diff options
Diffstat (limited to 'doc/src/sgml/html/sspi-auth.html')
-rw-r--r-- | doc/src/sgml/html/sspi-auth.html | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/doc/src/sgml/html/sspi-auth.html b/doc/src/sgml/html/sspi-auth.html new file mode 100644 index 0000000..40d3a68 --- /dev/null +++ b/doc/src/sgml/html/sspi-auth.html @@ -0,0 +1,68 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.7. SSPI Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="gssapi-auth.html" title="21.6. GSSAPI Authentication" /><link rel="next" href="auth-ident.html" title="21.8. Ident Authentication" /></head><body id="docContent" class="container-fluid col-10"><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.7. SSPI Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="gssapi-auth.html" title="21.6. GSSAPI Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 21. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 14.5 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-ident.html" title="21.8. Ident Authentication">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="SSPI-AUTH"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.7. SSPI Authentication</h2></div></div></div><a id="id-1.6.8.14.2" class="indexterm"></a><p> + <span class="productname">SSPI</span> is a <span class="productname">Windows</span> + technology for secure authentication with single sign-on. + <span class="productname">PostgreSQL</span> will use SSPI in + <code class="literal">negotiate</code> mode, which will use + <span class="productname">Kerberos</span> when possible and automatically + fall back to <span class="productname">NTLM</span> in other cases. + <span class="productname">SSPI</span> authentication only works when both + server and client are running <span class="productname">Windows</span>, + or, on non-Windows platforms, when <span class="productname">GSSAPI</span> + is available. + </p><p> + When using <span class="productname">Kerberos</span> authentication, + <span class="productname">SSPI</span> works the same way + <span class="productname">GSSAPI</span> does; see <a class="xref" href="gssapi-auth.html" title="21.6. GSSAPI Authentication">Section 21.6</a> + for details. + </p><p> + The following configuration options are supported for <span class="productname">SSPI</span>: + </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">include_realm</code></span></dt><dd><p> + If set to 0, the realm name from the authenticated user principal is + stripped off before being passed through the user name mapping + (<a class="xref" href="auth-username-maps.html" title="21.2. User Name Maps">Section 21.2</a>). This is discouraged and is + primarily available for backwards compatibility, as it is not secure + in multi-realm environments unless <code class="literal">krb_realm</code> is + also used. It is recommended to + leave <code class="literal">include_realm</code> set to the default (1) and to + provide an explicit mapping in <code class="filename">pg_ident.conf</code> to convert + principal names to <span class="productname">PostgreSQL</span> user names. + </p></dd><dt><span class="term"><code class="literal">compat_realm</code></span></dt><dd><p> + If set to 1, the domain's SAM-compatible name (also known as the + NetBIOS name) is used for the <code class="literal">include_realm</code> + option. This is the default. If set to 0, the true realm name from + the Kerberos user principal name is used. + </p><p> + Do not disable this option unless your server runs under a domain + account (this includes virtual service accounts on a domain member + system) and all clients authenticating through SSPI are also using + domain accounts, or authentication will fail. + </p></dd><dt><span class="term"><code class="literal">upn_username</code></span></dt><dd><p> + If this option is enabled along with <code class="literal">compat_realm</code>, + the user name from the Kerberos UPN is used for authentication. If + it is disabled (the default), the SAM-compatible user name is used. + By default, these two names are identical for new user accounts. + </p><p> + Note that <span class="application">libpq</span> uses the SAM-compatible name if no + explicit user name is specified. If you use + <span class="application">libpq</span> or a driver based on it, you should + leave this option disabled or explicitly specify user name in the + connection string. + </p></dd><dt><span class="term"><code class="literal">map</code></span></dt><dd><p> + Allows for mapping between system and database user names. See + <a class="xref" href="auth-username-maps.html" title="21.2. User Name Maps">Section 21.2</a> for details. For an SSPI/Kerberos + principal, such as <code class="literal">username@EXAMPLE.COM</code> (or, less + commonly, <code class="literal">username/hostbased@EXAMPLE.COM</code>), the + user name used for mapping is + <code class="literal">username@EXAMPLE.COM</code> (or + <code class="literal">username/hostbased@EXAMPLE.COM</code>, respectively), + unless <code class="literal">include_realm</code> has been set to 0, in which case + <code class="literal">username</code> (or <code class="literal">username/hostbased</code>) + is what is seen as the system user name when mapping. + </p></dd><dt><span class="term"><code class="literal">krb_realm</code></span></dt><dd><p> + Sets the realm to match user principal names against. If this parameter + is set, only users of that realm will be accepted. If it is not set, + users of any realm can connect, subject to whatever user name mapping + is done. + </p></dd></dl></div><p> + </p></div><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navfooter"><hr></hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="gssapi-auth.html" title="21.6. GSSAPI Authentication">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-ident.html" title="21.8. Ident Authentication">Next</a></td></tr><tr><td width="40%" align="left" valign="top">21.6. GSSAPI Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 14.5 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 21.8. Ident Authentication</td></tr></table></div></body></html>
\ No newline at end of file |