Add LDAP documentation missed in code patch.

Magnus Hagander
2006-06-16 15:16:16 +00:00 · 2006-06-16 15:16:16 +00:00 · 28b0d6bf62
parent 8fc2a5afa7
commit 28b0d6bf62
2 changed files with 79 additions and 3 deletions
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.89 2006/04/30 21:15:32 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.90 2006/06/16 15:16:16 momjian Exp $ -->

 <chapter id="client-authentication">
 <title>Client Authentication</title>
@ -372,6 +372,16 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        </listitem>
       </varlistentry>

+       <varlistentry>
+        <term><literal>ldap</></term>
+        <listitem>
+         <para>
+          Authenticate using LDAP to a central server. See <xref
+          linkend="auth-ldap"> for details.
+         </para>
+        </listitem>
+       </varlistentry>
+
       <varlistentry>
        <term><literal>pam</></term>
        <listitem>
@ -896,6 +906,56 @@ omicron       bryanh            guest1
   </sect3>
  </sect2>

+  <sect2 id="auth-ldap">
+   <title>LDAP authentication</title>
+
+   <indexterm zone="auth-ldap">
+    <primary>LDAP</primary>
+   </indexterm>
+
+   <para>
+    This authentication method operates similarly to
+    <literal>password</literal> except that it uses LDAP
+    as the authentication method. LDAP is used only to validate
+    the user name/password pairs. Therefore the user must already
+    exist in the database before LDAP can be used for
+    authentication. The server and parameters used are specified
+    after the <literal>ldap</> key word in the file
+    <filename>pg_hba.conf</filename>. The format of this parameter is:
+    <synopsis>
+ldap[<replaceable>s</>]://<replaceable>servername</>[:<replaceable>port</>]/<replaceable>base dn</replaceable>[;<replaceable>prefix</>[;<replaceable>suffix</>]]
+    </synopsis>
+    for example:
+    <synopsis>
+ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\
+    </synopsis>
+
+   </para>
+   <para>
+    If <literal>ldaps</> is specified instead of <literal>ldap</>,
+    TLS encryption will be enabled for the connection. Note that this
+    will encrypt only the connection between the PostgreSQL server
+    and the LDAP server. The connection between the client and the
+    PostgreSQL server is not affected by this setting. To make use of
+    TLS encryption, you may need to configure the LDAP library prior
+    to configuring PostgreSQL.
+   </para>
+   <para>
+    If no port is specified, the default port as configured in the
+    LDAP library will be used.
+   </para>
+   <para>
+    The server will bind to the distinguished name specified as
+    <replaceable>base dn</> using the username supplied by the client.
+    If <replaceable>prefix</> and <replaceable>suffix</> is 
+    specified, it will be prepended and appended to the username
+    before the bind. Typically, the prefix parameter is used to specify
+    <replaceable>cn=</>, or <replaceable>DOMAIN\</> in an Active
+    Directory environment.
+   </para>
+   
+  </sect2>
+
  <sect2 id="auth-pam">
   <title>PAM authentication</title>

--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.256 2006/04/25 15:19:16 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.257 2006/06/16 15:16:16 momjian Exp $ -->

 <chapter id="installation">
 <title><![%standalone-include[<productname>PostgreSQL</>]]>
@ -279,7 +279,8 @@ su - postgres

    <listitem>
     <para>
-      <application>Kerberos</>, <productname>OpenSSL</>, and/or
+      <application>Kerberos</>, <productname>OpenSSL</>, 
+      <productname>OpenLDAP</>, and/or
      <application>PAM</>, if you want to support authentication or
      encryption using these services.
     </para>
@ -848,6 +849,21 @@ su - postgres
       </listitem>
      </varlistentry>

+      <varlistentry>
+       <term><option>--with-ldap</option></term>
+       <listitem>
+        <para>
+         Build with <acronym>LDAP</><indexterm><primary>LDAP</></>
+         authentication support. On Unix, this requires the
+         <productname>OpenLDAP</> package to be installed.
+         <filename>configure</> will check for the required header files
+         and libraries to make sure that your <productname>OpenLDAP</>
+         installation is sufficient before proceeding. On Windows,
+         the default <productname>WinLDAP</> library is used.
+        </para>
+       </listitem>
+      </varlistentry>
+
      <varlistentry>
       <term><option>--with-libedit-preferred</option></term>
       <listitem>