From: Bruce Momjian Date: Sat, 20 Feb 2010 19:21:14 +0000 (+0000) Subject: Clarify documentation about username mapping when authenticating with X-Git-Tag: REL9_0_ALPHA5~239 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=786e2f6871628ea373e8976ec07fb69e77ca184d;p=postgresql Clarify documentation about username mapping when authenticating with GSSAPI or Kerberos. Ian Turner --- diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index feb9511c5e..26a7de6d0a 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1,4 +1,4 @@ - + Client Authentication @@ -824,23 +824,28 @@ omicron bryanh guest1 The following configuration options are supported for GSSAPI: - map + include_realm - Allows for mapping between system and database usernames. See - for details. + If set to 1, the realm name from the authenticated user + principal is included in the system user name that's passed through + username mapping (). This is + useful for handling users from multiple realms. - include_realm + map - If set to 1, the realm name from the authenticated user - principal is included in the system user name that's passed through - username mapping (). This is - useful for handling users from multiple realms. + Allows for mapping between system and database usernames. See + for details. For a Kerboros + principal username/hostbased@EXAMPLE.COM, the + username used for mapping is username/hostbased + if include_realm is disabled, and + username/hostbased@EXAMPLE.COM if + include_realm is enabled. 
@@ -1027,10 +1032,10 @@ omicron bryanh guest1 When connecting to the database make sure you have a ticket for a principal matching the requested database user name. For example, for - database user name fred, both principal - fred@EXAMPLE.COM and - fred/users.example.com@EXAMPLE.COM could be used to - authenticate to the database server. + database user name fred, principal + fred@EXAMPLE.COM would be able to connect. To also allow + principle fred/users.example.com@EXAMPLE.COM, use a username + map, as described in .
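Review bot: In the second hunk (@@ -824,23 +824,28 @@), the text added under map misspells Kerberos as "Kerboros" in "For a Kerboros principal username/hostbased@EXAMPLE.COM"; please correct the spelling. The added sentences show that with include_realm disabled the mapping sees only username/hostbased, so it would help to state there that the realm is dropped and that the same principal name from two different realms then reaches the map as one system user name. That is the situation the include_realm entry refers to as "handling users from multiple realms", and the map entry is where a reader configuring the mapping will look for it.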
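Review bot: In the third hunk (@@ -1027,10 +1032,10 @@), "principle fred/users.example.com@EXAMPLE.COM" should read "principal", matching "principal fred@EXAMPLE.COM" in the sentence just before it. The wording also changes what is documented: the removed lines said both principals could authenticate as fred, while the added lines say the host-based one needs a username map. A short statement of the system user name that the map has to match (fred/users.example.com when include_realm is disabled, per the map entry added earlier in this patch) would save the reader the cross-reference.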