|The PostgreSQL 9.0 Reference Manual - Volume 3 - Server Administration Guide
by The PostgreSQL Global Development Group
Paperback (6"x9"), 274 pages
RRP £9.95 ($14.95)
Sales of this book support the PostgreSQL project! Get a printed copy>>>
5.3.3 GSSAPI authentication
GSSAPI is an industry-standard protocol for secure authentication defined in RFC 2743. PostgreSQL supports GSSAPI with Kerberos authentication according to RFC 1964. GSSAPI provides automatic authentication (single sign-on) for systems that support it. The authentication itself is secure, but the data sent over the database connection will be sent unencrypted unless SSL is used.
When GSSAPI uses
Kerberos, it uses a standard principal
in the format
servicename/hostname@realm. For information about the parts of the principal, and
how to set up the required keys, see section 5.3.5 Kerberos authentication.
GSSAPI support has to be enabled when PostgreSQL is built; see section 1 Installation from Source Code for more information.
The following configuration options are supported for GSSAPI:
If set to
1, the realm name from the authenticated user principal is included in the system user name that's passed through user name mapping (section 5.2 User name maps). This is useful for handling users from multiple realms.
Allows for mapping between system and database user names. See
section 5.2 User name maps for details. For a Kerberos
username/hostbased@EXAMPLE.COM, the user name used for mapping is
include_realmis disabled, and
- Sets the realm to match user principal names against. If this parameter is set, only users of that realm will be accepted. If it is not set, users of any realm can connect, subject to whatever user name mapping is done.
|ISBN 9781906966072||The PostgreSQL 9.0 Reference Manual - Volume 3 - Server Administration Guide||See the print edition|