with_gssapi
with_krb_srvnam
with_pam
+with_bsd_auth
with_ldap
with_bonjour
with_openssl
--with-krb-srvnam=NAME default service principal name in Kerberos (GSSAPI)
[postgres]
--with-pam build with PAM support
+ --with-bsd-auth build with BSD Authentication support
--with-ldap build with LDAP support
--with-bonjour build with Bonjour support
--with-openssl build with OpenSSL support
$as_echo "$with_pam" >&6; }
+#
+# BSD AUTH
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with BSD Authentication support" >&5
+$as_echo_n "checking whether to build with BSD Authentication support... " >&6; }
+
+
+
+# Check whether --with-bsd-auth was given.
+if test "${with_bsd_auth+set}" = set; then :
+ withval=$with_bsd_auth;
+ case $withval in
+ yes)
+
+$as_echo "#define USE_BSD_AUTH 1" >>confdefs.h
+
+ ;;
+ no)
+ :
+ ;;
+ *)
+ as_fn_error $? "no argument expected for --with-bsd-auth option" "$LINENO" 5
+ ;;
+ esac
+
+else
+ with_bsd_auth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_bsd_auth" >&5
+$as_echo "$with_bsd_auth" >&6; }
+
+
#
# LDAP
#
done
+fi
+
+if test "$with_bsd_auth" = yes ; then
+ ac_fn_c_check_header_mongrel "$LINENO" "bsd_auth.h" "ac_cv_header_bsd_auth_h" "$ac_includes_default"
+if test "x$ac_cv_header_bsd_auth_h" = xyes; then :
+
+else
+ as_fn_error $? "header file <bsd_auth.h> is required for BSD Authentication support" "$LINENO" 5
+fi
+
+
fi
if test "$with_systemd" = yes ; then
AC_MSG_RESULT([$with_pam])
+#
+# BSD AUTH
+#
+AC_MSG_CHECKING([whether to build with BSD Authentication support])
+PGAC_ARG_BOOL(with, bsd-auth, no,
+ [build with BSD Authentication support],
+ [AC_DEFINE([USE_BSD_AUTH], 1, [Define to 1 to build with BSD Authentication support. (--with-bsd-auth)])])
+AC_MSG_RESULT([$with_bsd_auth])
+
+
#
# LDAP
#
[AC_MSG_ERROR([header file <security/pam_appl.h> or <pam/pam_appl.h> is required for PAM.])])])
fi
+if test "$with_bsd_auth" = yes ; then
+ AC_CHECK_HEADER(bsd_auth.h, [], [AC_MSG_ERROR([header file <bsd_auth.h> is required for BSD Authentication support])])
+fi
+
if test "$with_systemd" = yes ; then
AC_CHECK_HEADER(systemd/sd-daemon.h, [], [AC_MSG_ERROR([header file <systemd/sd-daemon.h> is required for systemd support])])
fi
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><literal>bsd</></term>
+ <listitem>
+ <para>
+ Authenticate using the BSD Authentication service provided by the
+ operating system. See <xref linkend="auth-bsd"> for details.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
</para>
</note>
</sect2>
+
+ <sect2 id="auth-bsd">
+ <title>BSD Authentication</title>
+
+ <indexterm zone="auth-bsd">
+ <primary>BSD Authentication</primary>
+ </indexterm>
+
+ <para>
+ This authentication method operates similarly to
+ <literal>password</literal> except that it uses BSD Authentication
+ to verify the password. BSD Authentication is used only
+ to validate user name/password pairs. Therefore the user's role must
+ already exist in the database before BSD Authentication can be used
+ for authentication. The BSD Authentication framework is currently
+ only available on OpenBSD.
+ </para>
+
+ <para>
+ BSD Authentication in <productname>PostgreSQL</> uses
+ the <literal>auth-postgresql</literal> login type and authenticates with
+ the <literal>postgresql</literal> login class if that's defined
+ in <filename>login.conf</filename>. By default that login class does not
+ exist, and <productname>PostgreSQL</> will use the default login class.
+ </para>
+
+ <note>
+ <para>
+ To use BSD Authentication, the PostgreSQL user account (that is, the
+ operating system user running the server) must first be added to
+ the <literal>auth</literal> group. The <literal>auth</literal> group
+ exists by default on OpenBSD systems.
+ </para>
+ </note>
+ </sect2>
</sect1>
<sect1 id="client-authentication-problems">
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--with-bsd-auth</option></term>
+ <listitem>
+ <para>
+ Build with BSD Authentication support.
+ (The BSD Authentication framework is
+ currently only available on OpenBSD.)
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--with-ldap</option></term>
<listitem>
#endif /* USE_PAM */
+/*----------------------------------------------------------------
+ * BSD authentication
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+#include <bsd_auth.h>
+
+static int CheckBSDAuth(Port *port, char *user);
+#endif /* USE_BSD_AUTH */
+
+
/*----------------------------------------------------------------
* LDAP authentication
*----------------------------------------------------------------
case uaPAM:
errstr = gettext_noop("PAM authentication failed for user \"%s\"");
break;
+ case uaBSD:
+ errstr = gettext_noop("BSD authentication failed for user \"%s\"");
+ break;
case uaLDAP:
errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
break;
#endif /* USE_PAM */
break;
+ case uaBSD:
+#ifdef USE_BSD_AUTH
+ status = CheckBSDAuth(port, port->user_name);
+#else
+ Assert(false);
+#endif /* USE_BSD_AUTH */
+ break;
+
case uaLDAP:
#ifdef USE_LDAP
status = CheckLDAPAuth(port);
#endif /* USE_PAM */
+/*----------------------------------------------------------------
+ * BSD authentication system
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+static int
+CheckBSDAuth(Port *port, char *user)
+{
+ char *passwd;
+ int retval;
+
+ /* Send regular password request to client, and get the response */
+ sendAuthRequest(port, AUTH_REQ_PASSWORD);
+
+ passwd = recv_password_packet(port);
+ if (passwd == NULL)
+ return STATUS_EOF;
+
+ /*
+ * Ask the BSD auth system to verify password. Note that auth_userokay
+ * will overwrite the password string with zeroes, but it's just a
+ * temporary string so we don't care.
+ */
+ retval = auth_userokay(user, NULL, "auth-postgresql", passwd);
+
+ if (!retval)
+ return STATUS_ERROR;
+
+ return STATUS_OK;
+}
+#endif /* USE_BSD_AUTH */
+
/*----------------------------------------------------------------
* LDAP authentication system
parsedline->auth_method = uaPAM;
#else
unsupauth = "pam";
+#endif
+ else if (strcmp(token->string, "bsd") == 0)
+#ifdef USE_BSD_AUTH
+ parsedline->auth_method = uaBSD;
+#else
+ unsupauth = "bsd";
#endif
else if (strcmp(token->string, "ldap") == 0)
#ifdef USE_LDAP
#ifdef USE_PAM
"pam", "pam ",
#endif
+#ifdef USE_BSD_AUTH
+ "bsd",
+#endif
#ifdef USE_LDAP
"ldap",
#endif
#ifdef USE_PAM
"pam", "pam ",
#endif
+#ifdef USE_BSD_AUTH
+ "bsd",
+#endif
#ifdef USE_LDAP
"ldap",
#endif
uaGSS,
uaSSPI,
uaPAM,
+ uaBSD,
uaLDAP,
uaCert,
uaRADIUS,
/* Define to 1 to build with Bonjour support. (--with-bonjour) */
#undef USE_BONJOUR
+/* Define to 1 to build with BSD Authentication support. (--with-bsd-auth) */
+#undef USE_BSD_AUTH
+
/* Define to 1 if you want float4 values to be passed by value.
(--enable-float4-byval) */
#undef USE_FLOAT4_BYVAL
/* Define to 1 to build with Bonjour support. (--with-bonjour) */
/* #undef USE_BONJOUR */
+/* Define to 1 to build with BSD Authentication support. (--with-bsd-auth) */
+/* #undef USE_BSD_AUTH */
+
/* Define to 1 if you want 64-bit integer timestamp and interval support.
(--enable-integer-datetimes) */
/* #undef USE_INTEGER_DATETIMES */