gooderp18绿色标准版

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.7. SSPI Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="gssapi-auth.html" title="20.6. GSSAPI Authentication" /><link rel="next" href="auth-ident.html" title="20.8. Ident Authentication" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.7. SSPI Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="gssapi-auth.html" title="20.6. GSSAPI Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 20. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-ident.html" title="20.8. Ident Authentication">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="SSPI-AUTH"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.7. SSPI Authentication</h2></div></div></div><a id="id-1.6.7.14.2" class="indexterm"></a><p>
<span class="productname">SSPI</span> is a <span class="productname">Windows</span>
technology for secure authentication with single sign-on.
<span class="productname">PostgreSQL</span> will use SSPI in
<code class="literal">negotiate</code> mode, which will use
<span class="productname">Kerberos</span> when possible and automatically
fall back to <span class="productname">NTLM</span> in other cases.
<span class="productname">SSPI</span> authentication only works when both
server and client are running <span class="productname">Windows</span>,
or, on non-Windows platforms, when <span class="productname">GSSAPI</span>
is available.
</p><p>
When using <span class="productname">Kerberos</span> authentication,
<span class="productname">SSPI</span> works the same way
<span class="productname">GSSAPI</span> does; see <a class="xref" href="gssapi-auth.html" title="20.6. GSSAPI Authentication">Section 20.6</a>
for details.
</p><p>
The following configuration options are supported for <span class="productname">SSPI</span>:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">include_realm</code></span></dt><dd><p>
If set to 0, the realm name from the authenticated user principal is
stripped off before being passed through the user name mapping
(<a class="xref" href="auth-username-maps.html" title="20.2. User Name Maps">Section 20.2</a>). This is discouraged and is
primarily available for backwards compatibility, as it is not secure
in multi-realm environments unless <code class="literal">krb_realm</code> is
also used. It is recommended to
leave <code class="literal">include_realm</code> set to the default (1) and to
provide an explicit mapping in <code class="filename">pg_ident.conf</code> to convert
principal names to <span class="productname">PostgreSQL</span> user names.
</p></dd><dt><span class="term"><code class="literal">compat_realm</code></span></dt><dd><p>
If set to 1, the domain's SAM-compatible name (also known as the
NetBIOS name) is used for the <code class="literal">include_realm</code>
option. This is the default. If set to 0, the true realm name from
the Kerberos user principal name is used.
</p><p>
Do not disable this option unless your server runs under a domain
account (this includes virtual service accounts on a domain member
system) and all clients authenticating through SSPI are also using
domain accounts, or authentication will fail.
</p></dd><dt><span class="term"><code class="literal">upn_username</code></span></dt><dd><p>
If this option is enabled along with <code class="literal">compat_realm</code>,
the user name from the Kerberos UPN is used for authentication. If
it is disabled (the default), the SAM-compatible user name is used.
By default, these two names are identical for new user accounts.
</p><p>
Note that <span class="application">libpq</span> uses the SAM-compatible name if no
explicit user name is specified. If you use
<span class="application">libpq</span> or a driver based on it, you should
leave this option disabled or explicitly specify the user name in the
connection string.
</p></dd><dt><span class="term"><code class="literal">map</code></span></dt><dd><p>
Allows for mapping between system and database user names. See
<a class="xref" href="auth-username-maps.html" title="20.2. User Name Maps">Section 20.2</a> for details. For an SSPI/Kerberos
principal, such as <code class="literal">username@EXAMPLE.COM</code> (or, less
commonly, <code class="literal">username/hostbased@EXAMPLE.COM</code>), the
user name used for mapping is
<code class="literal">username@EXAMPLE.COM</code> (or
<code class="literal">username/hostbased@EXAMPLE.COM</code>, respectively),
unless <code class="literal">include_realm</code> has been set to 0, in which case
<code class="literal">username</code> (or <code class="literal">username/hostbased</code>)
is what is seen as the system user name when mapping.
</p></dd><dt><span class="term"><code class="literal">krb_realm</code></span></dt><dd><p>
Sets the realm to match user principal names against. If this parameter
is set, only users of that realm will be accepted. If it is not set,
users of any realm can connect, subject to whatever user name mapping
is done.
</p></dd></dl></div><p>
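Added illustration, not part of the PostgreSQL documentation: a Python model of how the name passed to user name mapping is derived from an SSPI/Kerberos principal under <code class="literal">include_realm</code> and <code class="literal">krb_realm</code>, and how that name is then checked against a constructed <code class="filename">pg_ident.conf</code> map of the kind recommended above (the map contents and the helper function names are assumptions, and the model is a simplification of the server's own checks).

```python
import re

def mapping_name(principal, include_realm=1, krb_realm=None):
    """Name handed to user name mapping for an SSPI/Kerberos principal.
    Models the include_realm and krb_realm rules; None means the
    connection is rejected before mapping (assumed simplification)."""
    user, sep, realm = principal.rpartition("@")
    if not sep:
        return None                      # not a full principal
    if krb_realm is not None and realm != krb_realm:
        return None                      # krb_realm restricts to one realm
    return user if include_realm == 0 else principal

# Constructed pg_ident.conf content (not from the page). Fields are
# MAPNAME SYSTEM-USERNAME PG-USERNAME; a SYSTEM-USERNAME starting with
# "/" is a regular expression and "\1" in PG-USERNAME is its first group.
PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME            PG-USERNAME
sspimap    /^(.*)@EXAMPLE\.COM$       \1
sspimap    admin@EXAMPLE.COM          postgres
"""

def parse_ident(text):
    """Parse pg_ident.conf lines into (mapname, system_name, pg_name) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            rows.append(tuple(line.split()))
    return rows

def apply_map(rows, mapname, sysname):
    """Database roles that sysname may connect as through mapname."""
    roles = set()
    for name, pattern, pg_name in rows:
        if name != mapname:
            continue
        if pattern.startswith("/"):            # regex entry
            m = re.match(pattern[1:], sysname)
            if m:
                roles.add(pg_name.replace(r"\1", m.group(1)) if m.groups() else pg_name)
        elif pattern == sysname:               # literal entry
            roles.add(pg_name)
    return roles

def allowed_roles(principal, include_realm=1, krb_realm=None,
                  ident=PG_IDENT, mapname="sspimap"):
    """End-to-end: principal -> mapping name -> roles permitted by the map."""
    sysname = mapping_name(principal, include_realm, krb_realm)
    return set() if sysname is None else apply_map(parse_ident(ident), mapname, sysname)
```

With include_realm set to 0 and no krb_realm, alice@EXAMPLE.COM and alice@EVIL.ORG both reach the map as plain alice, which is the multi-realm collision the include_realm entry warns about; keeping the default of 1 lets the realm-anchored map reject the foreign principal.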
</p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="gssapi-auth.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-ident.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">20.6. GSSAPI Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 20.8. Ident Authentication</td></tr></table></div></body></html>