 | |
|         names.  See <xref linkend="auth-username-maps"/> for details.  If a
 | |
|         map is not specified, the user name associated with the token (as
 | |
|         determined by the OAuth validator) must exactly match the role name
 | |
|         being requested.  This parameter is optional.
 | |
|        </para>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
| 
 | |
|      <varlistentry>
 | |
|       <term id="auth-oauth-delegate-ident-mapping" xreflabel="delegate_ident_mapping">
 | |
|        <literal>delegate_ident_mapping</literal>
 | |
|       </term>
 | |
|       <listitem>
 | |
|        <para>
 | |
|         An advanced option which is not intended for common use.
 | |
|        </para>
 | |
|        <para>
 | |
|         When set to <literal>1</literal>, standard user mapping with
 | |
|         <filename>pg_ident.conf</filename> is skipped, and the OAuth validator
 | |
|         takes full responsibility for mapping end user identities to database
 | |
|         roles.  If the validator authorizes the token, the server trusts that
 | |
|         the user is allowed to connect under the requested role, and the
 | |
|         connection is allowed to proceed regardless of the authentication
 | |
|         status of the user.
 | |
|        </para>
 | |
|        <para>
 | |
|         This parameter is incompatible with <literal>map</literal>.
 | |
|        </para>
 | |
|        <warning>
 | |
|         <para>
 | |
|          <literal>delegate_ident_mapping</literal> provides additional
 | |
|          flexibility in the design of the authentication system, but it also
 | |
|          requires careful implementation of the OAuth validator, which must
 | |
|          determine whether the provided token carries sufficient end-user
 | |
|          privileges in addition to the <link linkend="oauth-validators">standard
 | |
|          checks</link> required of all validators.  Use with caution.
 | |
|         </para>
 | |
|        </warning>
 | |
|       </listitem>
 | |
|      </varlistentry>
 | |
|     </variablelist>
 | |
|    </para>
 | |
|   </sect1>
 | |
| 
 | |
|   <sect1 id="client-authentication-problems">
 | |
|    <title>Authentication Problems</title>
 | |
| 
 | |
|    <para>
 | |
|     Authentication failures and related problems generally
 | |
|     manifest themselves through error messages like the following:
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
| <programlisting>
 | |
| FATAL:  no pg_hba.conf entry for host "123.123.123.123", user "andym", database "testdb"
 | |
| </programlisting>
 | |
|     This is what you are most likely to get if you succeed in contacting
 | |
|     the server, but it does not want to talk to you. As the message
 | |
|     suggests, the server refused the connection request because it found
 | |
|     no matching entry in its <filename>pg_hba.conf</filename>
 | |
|     configuration file.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
| <programlisting>
 | |
| FATAL:  password authentication failed for user "andym"
 | |
| </programlisting>
 | |
|     Messages like this indicate that you contacted the server, and it is
 | |
|     willing to talk to you, but not until you pass the authorization
 | |
|     method specified in the <filename>pg_hba.conf</filename> file. Check
 | |
|     the password you are providing, or check your Kerberos or ident
 | |
|     software if the complaint mentions one of those authentication
 | |
|     types.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
| <programlisting>
 | |
| FATAL:  user "andym" does not exist
 | |
| </programlisting>
 | |
|     The indicated database user name was not found.
 | |
|    </para>
 | |
| 
 | |
|    <para>
 | |
| <programlisting>
 | |
| FATAL:  database "testdb" does not exist
 | |
| </programlisting>
 | |
|     The database you are trying to connect to does not exist. Note that
 | |
|     if you do not specify a database name, it defaults to the database
 | |
|     user name.
 | |
|    </para>
 | |
| 
 | |
|    <tip>
 | |
|    <para>
 | |
|     The server log might contain more information about an
 | |
|     authentication failure than is reported to the client. If you are
 | |
|     confused about the reason for a failure, check the server log.
 | |
|    </para>
 | |
|    </tip>
 | |
|   </sect1>
 | |
| 
 | |
|  </chapter>
 |