| The PostgreSQL 9.0 Reference Manual - Volume 3 - Server Administration Guide
by The PostgreSQL Global Development Group Paperback (6"x9"), 274 pages ISBN 9781906966072 RRP £9.95 ($14.95) Sales of this book support the PostgreSQL project! Get a printed copy>>> |
5.3.3 GSSAPI authentication
GSSAPI is an industry-standard protocol for secure authentication defined in RFC 2743. PostgreSQL supports GSSAPI with Kerberos authentication according to RFC 1964. GSSAPI provides automatic authentication (single sign-on) for systems that support it. The authentication itself is secure, but the data sent over the database connection will be sent unencrypted unless SSL is used.
When GSSAPI uses Kerberos, it uses a standard principal in the format servicename/hostname@realm. For information about the parts of the principal, and how to set up the required keys, see section 5.3.5 Kerberos authentication.
GSSAPI support has to be enabled when PostgreSQL is built; see section 1 Installation from Source Code for more information.
The following configuration options are supported for GSSAPI:
include_realm
If set to 1, the realm name from the authenticated user principal is included in the system user name that's passed through user name mapping (section 5.2 User name maps). This is useful for handling users from multiple realms.

map
Allows for mapping between system and database user names. See section 5.2 User name maps for details. For a Kerberos principal username/hostbased@EXAMPLE.COM, the user name used for mapping is username/hostbased if include_realm is disabled, and username/hostbased@EXAMPLE.COM if include_realm is enabled.

krb_realm
Sets the realm to match user principal names against. If this parameter is set, only users of that realm will be accepted. If it is not set, users of any realm can connect, subject to whatever user name mapping is done.
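The options above interact: with krb_realm unset and include_realm disabled, principals from any realm are accepted and the realm is dropped before mapping, so same-named users from different realms cannot be told apart. The following audit of gss entries in pg_hba.conf is an added example, not part of the manual or of PostgreSQL's code; it uses a simplified parser, constructed sample entries, and the assumption that an absent include_realm means disabled. It also flags gss entries that do not require SSL, since the session data is otherwise sent unencrypted.

```python
# Added example: audit gss entries in pg_hba.conf (simplified parser).
REALM_COLLAPSE = "any realm accepted and realm stripped before user name mapping"
CLEARTEXT = "entry does not require SSL; session data may be sent unencrypted"

# Constructed sample entries; addresses, realm and map name are illustrative.
SAMPLE_HBA = """\
# TYPE  DATABASE USER ADDRESS      METHOD OPTIONS
host    all all 10.0.0.0/8     gss
hostssl all all 10.0.0.0/8     gss include_realm=1 krb_realm=EXAMPLE.COM map=gssmap
hostssl all all 192.168.0.0/16 gss krb_realm=EXAMPLE.COM
host    all all 127.0.0.1/32   md5
"""

def parse_gss_entries(text):
    """Yield (line_no, conn_type, options) for each entry whose method is gss."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Simplification: '#' always starts a comment, fields never contain spaces.
        fields = raw.split("#", 1)[0].split()
        # Trailing name=value tokens are options; the token before them is the method.
        options = {}
        while fields and "=" in fields[-1]:
            name, value = fields.pop().split("=", 1)
            options[name] = value.strip('"')
        if len(fields) >= 4 and fields[-1] == "gss":
            yield line_no, fields[0], options

def audit(text):
    """Return (line_no, finding) tuples for risky gss entries."""
    findings = []
    for line_no, conn_type, opts in parse_gss_entries(text):
        # Assumption: include_realm is disabled unless explicitly set to 1.
        realm_kept = opts.get("include_realm") == "1"
        if "krb_realm" not in opts and not realm_kept:
            findings.append((line_no, REALM_COLLAPSE))
        # host matches connections with or without SSL; hostnossl only without.
        if conn_type in ("host", "hostnossl"):
            findings.append((line_no, CLEARTEXT))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_HBA):
        print(f"pg_hba.conf line {line_no}: {finding}")
```
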