1996-10-11 11:12:18 +02:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
*
|
1999-02-14 00:22:53 +01:00
|
|
|
* hba.h
|
1997-09-07 07:04:48 +02:00
|
|
|
* Interface to hba.c
|
1996-10-11 11:12:18 +02:00
|
|
|
*
|
|
|
|
*
|
2010-09-20 22:08:53 +02:00
|
|
|
* src/include/libpq/hba.h
|
1996-10-11 11:12:18 +02:00
|
|
|
*
|
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
*/
|
|
|
|
#ifndef HBA_H
|
1997-09-07 07:04:48 +02:00
|
|
|
#define HBA_H
|
1996-10-11 11:12:18 +02:00
|
|
|
|
2012-06-10 21:20:04 +02:00
|
|
|
#include "libpq/pqcomm.h" /* pgrminclude ignore */ /* needed for NetBSD */
|
2002-04-04 06:25:54 +02:00
|
|
|
#include "nodes/pg_list.h"
|
Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format.
Similar changes were done to pg_hba.conf earlier already, this commit makes
pg_ident.conf to behave the same as pg_hba.conf.
This has two user-visible effects. First, if pg_ident.conf contains multiple
errors, the whole file is parsed at postmaster startup time and all the
errors are immediately reported. Before this patch, the file was parsed and
the errors were reported only when someone tries to connect using an
authentication method that uses the file, and the parsing stopped on first
error. Second, if you SIGHUP to reload the config files, and the new
pg_ident.conf file contains an error, the error is logged but the old file
stays in effect.
Also, regular expressions in pg_ident.conf are now compiled only once when
the file is loaded, rather than every time the a user is authenticated. That
should speed up authentication if you have a lot of regexps in the file.
Amit Kapila
2012-09-21 16:41:22 +02:00
|
|
|
#include "regex/regex.h"
|
2002-04-04 06:25:54 +02:00
|
|
|
|
2005-02-26 19:43:34 +01:00
|
|
|
|
1998-02-26 05:46:47 +01:00
|
|
|
typedef enum UserAuth
|
|
|
|
{
|
2001-10-28 07:26:15 +01:00
|
|
|
uaReject,
|
2010-04-19 21:02:18 +02:00
|
|
|
uaImplicitReject,
|
2001-10-28 07:26:15 +01:00
|
|
|
uaTrust,
|
|
|
|
uaIdent,
|
|
|
|
uaPassword,
|
2007-07-10 15:14:22 +02:00
|
|
|
uaMD5,
|
2007-07-23 12:16:54 +02:00
|
|
|
uaGSS,
|
2008-10-23 15:31:10 +02:00
|
|
|
uaSSPI,
|
|
|
|
uaPAM,
|
2008-11-20 12:48:26 +01:00
|
|
|
uaLDAP,
|
2010-01-27 13:12:00 +01:00
|
|
|
uaCert,
|
2011-03-19 18:44:35 +01:00
|
|
|
uaRADIUS,
|
|
|
|
uaPeer
|
1998-01-26 02:42:53 +01:00
|
|
|
} UserAuth;
|
|
|
|
|
2009-10-01 03:58:58 +02:00
|
|
|
typedef enum IPCompareMethod
|
|
|
|
{
|
|
|
|
ipCmpMask,
|
|
|
|
ipCmpSameHost,
|
2010-10-18 21:14:47 +02:00
|
|
|
ipCmpSameNet,
|
|
|
|
ipCmpAll
|
2009-10-01 03:58:58 +02:00
|
|
|
} IPCompareMethod;
|
|
|
|
|
2008-09-15 14:32:57 +02:00
|
|
|
typedef enum ConnType
|
|
|
|
{
|
|
|
|
ctLocal,
|
|
|
|
ctHost,
|
|
|
|
ctHostSSL,
|
|
|
|
ctHostNoSSL
|
|
|
|
} ConnType;
|
|
|
|
|
2011-06-20 23:20:14 +02:00
|
|
|
typedef struct HbaLine
|
2008-09-15 14:32:57 +02:00
|
|
|
{
|
|
|
|
int linenumber;
|
2013-03-10 15:54:37 +01:00
|
|
|
char *rawline;
|
2008-09-15 14:32:57 +02:00
|
|
|
ConnType conntype;
|
2011-06-20 23:20:14 +02:00
|
|
|
List *databases;
|
|
|
|
List *roles;
|
2008-09-15 14:32:57 +02:00
|
|
|
struct sockaddr_storage addr;
|
|
|
|
struct sockaddr_storage mask;
|
2009-10-01 03:58:58 +02:00
|
|
|
IPCompareMethod ip_cmp_method;
|
2010-10-15 21:53:39 +02:00
|
|
|
char *hostname;
|
2008-09-15 14:32:57 +02:00
|
|
|
UserAuth auth_method;
|
2008-10-23 15:31:10 +02:00
|
|
|
|
2008-09-15 14:32:57 +02:00
|
|
|
char *usermap;
|
2008-10-23 15:31:10 +02:00
|
|
|
char *pamservice;
|
2016-04-08 16:45:16 +02:00
|
|
|
bool pam_use_hostname;
|
2008-10-23 15:31:10 +02:00
|
|
|
bool ldaptls;
|
|
|
|
char *ldapserver;
|
|
|
|
int ldapport;
|
2009-12-12 22:35:21 +01:00
|
|
|
char *ldapbinddn;
|
|
|
|
char *ldapbindpasswd;
|
|
|
|
char *ldapsearchattribute;
|
|
|
|
char *ldapbasedn;
|
2012-12-04 05:29:56 +01:00
|
|
|
int ldapscope;
|
2008-10-23 15:31:10 +02:00
|
|
|
char *ldapprefix;
|
|
|
|
char *ldapsuffix;
|
2008-11-20 10:29:36 +01:00
|
|
|
bool clientcert;
|
2009-01-07 13:38:11 +01:00
|
|
|
char *krb_realm;
|
2009-01-07 14:09:21 +01:00
|
|
|
bool include_realm;
|
2010-01-27 13:12:00 +01:00
|
|
|
char *radiusserver;
|
|
|
|
char *radiussecret;
|
|
|
|
char *radiusidentifier;
|
|
|
|
int radiusport;
|
2008-09-15 14:32:57 +02:00
|
|
|
} HbaLine;
|
|
|
|
|
Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format.
Similar changes were done to pg_hba.conf earlier already, this commit makes
pg_ident.conf to behave the same as pg_hba.conf.
This has two user-visible effects. First, if pg_ident.conf contains multiple
errors, the whole file is parsed at postmaster startup time and all the
errors are immediately reported. Before this patch, the file was parsed and
the errors were reported only when someone tries to connect using an
authentication method that uses the file, and the parsing stopped on first
error. Second, if you SIGHUP to reload the config files, and the new
pg_ident.conf file contains an error, the error is logged but the old file
stays in effect.
Also, regular expressions in pg_ident.conf are now compiled only once when
the file is loaded, rather than every time the a user is authenticated. That
should speed up authentication if you have a lot of regexps in the file.
Amit Kapila
2012-09-21 16:41:22 +02:00
|
|
|
typedef struct IdentLine
|
|
|
|
{
|
2013-05-29 22:58:43 +02:00
|
|
|
int linenumber;
|
Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format.
Similar changes were done to pg_hba.conf earlier already, this commit makes
pg_ident.conf to behave the same as pg_hba.conf.
This has two user-visible effects. First, if pg_ident.conf contains multiple
errors, the whole file is parsed at postmaster startup time and all the
errors are immediately reported. Before this patch, the file was parsed and
the errors were reported only when someone tries to connect using an
authentication method that uses the file, and the parsing stopped on first
error. Second, if you SIGHUP to reload the config files, and the new
pg_ident.conf file contains an error, the error is logged but the old file
stays in effect.
Also, regular expressions in pg_ident.conf are now compiled only once when
the file is loaded, rather than every time the a user is authenticated. That
should speed up authentication if you have a lot of regexps in the file.
Amit Kapila
2012-09-21 16:41:22 +02:00
|
|
|
|
|
|
|
char *usermap;
|
|
|
|
char *ident_user;
|
|
|
|
char *pg_role;
|
2013-05-29 22:58:43 +02:00
|
|
|
regex_t re;
|
Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format.
Similar changes were done to pg_hba.conf earlier already, this commit makes
pg_ident.conf to behave the same as pg_hba.conf.
This has two user-visible effects. First, if pg_ident.conf contains multiple
errors, the whole file is parsed at postmaster startup time and all the
errors are immediately reported. Before this patch, the file was parsed and
the errors were reported only when someone tries to connect using an
authentication method that uses the file, and the parsing stopped on first
error. Second, if you SIGHUP to reload the config files, and the new
pg_ident.conf file contains an error, the error is logged but the old file
stays in effect.
Also, regular expressions in pg_ident.conf are now compiled only once when
the file is loaded, rather than every time the a user is authenticated. That
should speed up authentication if you have a lot of regexps in the file.
Amit Kapila
2012-09-21 16:41:22 +02:00
|
|
|
} IdentLine;
|
|
|
|
|
2009-08-29 21:26:52 +02:00
|
|
|
/* kluge to avoid including libpq/libpq-be.h here */
|
1999-09-27 05:13:16 +02:00
|
|
|
typedef struct Port hbaPort;
|
|
|
|
|
2008-09-15 14:32:57 +02:00
|
|
|
extern bool load_hba(void);
|
Parse pg_ident.conf when it's loaded, keeping it in memory in parsed format.
Similar changes were done to pg_hba.conf earlier already, this commit makes
pg_ident.conf to behave the same as pg_hba.conf.
This has two user-visible effects. First, if pg_ident.conf contains multiple
errors, the whole file is parsed at postmaster startup time and all the
errors are immediately reported. Before this patch, the file was parsed and
the errors were reported only when someone tries to connect using an
authentication method that uses the file, and the parsing stopped on first
error. Second, if you SIGHUP to reload the config files, and the new
pg_ident.conf file contains an error, the error is logged but the old file
stays in effect.
Also, regular expressions in pg_ident.conf are now compiled only once when
the file is loaded, rather than every time the a user is authenticated. That
should speed up authentication if you have a lot of regexps in the file.
Amit Kapila
2012-09-21 16:41:22 +02:00
|
|
|
extern bool load_ident(void);
|
2011-06-20 23:20:14 +02:00
|
|
|
extern void hba_getauthmethod(hbaPort *port);
|
2009-06-11 16:49:15 +02:00
|
|
|
extern int check_usermap(const char *usermap_name,
|
|
|
|
const char *pg_role, const char *auth_user,
|
|
|
|
bool case_sensitive);
|
2008-08-01 11:09:49 +02:00
|
|
|
extern bool pg_isblank(const char c);
|
2001-10-28 07:26:15 +01:00
|
|
|
|
2005-10-15 04:49:52 +02:00
|
|
|
#endif /* HBA_H */
|