SSPI authentication on Windows. GSSAPI compatible client when doing Kerberos

against a Unix server, and Windows-specific server-side authentication
using SSPI "negotiate" method (Kerberos or NTLM).

Only builds properly with MSVC for now.

2 files changed, 60 insertions, 2 deletions

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index e3fa1c8b27d..dd3bd8be4d4 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.99 2007/07/18 12:00:47 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.100 2007/07/23 10:16:53 mha Exp $ -->
 
 <chapter id="client-authentication">
  <title>Client Authentication</title>
@@ -359,6 +359,17 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        </varlistentry>
 
        <varlistentry>
+        <term><literal>sspi</></term>
+        <listitem>
+         <para>
+          Use SSPI to authenticate the user. This is only
+          available on Windows. See <xref
+          linkend="sspi-auth"> for details.
+         </para>
+        </listitem>
+       </varlistentry>
+
+       <varlistentry>
         <term><literal>krb5</></term>
         <listitem>
          <para>
@@ -677,6 +688,33 @@ local   db1,db2,@demodbs  all                         md5
    
   </sect2>
 
+  <sect2 id="sspi-auth">
+   <title>SSPI authentication</title>
+
+   <indexterm zone="sspi-auth">
+    <primary>SSPI</primary>
+   </indexterm>
+
+   <para>
+    <productname>SSPI</productname> is a <productname>Windows</productname>
+    technology for secure authentication with single sign-on. 
+    <productname>PostgreSQL</productname> will use SSPI in
+    <literal>negotiate</literal> mode, which will use
+    <productname>Kerberos</productname> when possible and automatically
+    fall back to <productname>NTLM</productname> in other cases.
+    <productname>SSPI</productname> authentication only works when both
+    server and client are running <productname>Windows</productname>.
+   </para>
+
+   <para>
+    When using <productname>Kerberos</productname> authentication, 
+    <productname>SSPI</productname> works the same way 
+    <productname>GSSAPI</productname> does. See <xref linkend="gssapi-auth">
+    for details.
+   </para>
+
+  </sect2>
+
   <sect2 id="kerberos-auth">
    <title>Kerberos authentication</title>
 
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index e1ee97ce182..117bc5f3509 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.238 2007/07/18 12:00:47 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.239 2007/07/23 10:16:53 mha Exp $ -->
 
  <chapter id="libpq">
   <title><application>libpq</application> - C Library</title>
@@ -291,6 +291,17 @@ PGconn *PQconnectdb(const char *conninfo);
     </varlistentry>
 
     <varlistentry>
+     <term><literal>gsslib</literal></term>
+     <listitem>
+      <para>
+       GSS library to use for GSSAPI authentication. Only used on Windows.
+       Set to <literal>gssapi</literal> to force libpq to use the GSSAPI
+       library for authentication instead of the default SSPI.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
      <term><literal>service</literal></term>
      <listitem>
      <para>
@@ -4221,6 +4232,15 @@ authenticating with Kerberos 5 or GSSAPI.
 <listitem>
 <para>
 <indexterm>
+ <primary><envar>PGGSSLIB</envar></primary>
+</indexterm>
+<envar>PGGSSLIB</envar> sets the GSS library to use for GSSAPI 
+authentication. 
+</para>
+</listitem>
+<listitem>
+<para>
+<indexterm>
  <primary><envar>PGCONNECT_TIMEOUT</envar></primary>
 </indexterm>
 <envar>PGCONNECT_TIMEOUT</envar> sets the maximum number of seconds