From 1b4e729eaa97b6169e08abc70e84709cea2cd00a Mon Sep 17 00:00:00 2001
From: Magnus Hagander <magnus@hagander.net>
Date: Fri, 9 Jan 2009 10:13:19 +0000
Subject: Make krb_realm and krb_server_hostname be pg_hba options only, and
 remove their GUCs.

In passing, noted that the pg_hba options for krb5 authentication weren't
listed at all - so add this.
---
 doc/src/sgml/client-auth.sgml | 71 +++++++++++++++++++++++++++++++++----------
 doc/src/sgml/config.sgml      | 36 +---------------------
 2 files changed, 56 insertions(+), 51 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index f5cc4729101..029bfd45661 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.117 2009/01/07 13:09:21 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.118 2009/01/09 10:13:18 mha Exp $ -->
 
 <chapter id="client-authentication">
  <title>Client Authentication</title>
@@ -801,18 +801,8 @@ omicron       bryanh            guest1
       <term>krb_realm</term>
       <listitem>
        <para>
-        Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
-        to verify the authenticated user principal against.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
-      <term>krb_server_hostname</term>
-      <listitem>
-       <para>
-        Overrides the <xref linkend="guc-krb-server-hostname"> parameter, setting which
-        hostname will be used for the server principal when using Kerberos.
+        Sets the realm to match user principal names against. If this parameter
+        is not set, the realm of the user will be ignored.
        </para>
       </listitem>
      </varlistentry>
@@ -874,8 +864,8 @@ omicron       bryanh            guest1
       <term>krb_realm</term>
       <listitem>
        <para>
-        Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
-        to verify the authenticated user principal against.
+        Sets the realm to match user principal names against. If this parameter
+        is not set, the realm of the user will be ignored.
        </para>
       </listitem>
      </varlistentry>
@@ -953,7 +943,7 @@ omicron       bryanh            guest1
     <literal>pgusername@realm</>. By default, the realm of the client is
     not checked by <productname>PostgreSQL</>. If you have cross-realm
     authentication enabled and need to verify the realm, use the
-    <xref linkend="guc-krb-realm"> parameter.
+    krb_realm parameter in <filename>pg_hba.conf</>.
    </para>
 
    <para>
@@ -996,6 +986,55 @@ omicron       bryanh            guest1
     database access over the web, no extra passwords required.
    </para>
 
+   <para>
+    The following configuration options are supported for <productname>Kerberos</productname>:
+    <variablelist>
+     <varlistentry>
+      <term>map</term>
+      <listitem>
+       <para>
+        Allows for mapping between system and database usernames. See
+        <xref linkend="auth-username-maps"> for details.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry>
+      <term>include_realm</term>
+      <listitem>
+       <para>
+        Include the realm name from the authenticated user principal. This is useful
+        in combination with Username maps (See <xref linkend="auth-username-maps">
+        for details), especially with regular expressions, to map users from
+        multiple realms.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry>
+      <term>krb_realm</term>
+      <listitem>
+       <para>
+        Sets the realm to match user principal names against. If this parameter
+        is not set, the realm of the user will be ignored.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry>
+      <term>krb_server_hostname</term>
+      <listitem>
+       <para>
+        Sets the host name part of the service principal.
+        This, combined with <varname>krb_srvname</>, is used to generate
+        the complete service principal, that is
+        <varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
+        If not set, the default is the server host name.
+       </para>
+      </listitem>
+     </varlistentry>
+    </variablelist>
+   </para>
   </sect2>
 
   <sect2 id="auth-ident">
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 564e5c0236c..0d8cf0a84cb 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.203 2009/01/07 22:40:48 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.204 2009/01/09 10:13:18 mha Exp $ -->
 
 <chapter Id="runtime-config">
   <title>Server Configuration</title>
@@ -612,22 +612,6 @@ SET ENABLE_SEQSCAN TO OFF;
       </listitem>
      </varlistentry>
 
-     <varlistentry id="guc-krb-realm" xreflabel="krb_realm">
-      <term><varname>krb_realm</varname> (<type>string</type>)</term>
-      <indexterm>
-       <primary><varname>krb_realm</> configuration parameter</primary>
-      </indexterm>
-      <listitem>
-       <para>
-        Sets the realm to match Kerberos, GSSAPI and SSPI user names against.
-        See <xref linkend="kerberos-auth">, <xref linkend="gssapi-auth"> or
-        <xref linkend="sspi-auth"> for details. This parameter can only be 
-        set in the <filename>postgresql.conf</> file or on the server 
-        command line.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
       <term><varname>krb_server_keyfile</varname> (<type>string</type>)</term>
       <indexterm>
@@ -657,24 +641,6 @@ SET ENABLE_SEQSCAN TO OFF;
       </listitem>
      </varlistentry>
 
-     <varlistentry id="guc-krb-server-hostname" xreflabel="krb_server_hostname">
-      <term><varname>krb_server_hostname</varname> (<type>string</type>)</term>
-      <indexterm>
-       <primary><varname>krb_server_hostname</> configuration parameter</primary>
-      </indexterm>
-      <listitem>
-       <para>
-        Sets the host name part of the service principal.
-        This, combined with <varname>krb_srvname</>, is used to generate
-        the complete service principal, that is
-        <varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
-        If not set, the default is the server host name.  See <xref linkend="kerberos-auth">
-        for details. This parameter can only be set in the <filename>postgresql.conf</>
-        file or on the server command line.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
       <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
       <indexterm>
-- 
cgit v1.2.3