Commit b4c315b

Revise locale and Kerberos documentation
1 parent 3eec6ee; commit b4c315b

File tree

4 files changed: +199 / -335 lines changed


doc/README.kerberos

Lines changed: 0 additions & 31 deletions
This file was deleted.

doc/src/sgml/client-auth.sgml

Lines changed: 79 additions & 12 deletions
Original file line number | Diff line number | Diff line change
@@ -1,4 +1,4 @@
1-
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.2 2000/07/04 16:31:51 petere Exp $ -->
1+
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.3 2000/07/15 21:35:47 petere Exp $ -->
22

33
<chapter id="client-authentication">
44
<title>Client Authentication</title>
@@ -295,7 +295,8 @@ host all 192.168.2.0 255.255.255.0 ident othermap
295295
file after the <literal>password</> or <literal>crypt</> keyword,
296296
respectively, in <filename>pg_hba.conf</>. If you do not use this
297297
feature, then any user that is known to the database system can
298-
connect (as long as he passes password authentication, of course).
298+
connect to any database (as long as he passes password
299+
authentication, of course).
299300
</para>
300301

301302
<para>
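Review bot: "connect to any database" on the new lines 298+/299+ overstates the case; which databases a password-authenticated user can reach is still governed by the database field of the matching pg_hba.conf record (the hunk context shows `host all 192.168.2.0 255.255.255.0 ident othermap`, where `all` is that field). Suggest "connect to any database the record allows (as long as he passes password authentication, of course)", so readers do not conclude that the secondary password file is the only per-database control available.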
@@ -316,7 +317,7 @@ host all 192.168.2.0 255.255.255.0 ident othermap
316317

317318
<para>
318319
Lines with and without passwords can be mixed in secondary
319-
password files. Lines without password indicate use the main
320+
password files. Lines without password indicate useofthe main
320321
password in <literal>pg_shadow</> that is managed by
321322
<command>CREATE USER</> and <command>ALTER USER</>. Lines with
322323
passwords will cause that password to be used. A password entry of
@@ -348,14 +349,20 @@ host all 192.168.2.0 255.255.255.0 ident othermap
348349
authentication system suitable for distributed computing over a
349350
public network. A description of the
350351
<productname>Kerberos</productname> system is far beyond the scope
351-
of this document; in all generality it can be quite complex. The
352-
<ulink url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">Kerberos <acronym>FAQ</></ulink>
353-
can be a good starting point for exploration.
352+
of this document; in all generality it can be quite complex (yet
353+
powerful). The <ulink
354+
url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">Kerberos
355+
<acronym>FAQ</></ulink> or <ulink
356+
url="ftp://athena-dist.mit.edu">MIT Project Athena</ulink> can be
357+
a good starting point for exploration. Several sources for
358+
<productname>Kerberos</> distributions exist.
354359
</para>
355360

356361
<para>
357362
In order to use <productname>Kerberos</>, support for it must be
358-
enable at build time. Both Kerberos 4 and 5 are supported.
363+
enable at build time. Both Kerberos 4 and 5 are supported
364+
(<literal>./configure --with-krb4</> or <literal>./configure
365+
--with-krb5</> respectively).
359366
</para>
360367

361368
<para>
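Review bot: "enable at build time" on line 363+ should be "enabled"; the typo is carried over from the removed line 358- and this hunk rewrites the sentence anyway. The added `./configure --with-krb4` / `./configure --with-krb5` options are useful, but the paragraph presents Kerberos 4 and 5 as equivalent choices; say which one new installations should pick, since the keytab generation, principal naming and the kadmin example added further down are described for version 5 only.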
@@ -365,14 +372,74 @@ host all 192.168.2.0 255.255.255.0 ident othermap
365372
build. Make sure that your server keytab file is readable (and
366373
preferrably only readable) by the Postgres server account (see
367374
<xref linkend="postgres-user">). The location of the keytab file
368-
is specified at build time. By default it is
375+
is specified at build time; by default it is
369376
<filename>/etc/srvtab</filename> in Kerberos 4 and
370-
<filename>FILE:/usr/local/postgres/krb5.keytab</filename> in
377+
<filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename> in
371378
Kerberos 5.
372379
</para>
373-
<!-- Note from Peter E.: Some of the Kerberos usage information is
374-
still in config.sgml and some in doc/README.kerberos. It should be
375-
integrated here. -->
380+
381+
<para>
382+
To generate the keytab file, use for example (with version 5)
383+
<screen>
384+
kadmin% <userinput>ank -randkey postgres/server.my.domain.org</>
385+
kadmin% <userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
386+
</screen>
387+
Read the <productname>Kerberos</> documentation for defails.
388+
</para>
389+
390+
<para>
391+
In the <productname>Kerberos</> 5 hooks, the following assumptions
392+
are made about user and service naming:
393+
394+
<itemizedlist>
395+
<listitem>
396+
<para>
397+
User principal names (anames) are assumed to contain the actual
398+
Unix/<productname>Postgres</> user name in the first component.
399+
</para>
400+
</listitem>
401+
<listitem>
402+
<para>
403+
The <productname>Postgres</> service is assumed to be have two
404+
components, the service name and a hostname, canonicalized as
405+
in Version 4 (i.e., with all domain suffixes removed).
406+
</para>
407+
</listitem>
408+
</itemizedlist>
409+
410+
<informaltable>
411+
<tgroup cols="2">
412+
<thead>
413+
<row>
414+
<entry>Parameter</>
415+
<entry>Example</>
416+
</row>
417+
</thead>
418+
<tbody>
419+
<row>
420+
<entry>user</>
421+
<entry>frew@S2K.ORG</>
422+
</row>
423+
<row>
424+
<entry>user</>
425+
<entry>aoki/HOST=miyu.S2K.Berkeley.EDU@S2K.ORG</>
426+
</row>
427+
<row>
428+
<entry>host</>
429+
<entry>postgres_dbms/ucbvax@S2K.ORG</>
430+
</row>
431+
</tbody>
432+
</tgroup>
433+
</informaltable>
434+
</para>
435+
436+
<para>
437+
If you use mod_auth_krb and mod_perl on your Apache web server,
438+
you can use AuthType KerberosV5SaveCredentials with a mod_perl
439+
script. This gives secure database access over the web, no extra
440+
passwords required.
441+
</para>
442+
376443
</sect2>
377444

378445
<sect2>
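Review bot: the service principal in the new kadmin example (lines 384+/385+) does not match the naming rules stated two paragraphs later. `ank -randkey postgres/server.my.domain.org` uses the service name `postgres` and a fully qualified host, while lines 403+ to 405+ say the host component is canonicalized "with all domain suffixes removed" and the table gives `postgres_dbms/ucbvax@S2K.ORG`; the keytab has to be generated for whichever form the Kerberos 5 hooks actually request, or authentication fails, so make the example and the table agree and state the service name once. Related: `ktadd -k krb5.keytab ...` writes the keytab to the current directory, so add the step of installing it at the build-time path (`FILE:/usr/local/pgsql/etc/krb5.keytab`) with the owner-only permissions the preceding paragraph asks for. Typos: "defails" (line 387+) should be "details", and "assumed to be have two components" (line 403+) should be "assumed to have two components". The mod_auth_krb paragraph (lines 437+ to 440+) should say what `KerberosV5SaveCredentials` implies, namely that the browser user's Kerberos credentials are saved on the web server for the mod_perl script to connect with, since "secure database access over the web, no extra passwords required" otherwise hides the trust being placed in the web host. Finally, the removed note from Peter E. (lines 373- to 375-) also pointed at config.sgml; doc/README.kerberos is deleted in this commit, but confirm the config.sgml material has been merged here as well.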

