Kerberos, GSSAPI Delegation, OAuth Validator Libraries, and SSL Configuration

--sysconfdir</literal> to determine that). If this parameter is set to an empty string, it is ignored and a system-dependent default is used. This parameter can only be set in the <filename>postgresql.conf</filename> file or on the server command line. See <xref linkend="gssapi-auth"/> for more information. </para> </listitem> </varlistentry> <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users"> <term><varname>krb_caseins_users</varname> (<type>boolean</type>) <indexterm> <primary><varname>krb_caseins_users</varname> configuration parameter</primary> </indexterm> </term> <listitem> <para> Sets whether GSSAPI user names should be treated case-insensitively. The default is <literal>off</literal> (case sensitive). This parameter can only be set in the <filename>postgresql.conf</filename> file or on the server command line. </para> </listitem> </varlistentry> <varlistentry id="guc-gss-accept-delegation" xreflabel="gss_accept_delegation"> <term><varname>gss_accept_delegation</varname> (<type>boolean</type>) <indexterm> <primary><varname>gss_accept_delegation</varname> configuration parameter</primary> </indexterm> </term> <listitem> <para> Sets whether GSSAPI delegation should be accepted from the client. The default is <literal>off</literal> meaning credentials from the client will <emphasis>not</emphasis> be accepted. Changing this to <literal>on</literal> will make the server accept credentials delegated to it from the client. This parameter can only be set in the <filename>postgresql.conf</filename> file or on the server command line. </para> </listitem> </varlistentry> <varlistentry id="guc-oauth-validator-libraries" xreflabel="oauth_validator_libraries"> <term><varname>oauth_validator_libraries</varname> (<type>string</type>) <indexterm> <primary><varname>oauth_validator_libraries</varname> configuration parameter</primary> </indexterm> </term> <listitem> <para> The library/libraries to use for validating OAuth connection tokens. If only one validator library is provided, it will be used by default for any OAuth connections; otherwise, all <link linkend="auth-oauth"><literal>oauth</literal> HBA entries</link> must explicitly set a <literal>validator</literal> chosen from this list. If set to an empty string (the default), OAuth connections will be refused. This parameter can only be set in the <filename>postgresql.conf</filename> file. </para> <para> Validator modules must be implemented/obtained separately; <productname>PostgreSQL</productname> does not ship with any default implementations. For more information on implementing OAuth validators, see <xref linkend="oauth-validators" />. </para> </listitem> </varlistentry> </variablelist> </sect2> <sect2 id="runtime-config-connection-ssl"> <title>SSL</title> <para> See <xref linkend="ssl-tcp"/> for more information about setting up <acronym>SSL</acronym>. The configuration parameters for controlling transfer encryption using <acronym>TLS</acronym> protocols are named <literal>ssl</literal> for historic reasons, even though support for the <acronym>SSL</acronym> protocol has been deprecated. <acronym>SSL</acronym> is in this context used interchangeably with <acronym>TLS</acronym>. </para> <variablelist> <varlistentry id="guc-ssl" xreflabel="ssl"> <term><varname>ssl</varname> (<type>boolean</type>) <indexterm> <primary><varname>ssl</varname> configuration parameter</primary> </indexterm> </term> <listitem>

This section covers parameters for Kerberos (`krb_server_keyfile`, `krb_caseins_users`), GSSAPI delegation (`gss_accept_delegation`), OAuth validator libraries (`oauth_validator_libraries`), and the start of SSL/TLS configuration. Kerberos settings define the server's key file and case sensitivity for user names. GSSAPI delegation determines if the server accepts credentials from the client. OAuth validator libraries specify libraries for validating OAuth connection tokens. The section also introduces SSL/TLS configuration.