From 72c53ac3a7faaf825752843fbb77b059a1c5f565 Mon Sep 17 00:00:00 2001
From: Bruce Momjian
Date: Sat, 4 Jun 2005 20:42:43 +0000
Subject: Allow kerberos name and username case sensitivity to be specified from postgresql.conf.
---------------------------------------------------------------------------
Here's an updated version of the patch, with the following changes:
1) No longer uses "service name" as "application version". It's instead hardcoded as "postgres". It could be argued that this part should be backpatched to 8.0, but it doesn't make a big difference until you can start changing it with GUC / connection parameters. This change only affects kerberos 5, not 4.
2) Now downcases kerberos usernames when the client is running on win32.
3) Adds guc option for "krb_caseins_users" to make the server ignore case mismatch which is required by some KDCs such as Active Directory. Off by default, per discussion with Tom. This change only affects kerberos 5, not 4.
4) Updated so it doesn't conflict with the rendevouz/bonjour patch already in ;-)
Magnus Hagander
---
 doc/src/sgml/client-auth.sgml | 43 ++++++++++++++++++++++++------------------
 doc/src/sgml/installation.sgml | 6 +++---
 doc/src/sgml/libpq.sgml | 23 +++++++++++++++++++++-
 doc/src/sgml/runtime.sgml | 32 +++++++++++++++++++++++++++++--
 4 files changed, 80 insertions(+), 24 deletions(-)
(limited to 'doc/src')
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 875c170a048..8439174b028 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,5 +1,5 @@
@@ -617,7 +617,7 @@ local db1,db2,@demodbs all md5
 quite complex (yet powerful). The Kerberos FAQ or
- MIT Project Athena
+ MIT Kerberos
 page can be a good starting point for exploration. Several sources for Kerberos distributions exist.
@@ -626,23 +626,29 @@ local db1,db2,@demodbs all md5
 While PostgreSQL supports both Kerberos 4 and Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is considered insecure and no longer recommended for general
- use.
-
-
-
- In order to use Kerberos, support for it must be
- enabled at build time. See for more
- information. Both Kerberos 4 and 5 are supported, but only one
- version can be supported in any one build.
+ use. Only one version of Kerberos can be supported in any one
+ build, and support must be enabled at build time. See
+ for more information.
 PostgreSQL operates like a normal Kerberos service. The name of the service principal is
- servicename/hostname@realm, where
- servicename is postgres (unless a
- different service name was selected at configure time with
- ./configure --with-krb-srvnam=whatever).
+ servicename/hostname@realm.
+
+
+ servicename can be set on the server side using the
+ configuration parameter, and on the
+ client side using the krbsrvname connection parameter. (See also .). The installation default can be changed from the default
+ postgres at build time using
+ ./configure --with-krb-srvnam=whatever). In most environments,
+ this parameter never needs to be changed. However, to support multiple
+ PostgreSQL installations on the same host it is necessary.
+ Some Kerberos implementations may also require a different service name,
+ such as Microsoft Active Directory which requires the service name
+ to be in uppercase (POSTGRES).
+
+
 hostname is the fully qualified host name of the server machine. The service principal's realm is the preferred realm of the server machine.
@@ -658,12 +664,12 @@ local db1,db2,@demodbs all md5
- Make sure that your server key file is readable (and preferably
+ Make sure that your server keytab file is readable (and preferably
 only readable) by the PostgreSQL server account. (See also .) The location of the key file is specified by the configuration
- parameter. (See also .) The default
+ parameter. The default
 is /etc/srvtab if you are using Kerberos 4 and /usr/local/pgsql/etc/krb5.keytab (or whichever directory was specified as sysconfdir at build time)
@@ -671,12 +677,13 @@ local db1,db2,@demodbs all md5
- To generate the keytab file, use for example (with version 5)
+ The keytab file is generated in the Kerberos system, see the
+ Kerberos documentation for details. The following example is
+ for MIT-compatible Kerberos 5 implementations:
 kadmin% ank -randkey postgres/server.my.domain.org
 kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org
- Read the Kerberos documentation for details.
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index cf27e37f3b2..b772a23e583 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -1,4 +1,4 @@
-
+
 <![%standalone-include[<productname>PostgreSQL</>]]>
@@ -816,8 +816,8 @@ su - postgres
 <term><option>--with-krb-srvnam=<replaceable>NAME</></option></term>
 <listitem>
 <para>
- The name of the Kerberos service principal.
- <literal>postgres</literal> is the default. There's probably no
+ The default name of the Kerberos service principal.
+ <literal>postgres</literal> is the default. There's usually no
 reason to change this.
 </para>
 </listitem>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index a81dc9defcb..8430a124298 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.181 2005/05/30 19:32:44 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.182 2005/06/04 20:42:41 momjian Exp $
 -->
 <chapter id="libpq">
@@ -279,6 +279,18 @@ PGconn *PQconnectdb(const char *conninfo);
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term><literal>krbsrvname</literal></term>
+ <listitem>
+ <para>
+ Kerberos service name to use when authenticating with Kerberos 4 or 5.
+ This must match the service name specified in the server
+ configuration for Kerberos authentication to succeed. (See also
+ <xref linkend="kerberos-auth">.)
+ </para>
+ </listitem>
+ </varlistentry>
+
 <varlistentry>
 <term><literal>service</literal></term>
 <listitem>
@@ -3770,6 +3782,15 @@ setting, and is only available if
 </listitem>
 <listitem>
 <para>
+<indexterm>
+ <primary><envar>PGKRBSRVNAME</envar></primary>
+</indexterm>
+<envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when
+authenticating with Kerberos 4 or 5.
+</para>
+</listitem>
+<listitem>
+<para>
 <indexterm>
 <primary><envar>PGCONNECT_TIMEOUT</envar></primary>
 </indexterm>
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index d5c76830baa..e1ffd22c5a8 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -955,11 +955,39 @@ SET ENABLE_SEQSCAN TO OFF;
 <listitem>
 <para>
 Sets the location of the Kerberos server key file. See
- <xref linkend="kerberos-auth"> for details.
+ <xref linkend="kerberos-auth"> for details. This parameter
+ can only be set at server start.
 </para>
 </listitem>
 </varlistentry>
+ <varlistentry id="guc-krb-srvname" xreflabel="krb_srvname">
+ <term><varname>krb_srvname</varname> (<type>string</type>)</term>
+ <indexterm>
+ <primary><varname>krb_srvname</> configuration parameter</primary>
+ </indexterm>
+ <listitem>
+ <para>
+ Sets the Kerberos service name. See <xref linkend="kerberos-auth">
+ for details. This parameter can only be set at server start.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
+ <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
+ <indexterm>
+ <primary><varname>krb_caseins_users</varname> configuration parameter</primary>
+ </indexterm>
+ <listitem>
+ <para>
+ Sets if Kerberos usernames should be treated case-insensitive.
+ The default is off (case sensitive). This parameter can only be
+ set at server start.
+ </para>
+ </listitem>
+ </varlistentry>
+
 <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
 <term><varname>db_user_namespace</varname> (<type>boolean</type>)</term>
 <indexterm>
--
cgit v1.2.3