<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.89 2006/04/30 21:15:32 tgl Exp $ -->

<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.90 2006/06/1615:16:16 momjian Exp $ -->

<chapter id="client-authentication">

<title>Client Authentication</title>

</listitem>

</varlistentry>

<varlistentry>

<term><literal>ldap</></term>

<listitem>

<para>

Authenticate using LDAP to a central server. See <xref

linkend="auth-ldap"> for details.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term><literal>pam</></term>

<listitem>

</sect3>

</sect2>

<sect2 id="auth-ldap">

<title>LDAP authentication</title>

<indexterm zone="auth-ldap">

<primary>LDAP</primary>

</indexterm>

<para>

This authentication method operates similarly to

<literal>password</literal> except that it uses LDAP

as the authentication method. LDAP is used only to validate

the user name/password pairs. Therefore the user must already

exist in the database before LDAP can be used for

authentication. The server and parameters used are specified

after the <literal>ldap</> key word in the file

<filename>pg_hba.conf</filename>. The format of this parameter is:

<synopsis>

ldap[<replaceable>s</>]://<replaceable>servername</>[:<replaceable>port</>]/<replaceable>base dn</replaceable>[;<replaceable>prefix</>[;<replaceable>suffix</>]]

</synopsis>

for example:

<synopsis>

ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\

</synopsis>

</para>

<para>

If <literal>ldaps</> is specified instead of <literal>ldap</>,

TLS encryption will be enabled for the connection. Note that this

will encrypt only the connection between the PostgreSQL server

and the LDAP server. The connection between the client and the

PostgreSQL server is not affected by this setting. To make use of

TLS encryption, you may need to configure the LDAP library prior

to configuring PostgreSQL.

</para>

<para>

If no port is specified, the default port as configured in the

LDAP library will be used.

</para>

<para>

The server will bind to the distinguished name specified as

<replaceable>base dn</> using the username supplied by the client.

If <replaceable>prefix</> and <replaceable>suffix</> is

specified, it will be prepended and appended to the username

before the bind. Typically, the prefix parameter is used to specify

<replaceable>cn=</>, or <replaceable>DOMAIN\</> in an Active

Directory environment.

</para>

</sect2>

<sect2 id="auth-pam">

<title>PAM authentication</title>

<!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.256 2006/04/25 15:19:16 momjian Exp $ -->

<!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.257 2006/06/16 15:16:16 momjian Exp $ -->

<chapter id="installation">

<title><![%standalone-include[<productname>PostgreSQL</>]]>

<listitem>

<para>

<application>Kerberos</>, <productname>OpenSSL</>, and/or

<application>Kerberos</>, <productname>OpenSSL</>,

<productname>OpenLDAP</>, and/or

<application>PAM</>, if you want to support authentication or

encryption using these services.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term><option>--with-ldap</option></term>

<listitem>

<para>

Build with <acronym>LDAP</><indexterm><primary>LDAP</></>

authentication support. On Unix, this requires the

<productname>OpenLDAP</> package to be installed.

<filename>configure</> will check for the required header files

and libraries to make sure that your <productname>OpenLDAP</>

installation is sufficient before proceeding. On Windows,

the default <productname>WinLDAP</> library is used.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term><option>--with-libedit-preferred</option></term>

<listitem>