path: root/doc/src/sgml/html/sspi-auth.html
Diffstat (limited to 'doc/src/sgml/html/sspi-auth.html')
1 files changed, 68 insertions, 0 deletions
diff --git a/doc/src/sgml/html/sspi-auth.html b/doc/src/sgml/html/sspi-auth.html
new file mode 100644
index 0000000..398251b
--- /dev/null
+++ b/doc/src/sgml/html/sspi-auth.html
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" ""><html xmlns=""><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.7. SSPI Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="gssapi-auth.html" title="20.6. GSSAPI Authentication" /><link rel="next" href="auth-ident.html" title="20.8. Ident Authentication" /></head><body><div xmlns="" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.7. SSPI Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="gssapi-auth.html" title="20.6. GSSAPI Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 20. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.0 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-ident.html" title="20.8. Ident Authentication">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="SSPI-AUTH"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.7. SSPI Authentication</h2></div></div></div><a id="id-" class="indexterm"></a><p>
+ <span class="productname">SSPI</span> is a <span class="productname">Windows</span>
+ technology for secure authentication with single sign-on.
+ <span class="productname">PostgreSQL</span> will use SSPI in
+ <code class="literal">negotiate</code> mode, which will use
+ <span class="productname">Kerberos</span> when possible and automatically
+ fall back to <span class="productname">NTLM</span> in other cases.
+ <span class="productname">SSPI</span> authentication only works when both
+ server and client are running <span class="productname">Windows</span>,
+ or, on non-Windows platforms, when <span class="productname">GSSAPI</span>
+ is available.
+ </p><p>
+ When using <span class="productname">Kerberos</span> authentication,
+ <span class="productname">SSPI</span> works the same way
+ <span class="productname">GSSAPI</span> does; see <a class="xref" href="gssapi-auth.html" title="20.6. GSSAPI Authentication">Section 20.6</a>
+ for details.
+ </p><p>
+ The following configuration options are supported for <span class="productname">SSPI</span>:
+ </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">include_realm</code></span></dt><dd><p>
+ If set to 0, the realm name from the authenticated user principal is
+ stripped off before being passed through the user name mapping
+ (<a class="xref" href="auth-username-maps.html" title="20.2. User Name Maps">Section 20.2</a>). This is discouraged and is
+ primarily available for backwards compatibility, as it is not secure
+ in multi-realm environments unless <code class="literal">krb_realm</code> is
+ also used. It is recommended to
+ leave <code class="literal">include_realm</code> set to the default (1) and to
+ provide an explicit mapping in <code class="filename">pg_ident.conf</code> to convert
+ principal names to <span class="productname">PostgreSQL</span> user names.
+ </p></dd><dt><span class="term"><code class="literal">compat_realm</code></span></dt><dd><p>
+ If set to 1, the domain's SAM-compatible name (also known as the
+ NetBIOS name) is used for the <code class="literal">include_realm</code>
+ option. This is the default. If set to 0, the true realm name from
+ the Kerberos user principal name is used.
+ </p><p>
+ Do not disable this option unless your server runs under a domain
+ account (this includes virtual service accounts on a domain member
+ system) and all clients authenticating through SSPI are also using
+ domain accounts, or authentication will fail.
+ </p></dd><dt><span class="term"><code class="literal">upn_username</code></span></dt><dd><p>
+ If this option is enabled along with <code class="literal">compat_realm</code>,
+ the user name from the Kerberos UPN is used for authentication. If
+ it is disabled (the default), the SAM-compatible user name is used.
+ By default, these two names are identical for new user accounts.
+ </p><p>
+ Note that <span class="application">libpq</span> uses the SAM-compatible name if no
+ explicit user name is specified. If you use
+ <span class="application">libpq</span> or a driver based on it, you should
+ leave this option disabled or explicitly specify user name in the
+ connection string.
+ </p></dd><dt><span class="term"><code class="literal">map</code></span></dt><dd><p>
+ Allows for mapping between system and database user names. See
+ <a class="xref" href="auth-username-maps.html" title="20.2. User Name Maps">Section 20.2</a> for details. For a SSPI/Kerberos
+ principal, such as <code class="literal">username@EXAMPLE.COM</code> (or, less
+ commonly, <code class="literal">username/hostbased@EXAMPLE.COM</code>), the
+ user name used for mapping is
+ <code class="literal">username@EXAMPLE.COM</code> (or
+ <code class="literal">username/hostbased@EXAMPLE.COM</code>, respectively),
+ unless <code class="literal">include_realm</code> has been set to 0, in which case
+ <code class="literal">username</code> (or <code class="literal">username/hostbased</code>)
+ is what is seen as the system user name when mapping.
+ </p></dd><dt><span class="term"><code class="literal">krb_realm</code></span></dt><dd><p>
+ Sets the realm to match user principal names against. If this parameter
+ is set, only users of that realm will be accepted. If it is not set,
+ users of any realm can connect, subject to whatever user name mapping
+ is done.
+ </p></dd></dl></div><p>
+ </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="gssapi-auth.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-ident.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">20.6. GSSAPI Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 20.8. Ident Authentication</td></tr></table></div></body></html> \ No newline at end of file
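Review bot: the generated markup in this hunk is damaged and should be regenerated from the DocBook sources rather than committed as-is. The DOCTYPE declaration ends with an empty system identifier (`"-//W3C//DTD XHTML 1.0 Transitional//EN" ""`), the root element is `<html xmlns="">` with an empty namespace, the `<link rev="made" href="" />` target is empty, and the index anchor has been truncated to `<a id="id-" class="indexterm">`, so cross-references into this page from the index will not resolve. The file also has no newline at end of file. Because every one of these fields is normally filled in by the DocBook XSL stylesheets (`<meta name="generator" content="DocBook XSL Stylesheets V1.79.1" />`), their absence indicates the HTML was post-processed or hand-edited after generation; please rebuild the page and re-run the diff before merging, and confirm that `stylesheet.css`, `gssapi-auth.html`, `auth-ident.html`, `auth-username-maps.html` and `client-authentication.html` exist alongside it in the same directory so the relative links in the header, body and footer work.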