postgresql

24th chunk of `doc/src/sgml/client-auth.sgml`
 does; see <xref linkend="gssapi-auth"/>
    for details.
   </para>

   <para>
    The following configuration options are supported for <productname>SSPI</productname>:
    <variablelist>

     <varlistentry>
      <term><literal>include_realm</literal></term>
      <listitem>
       <para>
        If set to 0, the realm name from the authenticated user principal is
        stripped off before being passed through the user name mapping
        (<xref linkend="auth-username-maps"/>). This is discouraged and is
        primarily available for backwards compatibility, as it is not secure
        in multi-realm environments unless <literal>krb_realm</literal> is
        also used.  It is recommended to
        leave <literal>include_realm</literal> set to the default (1) and to
        provide an explicit mapping in <filename>pg_ident.conf</filename> to convert
        principal names to <productname>PostgreSQL</productname> user names.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>compat_realm</literal></term>
      <listitem>
       <para>
        If set to 1, the domain's SAM-compatible name (also known as the
        NetBIOS name) is used for the <literal>include_realm</literal>
        option. This is the default. If set to 0, the true realm name from
        the Kerberos user principal name is used.
       </para>
       <para>
        Do not disable this option unless your server runs under a domain
        account (this includes virtual service accounts on a domain member
        system) and all clients authenticating through SSPI are also using
        domain accounts, or authentication will fail.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>upn_username</literal></term>
      <listitem>
       <para>
        If this option is enabled along with <literal>compat_realm</literal>,
        the user name from the Kerberos UPN is used for authentication. If
        it is disabled (the default), the SAM-compatible user name is used.
        By default, these two names are identical for new user accounts.
       </para>
       <para>
        Note that <application>libpq</application> uses the SAM-compatible name if no
        explicit user name is specified. If you use
        <application>libpq</application> or a driver based on it, you should
        leave this option disabled or explicitly specify the user name in the
        connection string.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>map</literal></term>
      <listitem>
       <para>
        Allows for mapping between system and database user names. See
        <xref linkend="auth-username-maps"/> for details.  For an SSPI/Kerberos
        principal, such as <literal>username@EXAMPLE.COM</literal> (or, less
        commonly, <literal>username/hostbased@EXAMPLE.COM</literal>), the
        user name used for mapping is
        <literal>username@EXAMPLE.COM</literal> (or
        <literal>username/hostbased@EXAMPLE.COM</literal>, respectively),
        unless <literal>include_realm</literal> has been set to 0, in which case
        <literal>username</literal> (or <literal>username/hostbased</literal>)
        is what is seen as the system user name when mapping.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><literal>krb_realm</literal></term>
      <listitem>
       <para>
        Sets the realm to match user principal names against. If this parameter
        is set, only users of that realm will be accepted.  If it is not set,
        users of any realm can connect, subject to whatever user name mapping
        is done.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </para>
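The following is a simplified model of how krb_realm, include_realm and a pg_ident.conf map combine, added here as an example; it is not PostgreSQL's own authentication code. It assumes a constructed pg_ident.conf with two maps (realmmap, which keeps the realm, and bare, which accepts any name), and takes the principal string as already produced by the compat_realm/upn_username settings. It shows why include_realm=0 without krb_realm is unsafe across realms: a principal from another realm is stripped to the same bare name and maps to the same role.

```python
import re

# Constructed pg_ident.conf content (an assumption for this example).
# "realmmap" requires the realm in the system name; "bare" matches any name.
PG_IDENT = r"""
# MAPNAME    SYSTEM-USERNAME           PG-USERNAME
realmmap     /^(.*)@EXAMPLE\.COM$      \1
bare         /^(.*)$                   \1
"""


def parse_ident(text):
    """Parse pg_ident.conf lines into (mapname, system_user, pg_user) triples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(tuple(line.split()))
    return rules


def ident_allows(rules, mapname, system_user, requested_role):
    r"""True if a rule of `mapname` maps system_user to requested_role.

    A system-username starting with "/" is a regular expression; "\1" in the
    pg-username is replaced by the first capture group, as in pg_ident.conf.
    """
    for name, sysname, pgname in rules:
        if name != mapname:
            continue
        if sysname.startswith("/"):
            m = re.search(sysname[1:], system_user)
            if m is None:
                continue
            candidate = pgname.replace(r"\1", m.group(1)) if m.groups() else pgname
        elif sysname == system_user:
            candidate = pgname
        else:
            continue
        if candidate == requested_role:
            return True
    return False


def sspi_decide(principal, requested_role, include_realm=1, krb_realm=None, mapname="realmmap"):
    """Apply krb_realm, then include_realm, then the map; return True to accept."""
    user, realm = principal.rsplit("@", 1) if "@" in principal else (principal, "")
    if krb_realm is not None and realm != krb_realm:
        return False  # wrong realm: rejected before any mapping is consulted
    system_user = principal if include_realm else user  # include_realm=0 strips the realm
    return ident_allows(parse_ident(PG_IDENT), mapname, system_user, requested_role)
```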
  </sect1>

  <sect1 id="auth-ident">
   <title>Ident Authentication</title>

   <indexterm>
    <primary>ident</primary>
   </indexterm>

   <para>
    The ident authentication method works

Title: SSPI Configuration Options in PostgreSQL
Summary
The SSPI authentication method in PostgreSQL supports various configuration options, including include_realm, compat_realm, upn_username, map, and krb_realm, which control how user principal names are mapped to database user names, with recommendations to leave some options at their default values for security and compatibility reasons.