<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.117 2009/01/0713:09:21 mha Exp $ -->

<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.118 2009/01/09 10:13:18 mha Exp $ -->

<chapter id="client-authentication">

<title>Client Authentication</title>

<term>krb_realm</term>

<listitem>

<para>

Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm

to verify the authenticated user principal against.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>krb_server_hostname</term>

<listitem>

<para>

Overrides the <xref linkend="guc-krb-server-hostname"> parameter, setting which

hostname will be used for the server principal when using Kerberos.

Sets the realm to match user principal names against. If this parameter

is not set, the realm of the user will be ignored.

</para>

</listitem>

</varlistentry>

<term>krb_realm</term>

<listitem>

<para>

Overrides the<xref linkend="guc-krb-realm"> parameter, setting which realm

to verifytheauthenticateduserprincipal against.

Sets the realm to match user principal names against. If this parameter

is not set,therealm of theuserwill be ignored.

</para>

</listitem>

</varlistentry>

<literal>pgusername@realm</>. By default, the realm of the client is

not checked by <productname>PostgreSQL</>. If you have cross-realm

authentication enabled and need to verify the realm, use the

<xref linkend="guc-krb-realm">parameter.

krb_realmparameter in <filename>pg_hba.conf</>.

</para>

<para>

database access over the web, no extra passwords required.

</para>

<para>

The following configuration options are supported for <productname>Kerberos</productname>:

<variablelist>

<varlistentry>

<term>map</term>

<listitem>

<para>

Allows for mapping between system and database usernames. See

<xref linkend="auth-username-maps"> for details.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>include_realm</term>

<listitem>

<para>

Include the realm name from the authenticated user principal. This is useful

in combination with Username maps (See <xref linkend="auth-username-maps">

for details), especially with regular expressions, to map users from

multiple realms.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>krb_realm</term>

<listitem>

<para>

Sets the realm to match user principal names against. If this parameter

is not set, the realm of the user will be ignored.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>krb_server_hostname</term>

<listitem>

<para>

Sets the host name part of the service principal.

This, combined with <varname>krb_srvname</>, is used to generate

the complete service principal, that is

<varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.

If not set, the default is the server host name.

</para>

</listitem>

</varlistentry>

</variablelist>

</para>

</sect2>

<sect2 id="auth-ident">

<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.203 2009/01/07 22:40:48 tgl Exp $ -->

<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.204 2009/01/09 10:13:18 mha Exp $ -->

<chapter Id="runtime-config">

<title>Server Configuration</title>

</listitem>

</varlistentry>

<varlistentry id="guc-krb-realm" xreflabel="krb_realm">

<term><varname>krb_realm</varname> (<type>string</type>)</term>

<indexterm>

<primary><varname>krb_realm</> configuration parameter</primary>

</indexterm>

<listitem>

<para>

Sets the realm to match Kerberos, GSSAPI and SSPI user names against.

See <xref linkend="kerberos-auth">, <xref linkend="gssapi-auth"> or

<xref linkend="sspi-auth"> for details. This parameter can only be

set in the <filename>postgresql.conf</> file or on the server

command line.

</para>

</listitem>

</varlistentry>

<varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">

<term><varname>krb_server_keyfile</varname> (<type>string</type>)</term>

<indexterm>

</listitem>

</varlistentry>

<varlistentry id="guc-krb-server-hostname" xreflabel="krb_server_hostname">

<term><varname>krb_server_hostname</varname> (<type>string</type>)</term>

<indexterm>

<primary><varname>krb_server_hostname</> configuration parameter</primary>

</indexterm>

<listitem>

<para>

Sets the host name part of the service principal.

This, combined with <varname>krb_srvname</>, is used to generate

the complete service principal, that is

<varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.

If not set, the default is the server host name. See <xref linkend="kerberos-auth">

for details. This parameter can only be set in the <filename>postgresql.conf</>

file or on the server command line.

</para>

</listitem>

</varlistentry>

<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">

<term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>

<indexterm>

char*pg_krb_server_keyfile;

char*pg_krb_srvnam;

boolpg_krb_caseins_users;

char*pg_krb_server_hostname=NULL;

char*pg_krb_realm=NULL;

if (port->hba->krb_server_hostname)

khostname=port->hba->krb_server_hostname;

khostname=pg_krb_server_hostname;

khostname=port->hba->krb_server_hostname;

if (khostname&&khostname[0]=='\0')

khostname=NULL;

krb5_ticket*ticket;

char*kusername;

char*cp;

char*realmmatch;

if (get_role_line(port->user_name)==NULL)

returnSTATUS_ERROR;

returnSTATUS_ERROR;

}

if (port->hba->krb_realm)

realmmatch=port->hba->krb_realm;

realmmatch=pg_krb_realm;

cp=strchr(kusername,'@');

if (cp)

{

*cp='\0';

cp++;

if (realmmatch!=NULL&&strlen(realmmatch))

if (port->hba->krb_realm!=NULL&&strlen(port->hba->krb_realm))

{

if (pg_krb_caseins_users)

ret=pg_strcasecmp(realmmatch,cp);

ret=pg_strcasecmp(port->hba->krb_realm,cp);

ret=strcmp(realmmatch,cp);

ret=strcmp(port->hba->krb_realm,cp);

if (ret)

{

elog(DEBUG2,

"krb5 realm (%s) and configured realm (%s) don't match",

cp,realmmatch);

cp,port->hba->krb_realm);

krb5_free_ticket(pg_krb5_context,ticket);

krb5_auth_con_free(pg_krb5_context,auth_context);

returnSTATUS_ERROR;

}

}

}

elseif (realmmatch&&strlen(realmmatch))

elseif (port->hba->krb_realm&&strlen(port->hba->krb_realm))

{

elog(DEBUG2,

"krb5 did not return realm but realm matching was requested");

intret;

StringInfoDatabuf;

gss_buffer_descgbuf;

char*realmmatch;

gettext_noop("retrieving GSS user name failed"),

maj_stat,min_stat);

if (port->hba->krb_realm)

realmmatch=port->hba->krb_realm;

realmmatch=pg_krb_realm;

*cp='\0';

cp++;

if (realmmatch!=NULL&&strlen(realmmatch))

if (port->hba->krb_realm!=NULL&&strlen(port->hba->krb_realm))

{

if (pg_krb_caseins_users)

ret=pg_strcasecmp(realmmatch,cp);

ret=pg_strcasecmp(port->hba->krb_realm,cp);

ret=strcmp(realmmatch,cp);

ret=strcmp(port->hba->krb_realm,cp);

if (ret)

{

elog(DEBUG2,

"GSSAPI realm (%s) and configured realm (%s) don't match",

cp,realmmatch);

cp,port->hba->krb_realm);

gss_release_buffer(&lmin_s,&gbuf);

returnSTATUS_ERROR;

}

}

}

elseif (realmmatch&&strlen(realmmatch))

elseif (port->hba->krb_realm&&strlen(port->hba->krb_realm))

{

elog(DEBUG2,

"GSSAPI did not return realm but realm matching was requested");

SID_NAME_USEaccountnameuse;

HMODULEsecur32;

QUERY_SECURITY_CONTEXT_TOKEN_FN_QuerySecurityContextToken;

char*realmmatch;

if (port->hba->krb_realm)

realmmatch=port->hba->krb_realm;

realmmatch=pg_krb_realm;

if (realmmatch&&strlen(realmmatch))

if (port->hba->krb_realm&&strlen(port->hba->krb_realm))

{

if (pg_strcasecmp(realmmatch,domainname))

if (pg_strcasecmp(port->hba->krb_realm,domainname))

{

elog(DEBUG2,

"SSPI domain (%s) and configured domain (%s) don't match",

domainname,realmmatch);

domainname,port->hba->krb_realm);

returnSTATUS_ERROR;

}

"$libdir",NULL,NULL

},

{

{"krb_realm",PGC_SIGHUP,CONN_AUTH_SECURITY,

gettext_noop("Sets realm to match Kerberos and GSSAPI users against."),

NULL,

},

&pg_krb_realm,

NULL,NULL,NULL

},

{

{"krb_server_keyfile",PGC_SIGHUP,CONN_AUTH_SECURITY,

gettext_noop("Sets the location of the Kerberos server key file."),

PG_KRB_SRVNAM,NULL,NULL

},

{

{"krb_server_hostname",PGC_SIGHUP,CONN_AUTH_SECURITY,

gettext_noop("Sets the hostname of the Kerberos server."),

},

&pg_krb_server_hostname,

NULL,NULL,NULL

},

{

{"bonjour_name",PGC_POSTMASTER,CONN_AUTH_SETTINGS,

gettext_noop("Sets the Bonjour broadcast service name."),

# Kerberos and GSSAPI

#krb_server_keyfile = ''

#krb_srvname = 'postgres'# (Kerberos only)

#krb_server_hostname = ''# empty string matches any keytab entry

# (Kerberos only)

#krb_caseins_users = off

#krb_realm = ''

# - TCP Keepalives -

# see "man 7 tcp" for details