Commit 36db18ea authored by Tom Lane's avatar Tom Lane

Docs: minor copy-editing for GSSAPI/SSPI authentication docs.

Describe compat_realm = 0 as "disabled" not "enabled", per discussion
with Christian Ullrich.  I failed to resist the temptation to do some
other minor copy-editing in the same area.
parent 6e243c43
...@@ -970,17 +970,18 @@ omicron bryanh guest1 ...@@ -970,17 +970,18 @@ omicron bryanh guest1
strongly discouraged as it is then impossible to distinguish different users strongly discouraged as it is then impossible to distinguish different users
with the same user name but coming from different realms. To enable this, with the same user name but coming from different realms. To enable this,
set <literal>include_realm</> to 0. For simple single-realm set <literal>include_realm</> to 0. For simple single-realm
installations, <literal>include_realm</> combined with the installations, doing that combined with setting the
<literal>krb_realm</> parameter (which checks that the realm provided <literal>krb_realm</> parameter (which checks that the principal's realm
matches exactly what is in the <literal>krb_realm</literal> parameter) would be a secure but matches exactly what is in the <literal>krb_realm</literal> parameter)
less capable option compared to specifying an explicit mapping in is still secure; but this is a
less capable approach compared to specifying an explicit mapping in
<filename>pg_ident.conf</>. <filename>pg_ident.conf</>.
</para> </para>
<para> <para>
Make sure that your server keytab file is readable (and preferably Make sure that your server keytab file is readable (and preferably
only readable) by the <productname>PostgreSQL</productname> server only readable, not writable) by the <productname>PostgreSQL</productname>
account. (See also <xref linkend="postgres-user">.) The location server account. (See also <xref linkend="postgres-user">.) The location
of the key file is specified by the <xref of the key file is specified by the <xref
linkend="guc-krb-server-keyfile"> configuration linkend="guc-krb-server-keyfile"> configuration
parameter. The default is parameter. The default is
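Review bot: the new parenthetical on the right-hand side of this hunk is circular: it explains the krb_realm parameter as checking that "the principal's realm matches exactly what is in the krb_realm parameter". Since the sentence already names the parameter, the parenthetical should say what the check does, e.g. "(which rejects any principal whose realm does not exactly match its value)". Two smaller points in the same hunk: "To enable this, set include_realm to 0" immediately follows "strongly discouraged", so "this" reads as the discouraged behaviour; "To strip the realm anyway, set include_realm to 0" is unambiguous. The keytab wording change ("only readable, not writable") is worth keeping as is: the server only needs to read the key, so write access is unnecessary privilege.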
...@@ -1019,10 +1020,12 @@ omicron bryanh guest1 ...@@ -1019,10 +1020,12 @@ omicron bryanh guest1
If set to 0, the realm name from the authenticated user principal is If set to 0, the realm name from the authenticated user principal is
stripped off before being passed through the user name mapping stripped off before being passed through the user name mapping
(<xref linkend="auth-username-maps">). This is discouraged and is (<xref linkend="auth-username-maps">). This is discouraged and is
primarily available for backwards compatibility as it is not secure primarily available for backwards compatibility, as it is not secure
in multi-realm environments unless <literal>krb_realm</literal> is also used. Users in multi-realm environments unless <literal>krb_realm</literal> is
are recommended to leave include_realm set to the default (1) and to also used. It is recommended to
provide an explicit mapping in <filename>pg_ident.conf</>. leave <literal>include_realm</literal> set to the default (1) and to
provide an explicit mapping in <filename>pg_ident.conf</> to convert
principal names to <productname>PostgreSQL</> user names.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
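Review bot: the rewritten sentence "It is recommended to leave include_realm set to the default (1) ..." reads well, but the justification on the right-hand side, "it is not secure in multi-realm environments unless krb_realm is also used", still does not say why, and a reader landing on this parameter entry has not necessarily seen the explanation in the earlier section (that users with the same user name from different realms become indistinguishable once the realm is stripped). A short clause here, e.g. ", since principals from different realms that share a user name map to the same PostgreSQL user," would let the entry stand on its own.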
...@@ -1098,10 +1101,12 @@ omicron bryanh guest1 ...@@ -1098,10 +1101,12 @@ omicron bryanh guest1
If set to 0, the realm name from the authenticated user principal is If set to 0, the realm name from the authenticated user principal is
stripped off before being passed through the user name mapping stripped off before being passed through the user name mapping
(<xref linkend="auth-username-maps">). This is discouraged and is (<xref linkend="auth-username-maps">). This is discouraged and is
primarily available for backwards compatibility as it is not secure primarily available for backwards compatibility, as it is not secure
in multi-realm environments unless <literal>krb_realm</literal> is also used. Users in multi-realm environments unless <literal>krb_realm</literal> is
are recommended to leave include_realm set to the default (1) and to also used. It is recommended to
provide an explicit mapping in <filename>pg_ident.conf</>. leave <literal>include_realm</literal> set to the default (1) and to
provide an explicit mapping in <filename>pg_ident.conf</> to convert
principal names to <productname>PostgreSQL</> user names.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
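Review bot: this SSPI include_realm entry is a word-for-word copy of the GSSAPI include_realm entry in the previous hunk, and the two must be edited in lockstep, as this commit does. Consider turning one into a cross-reference to the other, or factoring the shared text into an SGML entity, so that a future edit to one cannot leave the other stale; the same comment applies to the missing "why" noted on the GSSAPI copy.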
...@@ -1116,7 +1121,7 @@ omicron bryanh guest1 ...@@ -1116,7 +1121,7 @@ omicron bryanh guest1
the Kerberos user principal name is used. the Kerberos user principal name is used.
</para> </para>
<para> <para>
Do not enable this option unless your server runs under a domain Do not disable this option unless your server runs under a domain
account (this includes virtual service accounts on a domain member account (this includes virtual service accounts on a domain member
system) and all clients authenticating through SSPI are also using system) and all clients authenticating through SSPI are also using
domain accounts, or authentication will fail. domain accounts, or authentication will fail.
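Review bot: the corrected sentence "Do not disable this option unless your server runs under a domain account ... and all clients ... are also using domain accounts, or authentication will fail" stacks an "unless" on an "or", which makes the failure condition hard to parse. Since the preceding context line already states the consequence of the setting ("the Kerberos user principal name is used"), a direct form is clearer, e.g. "Disabling this option requires that the server run under a domain account (this includes virtual service accounts on a domain member system) and that all clients authenticating through SSPI also use domain accounts; otherwise authentication will fail." The enable/disable flip itself matches the commit message and is correct.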
......