|
1 | | -<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.127 2010/01/26 06:45:31 petere Exp $ --> |
| 1 | +<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.128 2010/01/27 12:11:59 mha Exp $ --> |
2 | 2 |
|
3 | 3 | <chapter id="client-authentication"> |
4 | 4 | <title>Client Authentication</title> |
@@ -394,6 +394,16 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> |
394 | 394 | </listitem> |
395 | 395 | </varlistentry> |
396 | 396 |
|
| 397 | + <varlistentry> |
| 398 | + <term><literal>radius</></term> |
| 399 | + <listitem> |
| 400 | + <para> |
| 401 | + Authenticate using a RADIUS server. See <xref |
| 402 | + linkend="auth-radius"> for detauls. |
| 403 | + </para> |
| 404 | + </listitem> |
| 405 | + </varlistentry> |
| 406 | + |
397 | 407 | <varlistentry> |
398 | 408 | <term><literal>cert</></term> |
399 | 409 | <listitem> |
@@ -1331,6 +1341,95 @@ ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=example, dc=net" |
1331 | 1341 |
|
1332 | 1342 | </sect2> |
1333 | 1343 |
|
| 1344 | + <sect2 id="auth-radius"> |
| 1345 | + <title>RADIUS authentication</title> |
| 1346 | + |
| 1347 | + <indexterm zone="auth-radius"> |
| 1348 | + <primary>RADIUS</primary> |
| 1349 | + </indexterm> |
| 1350 | + |
| 1351 | + <para> |
| 1352 | + This authentication method operates similarly to |
| 1353 | + <literal>password</literal> except that it uses RADIUS |
| 1354 | + as the password verification method. RADIUS is used only to validate |
| 1355 | + the user name/password pairs. Therefore the user must already |
| 1356 | + exist in the database before RADIUS can be used for |
| 1357 | + authentication. |
| 1358 | + </para> |
| 1359 | + |
| 1360 | + <para> |
| 1361 | + When using RADIUS authentication, an Access Request message will be sent |
| 1362 | + to the configured RADIUS server. This request will be of type |
| 1363 | + <literal>Authenticate Only</literal>, and include parameters for |
| 1364 | + <literal>user name</>, <literal>password</> (encrypted) and |
| 1365 | + <literal>NAS Identifier</>. The request will be encrypted using |
| 1366 | + a secret shared with the server. The RADIUS server will respond to |
| 1367 | + this server with either <literal>Access Accept</> or |
| 1368 | + <literal>Access Reject</>. There is no support for RADIUS accounting. |
| 1369 | + </para> |
| 1370 | + |
| 1371 | + <para> |
| 1372 | + The following configuration options are supported for RADIUS: |
| 1373 | + <variablelist> |
| 1374 | + <varlistentry> |
| 1375 | + <term><literal>radiusserver</literal></term> |
| 1376 | + <listitem> |
| 1377 | + <para> |
| 1378 | + The IP address of the RADIUS server to connect to. This must |
| 1379 | + be an IPV4 address and not a hostname. This parameter is required. |
| 1380 | + </para> |
| 1381 | + </listitem> |
| 1382 | + </varlistentry> |
| 1383 | + |
| 1384 | + <varlistentry> |
| 1385 | + <term><literal>radiussecret</literal></term> |
| 1386 | + <listitem> |
| 1387 | + <para> |
| 1388 | + The shared secret used when talking securely to the RADIUS |
| 1389 | + server. This must have exactly the same value on the PostgreSQL |
| 1390 | + and RADIUS servers. It is recommended that this is a string of |
| 1391 | + at least 16 characters. This parameter is required. |
| 1392 | + <note> |
| 1393 | + <para> |
| 1394 | + The encryption vector used will only be cryptographically |
| 1395 | + strong if <productname>PostgreSQL</> is built with support for |
| 1396 | + <productname>OpenSSL</>. In other cases, the transmission to the |
| 1397 | + RADIUS server should only be considered obfuscated, not secured, and |
| 1398 | + external security measures should be applied if necessary. |
| 1399 | + </para> |
| 1400 | + </note> |
| 1401 | + </para> |
| 1402 | + </listitem> |
| 1403 | + </varlistentry> |
| 1404 | + |
| 1405 | + <varlistentry> |
| 1406 | + <term><literal>radiusport</literal></term> |
| 1407 | + <listitem> |
| 1408 | + <para> |
| 1409 | + The port number on the RADIUS server to connect to. If no port |
| 1410 | + is specified, the default port <literal>1812</> will be used. |
| 1411 | + </para> |
| 1412 | + </listitem> |
| 1413 | + </varlistentry> |
| 1414 | + |
| 1415 | + <varlistentry> |
| 1416 | + <term><literal>radiusidentifier</literal></term> |
| 1417 | + <listitem> |
| 1418 | + <para> |
| 1419 | + The string used as <literal>NAS Identifier</> in the RADIUS |
| 1420 | + requests. This parameter can be used as a second parameter |
| 1421 | + identifying for example which database the user is attempting |
| 1422 | + to authenticate as, which can be used for policy matching on |
| 1423 | + the RADIUS server. If no identifier is specified, the default |
| 1424 | + <literal>postgresql</> will be used. |
| 1425 | + </para> |
| 1426 | + </listitem> |
| 1427 | + </varlistentry> |
| 1428 | + |
| 1429 | + </variablelist> |
| 1430 | + </para> |
| 1431 | + </sect2> |
| 1432 | + |
1334 | 1433 | <sect2 id="auth-cert"> |
1335 | 1434 | <title>Certificate authentication</title> |
1336 | 1435 |
|
|