1
- <!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.124 2009/10/01 01:58:57 tgl Exp $ -->
1
+ <!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.125 2009/12/12 21:35:21 mha Exp $ -->
2
2
3
3
<chapter id="client-authentication">
4
4
<title>Client Authentication</title>
@@ -1202,14 +1202,32 @@ omicron bryanh guest1
1202
1202
</para>
1203
1203
1204
1204
<para>
1205
- The server will bind to the distinguished name constructed as
1205
+ LDAP authentication can operate in two modes. In the first mode,
1206
+ the server will bind to the distinguished name constructed as
1206
1207
<replaceable>prefix</> <replaceable>username</> <replaceable>suffix</>.
1207
1208
Typically, the <replaceable>prefix</> parameter is used to specify
1208
1209
<literal>cn=</>, or <replaceable>DOMAIN</><literal>\</> in an Active
1209
1210
Directory environment. <replaceable>suffix</> is used to specify the
1210
1211
remaining part of the DN in a non-Active Directory environment.
1211
1212
</para>
1212
1213
1214
+ <para>
1215
+ In the second mode, the server first binds to the LDAP directory with
1216
+ a fixed username and password, specified with <replaceable>ldapbinduser</>
1217
+ and <replaceable>ldapbinddn</>, and performs a search for the user trying
1218
+ to log in to the database. If no user and password is configured, an
1219
+ anonymous bind will be attempted to the directory. The search will be
1220
+ performed over the subtree at <replaceable>ldapbasedn</>, and will try to
1221
+ do an exact match of the attribute specified in
1222
+ <replaceable>ldapsearchattribute</>. If no attribute is specified, the
1223
+ <literal>uid</> attribute will be used. Once the user has been found in
1224
+ this search, the server disconnects and re-binds to the directory as
1225
+ this user, using the password specified by the client, to verify that the
1226
+ login is correct. This method allows for significantly more flexibility
1227
+ in where the user objects are located in the directory, but will cause
1228
+ two separate connections to the LDAP server to be made.
1229
+ </para>
1230
+
1213
1231
<para>
1214
1232
The following configuration options are supported for LDAP:
1215
1233
<variablelist>
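Review bot: The new paragraph says the fixed bind credentials are "specified with ldapbinduser and ldapbinddn", but the options this patch adds to the list are ldapbinddn and ldapbindpasswd, so ldapbinduser names an option that does not exist; the sentence should read "specified with <replaceable>ldapbinddn</> and <replaceable>ldapbindpasswd</>". Two smaller points in the same paragraph: "If no user and password is configured" should be "are configured", and since the option entries below refer to "simple bind" and "search+bind" authentication, attaching those names to "the first mode" and "the second mode" here would let readers connect the description to the option list. The paragraph also does not say how the client-supplied username is handled before it is matched against ldapsearchattribute in the directory search; a sentence either way would help administrators judge the mode.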
@@ -1221,42 +1239,80 @@ omicron bryanh guest1
1221
1239
</para>
1222
1240
</listitem>
1223
1241
</varlistentry>
1242
+ <varlistentry>
1243
+ <term><literal>ldapport</literal></term>
1244
+ <listitem>
1245
+ <para>
1246
+ Port number on LDAP server to connect to. If no port is specified,
1247
+ the default port in the LDAP library will be used.
1248
+ </para>
1249
+ </listitem>
1250
+ </varlistentry>
1251
+ <varlistentry>
1252
+ <term><literal>ldaptls</literal></term>
1253
+ <listitem>
1254
+ <para>
1255
+ Set to <literal>1</> to make the connection between PostgreSQL and the
1256
+ LDAP server use TLS encryption. Note that this only encrypts
1257
+ the traffic to the LDAP server — the connection to the client
1258
+ will still be unencrypted unless SSL is used.
1259
+ </para>
1260
+ </listitem>
1261
+ </varlistentry>
1224
1262
<varlistentry>
1225
1263
<term><literal>ldapprefix</literal></term>
1226
1264
<listitem>
1227
1265
<para>
1228
- String to prepend to the username when forming the DN to bind as.
1266
+ String to prepend to the username when forming the DN to bind as,
1267
+ when doing simple bind authentication.
1229
1268
</para>
1230
1269
</listitem>
1231
1270
</varlistentry>
1232
1271
<varlistentry>
1233
1272
<term><literal>ldapsuffix</literal></term>
1234
1273
<listitem>
1235
1274
<para>
1236
- String to append to the username when forming the DN to bind as.
1275
+ String to append to the username when forming the DN to bind as,
1276
+ when doing simple bind authentication.
1237
1277
</para>
1238
1278
</listitem>
1239
1279
</varlistentry>
1240
1280
<varlistentry>
1241
- <term><literal>ldapport </literal></term>
1281
+ <term><literal>ldapbasedn </literal></term>
1242
1282
<listitem>
1243
1283
<para>
1244
- Port number on LDAP server to connect to. If no port is specified,
1245
- the default port in the LDAP library will be used .
1284
+ DN to root the search for the user in, when doing search+bind
1285
+ authentication .
1246
1286
</para>
1247
1287
</listitem>
1248
1288
</varlistentry>
1249
1289
<varlistentry>
1250
- <term><literal>ldaptls </literal></term>
1290
+ <term><literal>ldapbinddn </literal></term>
1251
1291
<listitem>
1252
1292
<para>
1253
- Set to <literal>1</> to make the connection between PostgreSQL and the
1254
- LDAP server use TLS encryption. Note that this only encrypts
1255
- the traffic to the LDAP server — the connection to the client
1256
- will still be unencrypted unless SSL is used.
1293
+ DN of user to bind to the directory with to perform the search when
1294
+ doing search+bind authentication.
1257
1295
</para>
1258
1296
</listitem>
1259
1297
</varlistentry>
1298
+ <varlistentry>
1299
+ <term><literal>ldapbindpasswd</literal></term>
1300
+ <listitem>
1301
+ <para>
1302
+ Password for user to bind to the directory with to perform the search
1303
+ when doing search+bind authentication.
1304
+ </para>
1305
+ </listitem>
1306
+ </varlistentry>
1307
+ <varlistentry>
1308
+ <term><literal>ldapsearchattribute</literal></term>
1309
+ <listitem>
1310
+ <para>
1311
+ Attribute to match against the username in the search when doing
1312
+ search+bind authentication.
1313
+ </para>
1314
+ </listitem>
1315
+ </varlistentry>
1260
1316
</variablelist>
1261
1317
</para>
1262
1318
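Review bot: The ldapbindpasswd entry should say what this credential can do: the account named by ldapbinddn is used only to search the subtree under ldapbasedn, so the description could recommend a dedicated account with search/read rights only, and note that the password is stored in plain text in the configuration alongside the other options. The ldapbinddn and ldapbindpasswd entries should also state that both are optional, with an anonymous bind attempted when they are absent, as the paragraph added above already says. Style points: the terms for ldapbasedn and ldapbinddn keep a trailing space inside <literal> ("<literal>ldapbasedn </literal>") that the moved ldapport and ldaptls entries just removed, and the ldapbasedn description has a stray space before the period in "authentication ."; both should match the other new entries. The ldapsearchattribute entry could repeat the uid default given in the paragraph above so that a reader scanning only the option list sees it.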