 <filename>pg_ident.conf</filename> to convert
        principal names to <productname>PostgreSQL</productname> user names.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>map</literal></term>
      <listitem>
       <para>
        Allows mapping from client principals to database user names. See
        <xref linkend="auth-username-maps"/> for details.  For a GSSAPI/Kerberos
        principal, such as <literal>username@EXAMPLE.COM</literal> (or, less
        commonly, <literal>username/hostbased@EXAMPLE.COM</literal>), the
        user name used for mapping is
        <literal>username@EXAMPLE.COM</literal> (or
        <literal>username/hostbased@EXAMPLE.COM</literal>, respectively),
        unless <literal>include_realm</literal> has been set to 0, in which case
        <literal>username</literal> (or <literal>username/hostbased</literal>)
        is what is seen as the system user name when mapping.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>krb_realm</literal></term>
      <listitem>
       <para>
        Sets the realm to match user principal names against. If this parameter
        is set, only users of that realm will be accepted.  If it is not set,
        users of any realm can connect, subject to whatever user name mapping
        is done.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </para>

   <para>
    In addition to these settings, which can be different for
    different <filename>pg_hba.conf</filename> entries, there is the
    server-wide <xref linkend="guc-krb-caseins-users"/> configuration
    parameter.  If that is set to true, client principals are matched to
    user map entries case-insensitively.  <literal>krb_realm</literal>, if
    set, is also matched case-insensitively.
   </para>
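The interaction of <literal>include_realm</literal>, <literal>krb_realm</literal>, <literal>map</literal> and <xref linkend="guc-krb-caseins-users"/> described above, as an added Python model (not PostgreSQL's own code). The <filename>pg_ident.conf</filename> entries are constructed for the example; the regular-expression and <literal>\1</literal> substitution rules follow the user-name-map section the text references, and, as a simplification, case-insensitivity is applied to every comparison the model makes.

```python
import re

# Constructed pg_ident.conf map (not from the PostgreSQL docs): (system-username, database-username).
# A system-username beginning with "/" is a regular expression; "\1" in the
# database-username is replaced by the text matched by its first (...) group.
IDENT_MAP = [
    (r"/^(.*)@EXAMPLE\.COM$", r"\1"),        # alice@EXAMPLE.COM -> alice
    ("svc/db01@EXAMPLE.COM", "app_svc"),      # host-based principal -> fixed role
]


def split_principal(principal):
    """Split 'user@REALM' into (user, realm); realm is None when absent."""
    user, sep, realm = principal.partition("@")
    return user, (realm if sep else None)


def _eq(a, b, caseins):
    return a.lower() == b.lower() if caseins else a == b


def map_principal(principal, requested_user, include_realm=1, krb_realm=None,
                  krb_caseins_users=False, ident_map=IDENT_MAP):
    """Model of the documented checks: True if the authenticated principal
    may log in as requested_user, False otherwise. ident_map=None models an
    hba entry without a map option (system user must equal the requested role)."""
    user, realm = split_principal(principal)
    # krb_realm: only principals of that realm are accepted.
    if krb_realm is not None and (realm is None or not _eq(realm, krb_realm, krb_caseins_users)):
        return False
    # include_realm=0 strips the realm before the name reaches the map.
    system_user = user if include_realm == 0 else principal
    if ident_map is None:
        return _eq(system_user, requested_user, krb_caseins_users)
    flags = re.IGNORECASE if krb_caseins_users else 0
    for sys_pat, db_user in ident_map:
        if sys_pat.startswith("/"):
            m = re.search(sys_pat[1:], system_user, flags)
            if m is None:
                continue
            candidate = db_user.replace(r"\1", m.group(1)) if m.groups() else db_user
        elif _eq(sys_pat, system_user, krb_caseins_users):
            candidate = db_user
        else:
            continue
        if _eq(candidate, requested_user, krb_caseins_users):
            return True
    return False
```

With <literal>include_realm=0</literal> and no <literal>krb_realm</literal>, <literal>alice@EVIL.COM</literal> is accepted as <literal>alice</literal>, which is the multi-realm problem the text warns about; the realm-anchored map entry or <literal>krb_realm</literal> closes it.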
  </sect1>

  <sect1 id="sspi-auth">
   <title>SSPI Authentication</title>

   <indexterm zone="sspi-auth">
    <primary>SSPI</primary>
   </indexterm>

   <para>
    <productname>SSPI</productname> is a <productname>Windows</productname>
    technology for secure authentication with single sign-on.
    <productname>PostgreSQL</productname> will use SSPI in
    <literal>negotiate</literal> mode, which will use
    <productname>Kerberos</productname> when possible and automatically
    fall back to <productname>NTLM</productname> in other cases.
    <productname>SSPI</productname> and <productname>GSSAPI</productname>
    interoperate as clients and servers, e.g., an
    <productname>SSPI</productname> client can authenticate to an
    <productname>GSSAPI</productname> server.  It is recommended to use
    <productname>SSPI</productname> on Windows clients and servers and
    <productname>GSSAPI</productname> on non-Windows platforms.
   </para>

   <para>
    When using <productname>Kerberos</productname> authentication,
    <productname>SSPI</productname> works the same way
    <productname>GSSAPI</productname> does; see <xref linkend="gssapi-auth"/>
    for details.
   </para>

   <para>
    The following configuration options are supported for <productname>SSPI</productname>:
    <variablelist>

     <varlistentry>
      <term><literal>include_realm</literal></term>
      <listitem>
       <para>
        If set to 0, the realm name from the authenticated user principal is
        stripped off before being passed through the user name mapping
        (<xref linkend="auth-username-maps"/>). This is discouraged and is
        primarily available for backwards compatibility, as it is not secure
        in multi-realm environments unless <literal>krb_realm</literal> is
        also used.  It is recommended to
        leave <literal>include_realm</literal> set to the default (1) and to
        provide an explicit mapping in <filename>pg_ident.conf</filename> to convert
        principal names to <productname>PostgreSQL</productname> user names.
       </para>
      </listitem>
     </varlistentry>
