author: Magnus Hagander <magnus@hagander.net> 2016-04-08 20:23:52 +0200
committer: Magnus Hagander <magnus@hagander.net> 2016-04-08 20:28:38 +0200
commit: 35e2e357cb054dc9e5d890fe754c56f0722f015e
tree: dc0f1d97c14e7ea3703f3b8bbf98e0d0237250be /doc/src
parent: cb0c8cbf316f9362c11d7a8356e6f459258ae78e
Add authentication parameters compat_realm and upn_username for SSPI

These parameters are available for SSPI authentication only, to make it possible to make it behave more like "normal gssapi", while making it possible to maintain compatibility.

compat_realm is on by default, but can be turned off to make the authentication use the full Kerberos realm instead of the NetBIOS name.

upn_username is off by default, and can be turned on to return the user's Kerberos UPN rather than the SAM-compatible name (a user in Active Directory can have both a legacy SAM-compatible username and a new Kerberos one. Normally they are the same, but not always).

Author: Christian Ullrich
Reviewed by: Robbie Harwood, Alvaro Herrera, me
Diffstat (limited to 'doc/src')
-rw-r--r-- doc/src/sgml/client-auth.sgml 37
1 files changed, 37 insertions, 0 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 28973e2c2b4..e28d02eafe4 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1107,6 +1107,43 @@ omicron bryanh guest1
</varlistentry>
<varlistentry>
+ <term><literal>compat_realm</literal></term>
+ <listitem>
+ <para>
+ If set to 1, the domain's SAM-compatible name (also known as the
+ NetBIOS name) is used for the <literal>include_realm</literal>
+ option. This is the default. If set to 0, the true realm name from
+ the Kerberos user principal name is used.
+ </para>
+ <para>
+ Do not enable this option unless your server runs under a domain
+ account (this includes virtual service accounts on a domain member
+ system) and all clients authenticating through SSPI are also using
+ domain accounts, or authentication will fail.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>upn_username</literal></term>
+ <listitem>
+ <para>
+ If this option is enabled along with <literal>compat_realm</literal>,
+ the user name from the Kerberos UPN is used for authentication. If
+ it is disabled (the default), the SAM-compatible user name is used.
+ By default, these two names are identical for new user accounts.
+ </para>
+ <para>
+ Note that <application>libpq</> uses the SAM-compatible name if no
+ explicit user name is specified. If you use
+ <application>libpq</> or a driver based on it, you should
+ leave this option disabled or explicitly specify user name in the
+ connection string.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><literal>map</literal></term>
<listitem>
<para>
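Review bot: The second paragraph of the new compat_realm entry contradicts the first. The entry states that 1 is the default and that 0 switches to the true realm from the Kerberos user principal name; it is that 0 setting that requires the server and every SSPI client to run under domain accounts (a local account has no Kerberos realm to use), so the warning should read "Do not disable this option unless your server runs under a domain account ..." rather than "Do not enable this option unless ...". As written, a reader following the warning literally would keep the default and never be told which setting actually carries the failure risk. Minor wording in the upn_username entry: "explicitly specify user name in the connection string" reads better as "explicitly specify a user name in the connection string".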