The following subsections describe the authentication methods in more detail.
When trust authentication is specified, PostgreSQL assumes that anyone who can connect to the server is authorized to access the database with whatever database user name they specify (including superusers). Of course, restrictions made in the database and user columns still apply. This method should only be used when there is adequate operating-system-level protection on connections to the server.
trust authentication is appropriate and very convenient for local connections on a single-user workstation. It is usually not appropriate by itself on a multiuser machine. However, you may be able to use trust even on a multiuser machine if you restrict access to the server's Unix-domain socket file using file-system permissions. To do this, set the unix_socket_permissions (and possibly unix_socket_group) configuration parameters as described in Section 17.3. Or you could set the unix_socket_directory configuration parameter to place the socket file in a suitably restricted directory.
Setting file-system permissions only helps for Unix-socket connections. Local TCP/IP connections are not restricted by it; therefore, if you want to use file-system permissions for local security, remove the host ... 127.0.0.1 ... line from pg_hba.conf, or change it to a non-trust authentication method.
trust authentication is only suitable for TCP/IP connections if you trust every user on every machine that is allowed to connect to the server by the pg_hba.conf lines that specify trust. It is seldom reasonable to use trust for any TCP/IP connections other than those from localhost (127.0.0.1), and even a localhost trust line lets every local operating-system account connect as any database user, superusers included.
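The rules in the paragraphs above can be checked mechanically. The following auditor is an added example (it is not code from the PostgreSQL documentation or project): it parses pg_hba.conf records in the format this chapter uses and classifies every trust entry by who it lets in. The SAMPLE_HBA text is constructed for illustration; the severity labels are this example's own.

```python
# Added example (not from the PostgreSQL documentation): a small auditor that
# parses pg_hba.conf records and flags every `trust` entry according to the
# rules in the text above. SAMPLE_HBA is constructed for illustration.
import ipaddress

SAMPLE_HBA = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS      METHOD
local   all       all                     trust
host    all       all   127.0.0.1/32      trust
host    all       all   ::1/128           md5
host    all       all   192.168.0.0/16    trust
host    all       all   0.0.0.0/0         trust
"""


def parse_hba(text):
    """Yield (line_no, type, database, user, network, method) per record.

    '#' starts a comment and blank lines are skipped, as in pg_hba.conf.
    `local` records carry no address (network is None).  host-style records
    (host, hostssl, hostnossl) accept either CIDR or "ip-address ip-mask".
    """
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) < 4:
                raise ValueError(f"line {n}: malformed local record")
            yield n, "local", f[1], f[2], None, f[3]
            continue
        if f[0] not in ("host", "hostssl", "hostnossl") or len(f) < 5:
            raise ValueError(f"line {n}: malformed record")
        if "/" in f[3]:
            net, rest = ipaddress.ip_network(f[3], strict=False), f[4:]
        else:
            if len(f) < 6:
                raise ValueError(f"line {n}: ip-address without ip-mask")
            net, rest = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False), f[5:]
        yield n, f[0], f[1], f[2], net, rest[0]


def audit_trust(text):
    """Return [(line_no, severity, message)] for every `trust` record.

    info:     local + trust: acceptable only when the socket file itself is
              protected (unix_socket_permissions/unix_socket_group, or a
              restricted unix_socket_directory).
    warn:     host + trust limited to loopback: socket permissions do not
              apply to TCP/IP, so every local OS account can connect as any
              database user, superusers included.
    critical: host + trust from anything wider: every user on every
              reachable machine gets the same.
    """
    findings = []
    for n, typ, db, user, net, method in parse_hba(text):
        if method != "trust":
            continue
        if typ == "local":
            findings.append((n, "info", "local trust: protect the Unix socket file"))
        elif net.is_loopback:
            findings.append((n, "warn", f"trust over TCP/IP from {net}: any local account becomes any database user"))
        else:
            findings.append((n, "critical", f"trust over TCP/IP from {net}: every user on every host in the range is trusted"))
    return findings


if __name__ == "__main__":
    for n, sev, msg in audit_trust(SAMPLE_HBA):
        print(f"line {n}: {sev}: {msg}")
```

Run against a real file with `audit_trust(open("pg_hba.conf").read())`. The "info" finding for the local line is deliberately not a pass: whether it is safe depends on the socket-file settings in postgresql.conf, which this auditor does not read.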
The password-based authentication methods are md5, crypt, and password. These methods operate similarly except for the way the password is sent across the connection: MD5-hashed, crypt-encrypted, and clear-text respectively. A limitation is that the crypt method does not work with passwords that have been encrypted in pg_authid.
If you are at all concerned about password "sniffing" attacks then md5 is preferred, with crypt a second choice only if you must support pre-7.2 clients. Plain password should be avoided, especially for connections over the open Internet (unless you use SSL, SSH, or another communications security wrapper around the connection).
PostgreSQL database passwords are separate from operating system user passwords. The password for each database user is stored in the pg_authid system catalog. Passwords can be managed with the SQL commands CREATE USER and ALTER USER, for example CREATE USER foo WITH PASSWORD 'secret';. By default, that is, if no password has been set up, the stored password is null and password authentication will always fail for that user.
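What "MD5-hashed" means on the wire, and what it does and does not protect, is easiest to see by reproducing the computation. The block below is an added example, not code from PostgreSQL; it implements the scheme PostgreSQL uses for the md5 method (the catalog keeps "md5" plus the hex MD5 of password followed by user name, and on connect the client answers the server's 4-byte salt with the hex MD5 of that stored hex followed by the salt). The user name, password and salts are constructed for the example.

```python
# Added example (not PostgreSQL's code): the hashing the `md5` method performs.
# It reproduces the scheme PostgreSQL uses for md5 passwords: pg_authid keeps
# "md5" + hex(MD5(password || user name)); at connect time the server sends a
# random 4-byte salt and the client answers "md5" + hex(MD5(stored_hex || salt)).
# The user name, password and salts below are constructed for the example.
import hashlib
import hmac


def stored_md5(username, password):
    """What CREATE USER foo WITH PASSWORD 'secret' leaves in pg_authid for the
    md5 method.  The user name acts as the salt, so the same password for two
    users hashes differently, but the value is fixed for the password's life."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def client_answer(username, password, salt):
    """Value the client puts on the wire after the server requested md5
    authentication with `salt`.  The clear-text password never leaves the
    client; only this salted hash does."""
    inner = stored_md5(username, password)[3:]      # drop the "md5" prefix
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def answer_from_stored(stored, salt):
    """The same answer computed from the catalog value alone.  Anyone who can
    read pg_authid (or a dump of it) can answer every future challenge without
    ever learning the password: the stored hash is password-equivalent."""
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()


def server_verify(stored, salt, answer):
    """Server side: recompute the expected answer from the catalog value and
    compare in constant time."""
    return hmac.compare_digest(answer_from_stored(stored, salt), answer)


def demo():
    user, password = "foo", "secret"
    salt_a = b"\x01\x02\x03\x04"      # constructed; a server would draw 4 random bytes
    salt_b = b"\xaa\xbb\xcc\xdd"
    stored = stored_md5(user, password)
    sniffed = client_answer(user, password, salt_a)
    fresh_ok = server_verify(stored, salt_a, sniffed)      # genuine login
    replay_ok = server_verify(stored, salt_b, sniffed)     # replayed capture against a new salt
    pass_the_hash = server_verify(stored, salt_b, answer_from_stored(stored, salt_b))
    return fresh_ok, replay_ok, pass_the_hash


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The three results summarise the method's security: a passive sniffer does not learn the password and cannot replay what it captured, but a captured salt and answer can still be attacked offline by guessing passwords with the same computation, and a copy of pg_authid is as good as the password itself. Keep pg_authid (and dumps of it) as closely held as the passwords, and prefer SSL for any connection where an eavesdropper is plausible.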
Kerberos is an industry-standard secure authentication system suitable for distributed computing over a public network. A description of the Kerberos system is far beyond the scope of this document; in full generality it can be quite complex (yet powerful). The Kerberos FAQ or the MIT Kerberos page can be good starting points for exploration. Several sources for Kerberos distributions exist. Kerberos provides secure authentication but does not encrypt queries or data passed over the network; for that, use SSL.
PostgreSQL supports Kerberos version 5. Kerberos support has to be enabled when PostgreSQL is built; see Chapter 14 for more information.
PostgreSQL operates like a normal Kerberos service. The name of the service principal is servicename/hostname@realm.
servicename can be set on the server side using the krb_srvname configuration parameter, and on the client side using the krbsrvname connection parameter (see also Section 29.1). The installation default can be changed from the default postgres at build time using ./configure --with-krb-srvnam=whatever. In most environments this parameter never needs to be changed. However, it is necessary if you want to support multiple PostgreSQL installations on the same host. Some Kerberos implementations may also require a different service name; for example, Microsoft Active Directory requires the service name to be in uppercase (POSTGRES).
hostname is the fully qualified host name of the server machine. The service principal's realm is the preferred realm of the server machine.
Client principals must have their PostgreSQL database user name as their first component, for example pgusername/otherstuff@realm. At present the realm of the client is not checked by PostgreSQL; so if you have cross-realm authentication enabled, then any principal in any realm that can communicate with yours will be accepted, including a principal whose first component is the name of a superuser.
Make sure that your server keytab file is readable (and preferably only readable) by the PostgreSQL server account (see also Section 16.1). The location of the key file is specified by the krb_server_keyfile configuration parameter. The default is /usr/local/pgsql/etc/krb5.keytab (or whichever directory was specified as sysconfdir at build time).
The keytab file is generated by the Kerberos software; see the Kerberos documentation for details. The following example is for MIT-compatible Kerberos 5 implementations:
kadmin% ank -randkey postgres/server.my.domain.org
kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org
When connecting to the database, make sure you have a ticket for a principal matching the requested database user name. For example, for database user name fred, both principal fred@EXAMPLE.COM and fred/users.example.com@EXAMPLE.COM could be used to authenticate to the database server.
If you use mod_auth_kerb and mod_perl on your Apache web server, you can use AuthType KerberosV5SaveCredentials with a mod_perl script. This gives secure database access over the web with no extra passwords required.
The ident authentication method works by obtaining the client's operating system user name, then determining the allowed database user names using a map file that lists the permitted corresponding pairs of names. The determination of the client's user name is the security-critical point, and it works differently depending on the connection type.
The "Identification Protocol" is described in RFC 1413. Virtually every Unix-like operating system ships with an ident server that listens on TCP port 113 by default. The basic functionality of an ident server is to answer questions like "What user initiated the connection that goes out of your port X and connects to my port Y?". Since PostgreSQL knows both X and Y when a physical connection is established, it can interrogate the ident server on the host of the connecting client and could theoretically determine the operating system user for any given connection this way.
The drawback of this procedure is that it depends on the integrity of the client: if the client machine is untrusted or compromised, an attacker could run just about any program on port 113 and return any user name he chooses. This authentication method is therefore only appropriate for closed networks where each client machine is under tight control and where the database and system administrators operate in close contact. In other words, you must trust the machine running the ident server. Heed the warning:
The Identification Protocol is not intended as an authorization or access control protocol.
--RFC 1413
Some ident servers have a nonstandard option that causes the returned user name to be encrypted, using a key that only the originating machine's administrator knows. This option must not be used when using the ident server with PostgreSQL, since PostgreSQL does not have any way to decrypt the returned string to determine the actual user name.
On systems supporting SO_PEERCRED requests for Unix-domain sockets (currently Linux, FreeBSD, NetBSD, OpenBSD, and BSD/OS), ident authentication can also be applied to local connections. In this case, no security risk is added by using ident authentication; indeed it is a preferable choice for local connections on such systems.
On systems without SO_PEERCRED requests, ident authentication is only available for TCP/IP connections. As a work-around, it is possible to specify the localhost address 127.0.0.1 and make connections to this address. This method is trustworthy to the extent that you trust the local ident server.
When using ident-based authentication, after having determined the name of the operating system user that initiated the connection, PostgreSQL checks whether that user is allowed to connect as the database user he is requesting. This is controlled by the ident map argument that follows the ident key word in the pg_hba.conf file. There is a predefined ident map sameuser, which allows any operating system user to connect as the database user of the same name (if the latter exists). Other maps must be created manually.
Ident maps other than sameuser are defined in the ident map file, which by default is named pg_ident.conf and is stored in the cluster's data directory. (It is possible to place the map file elsewhere, however; see the ident_file configuration parameter.) The ident map file contains lines of the general form:
map-name ident-username database-username
Comments and whitespace are handled in the same way as in the pg_hba.conf file. The map-name is an arbitrary name that will be used to refer to this mapping in pg_hba.conf. The other two fields specify which operating system user is allowed to connect as which database user. The same map-name can be used repeatedly to specify more user mappings within a single map. There is no restriction on how many database users a given operating system user may correspond to, nor vice versa.
The pg_ident.conf file is read on start-up and when the main server process receives a SIGHUP signal. If you edit the file on an active system, you will need to signal the server (using pg_ctl reload or kill -HUP) to make it re-read the file.
A pg_ident.conf file that could be used in conjunction with the pg_hba.conf file in Example 20-1 is shown in Example 20-2. In this example setup, anyone logged in to a machine on the 192.168 network that does not have the Unix user name bryanh, ann, or robert would not be granted access. Unix user robert would only be allowed access when he tries to connect as PostgreSQL user bob, not as robert or anyone else. ann would only be allowed to connect as ann. User bryanh would be allowed to connect as either bryanh himself or as guest1.
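The two halves of ident authentication described in this section, the RFC 1413 exchange with the client host's ident server and the pg_ident.conf map lookup, are reproduced below as one added example. It is not PostgreSQL's code; the ident replies, the map file contents and the map name "omicron" are constructed for the example (the map reproduces the bryanh/ann/robert rules stated above). The forged reply at the end is the RFC 1413 warning made concrete: the name is whatever the remote host chooses to say.

```python
# Added example (not PostgreSQL's code): the two steps of ident authentication.
# Step 1 is the RFC 1413 exchange with the ident server on the client host
# (TCP 113) that yields the client's OS user name; step 2 is the pg_ident.conf
# lookup that decides which database user that OS user may become.  The ident
# replies, the map file and the map name "omicron" are constructed here.


class IdentError(Exception):
    """The ident server answered with an ERROR response."""


def ident_request(their_port, our_port):
    """Request line the database server sends: "what user owns the connection
    from your port X to my port Y?" (RFC 1413: <port-on-server> , <port-on-client>,
    where "server" is the host running identd, i.e. the PostgreSQL client)."""
    return f"{their_port} , {our_port}\r\n"


def parse_ident_reply(line, their_port, our_port):
    """Parse an ident reply and return (user_id, opsys).

    Accepted forms (RFC 1413):
        <port-pair> : USERID : <opsys> : <user-id>
        <port-pair> : ERROR  : <error-type>
    The port pair must echo the request; the user-id may itself contain ':',
    so the line is split into at most four fields.
    """
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    if len(fields) < 3:
        raise ValueError(f"malformed ident reply: {line!r}")
    ports = [p.strip() for p in fields[0].split(",")]
    if ports != [str(their_port), str(our_port)]:
        raise ValueError(f"ident reply for wrong port pair: {fields[0]!r}")
    if fields[1] == "ERROR":
        raise IdentError(fields[2])
    if fields[1] != "USERID" or len(fields) != 4 or not fields[3]:
        raise ValueError(f"malformed ident reply: {line!r}")
    opsys = fields[2].split(",", 1)[0].strip()      # opsys may carry a charset
    return fields[3], opsys


SAMPLE_PG_IDENT = """\
# MAPNAME  IDENT-USERNAME  PG-USERNAME
omicron    bryanh          bryanh
omicron    bryanh          guest1
omicron    ann             ann
omicron    robert          bob
"""


def parse_ident_map(text):
    """Return {map-name: {(os_user, db_user), ...}} from pg_ident.conf text.
    Comments ('#') and blank lines are handled as in pg_hba.conf."""
    maps = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"pg_ident.conf line {n}: expected 3 fields")
        maps.setdefault(fields[0], set()).add((fields[1], fields[2]))
    return maps


def ident_allowed(maps, map_name, os_user, db_user):
    """`sameuser` is predefined: the OS user may become the database user of
    the same name.  Any other map must list the (os_user, db_user) pair."""
    if map_name == "sameuser":
        return os_user == db_user
    return (os_user, db_user) in maps.get(map_name, set())


def authenticate(reply, their_port, our_port, maps, map_name, requested_db_user):
    """Full ident decision for one connection: True if the OS user reported by
    the remote ident server may connect as `requested_db_user`."""
    try:
        os_user, _ = parse_ident_reply(reply, their_port, our_port)
    except (IdentError, ValueError):
        return False
    return ident_allowed(maps, map_name, os_user, requested_db_user)


if __name__ == "__main__":
    maps = parse_ident_map(SAMPLE_PG_IDENT)
    honest = "6191 , 5432 : USERID : UNIX : robert\r\n"
    print(authenticate(honest, 6191, 5432, maps, "omicron", "bob"))      # True
    print(authenticate(honest, 6191, 5432, maps, "omicron", "robert"))   # False
    # A compromised client host can answer with any name it likes:
    forged = "6191 , 5432 : USERID : UNIX : bryanh\r\n"
    print(authenticate(forged, 6191, 5432, maps, "omicron", "guest1"))   # True
```

The port-pair check and the ERROR handling are what a careful implementation must do; the forged case shows what no implementation can do, which is tell an honest identd from a program an attacker started on port 113. That is why the text restricts this method to closed networks, and why the local-socket variant based on SO_PEERCRED (where the kernel, not a remote process, reports the user) is the preferable form.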
The ldap authentication method operates similarly to password except that it uses LDAP as the authentication mechanism. LDAP is used only to validate the user name/password pairs. Therefore the user must already exist in the database before LDAP can be used for authentication. The LDAP server and its parameters are given after the ldap key word in the pg_hba.conf file. The format of this parameter is:
ldap[s]://servername[:port]/base dn[;prefix[;suffix]]
for example:
ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\
If ldaps is specified instead of ldap, TLS encryption will be enabled for the connection. Note that this encrypts only the connection between the PostgreSQL server and the LDAP server; the connection between the client and the PostgreSQL server is not affected by this setting. To use TLS encryption, you may need to configure the LDAP library before configuring PostgreSQL. Note that encrypted LDAP is available only if the platform's LDAP library supports it.
If no port is specified, the default port configured in the LDAP library will be used.
The server will bind to the distinguished name specified as base dn using the user name supplied by the client. If prefix and suffix are specified, they will be prepended and appended to the user name before the bind. Typically, the prefix parameter is used to specify cn=, or DOMAIN\ in an Active Directory environment.
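To make the parameter format and the prefix/suffix rule concrete, the following added example (not PostgreSQL's code) parses the ldap parameter as documented above and builds the bind name the text describes. The first input is the page's own example; the second, with ldaps, an explicit port and a suffix, is constructed. The LdapAuth class and its field names are this example's own.

```python
# Added example (not PostgreSQL's code): a parser for the ldap parameter format
# shown above, ldap[s]://servername[:port]/base dn[;prefix[;suffix]], plus the
# bind-name construction the text describes (prefix + user name + suffix).
# PAGE_EXAMPLE is the page's own sample; CONSTRUCTED is made up for this example.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LdapAuth:
    use_tls: bool          # True for ldaps://
    host: str
    port: Optional[int]    # None: whatever default the LDAP library is configured with
    base_dn: str
    prefix: str
    suffix: str

    def bind_name(self, user):
        """Name the server binds as on behalf of the client: prefix, then the
        client-supplied user name, then suffix.  Only names that already exist
        as database users reach this point, per the text above."""
        return f"{self.prefix}{user}{self.suffix}"


def parse_ldap_param(param):
    """Parse the pg_hba.conf ldap parameter into an LdapAuth.

    Raises ValueError for an unknown scheme, a missing server name or base dn,
    an out-of-range port, or more than two ';' fields after the base dn.
    """
    scheme, sep, rest = param.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"expected ldap:// or ldaps://: {param!r}")
    hostport, sep, tail = rest.partition("/")
    if not sep or not hostport:
        raise ValueError(f"missing server name or base dn: {param!r}")
    host, _, port_text = hostport.partition(":")
    port = None
    if port_text:
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port: {port_text!r}")
    base_dn, *opts = tail.split(";")
    if len(opts) > 2:
        raise ValueError(f"too many ';' fields: {param!r}")
    prefix = opts[0] if len(opts) > 0 else ""
    suffix = opts[1] if len(opts) > 1 else ""
    return LdapAuth(scheme == "ldaps", host, port, base_dn, prefix, suffix)


# The page's example (the trailing backslash is escaped in Python source).
PAGE_EXAMPLE = "ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\\"
# Constructed: TLS, explicit port, and a suffix that completes a full DN.
CONSTRUCTED = "ldaps://ldap.example.net:636/dc=example,dc=net;cn=;,ou=people,dc=example,dc=net"

if __name__ == "__main__":
    for p in (PAGE_EXAMPLE, CONSTRUCTED):
        cfg = parse_ldap_param(p)
        print(cfg.use_tls, cfg.host, cfg.port, cfg.bind_name("fred"))
```

With the page's example, user fred binds as EXAMPLE\fred over plain ldap://, which means the password the client sent to PostgreSQL is forwarded to the LDAP server in an unencrypted simple bind; the ldaps form is what keeps that second hop confidential, and SSL on the PostgreSQL connection is what protects the first hop, as the text above notes.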
The pam authentication method operates similarly to password except that it uses PAM (Pluggable Authentication Modules) as the authentication mechanism. The default PAM service name is postgresql. You can optionally supply your own service name after the pam key word in the pg_hba.conf file. PAM is used only to validate user name/password pairs. Therefore the user must already exist in the database before PAM can be used for authentication. For more information about PAM, please read the Linux-PAM page and the Solaris PAM page.