On Sun, Mar 12, 2023 at 08:36:53PM -0400, Stephen Frost wrote:
> > When the server is on a non-Windows platform then the server must use GSSAPI
> > if it wants to authenticate the client either via Kerberos or via Active
> > Directory. A client on a Windows platform that connects to a non-Windows
> > PostgreSQL server can either use SSPI (strongly encouraged) or GSS (much
> > more difficult to set up) if it wants to authenticate via Kerberos or Active
> > Directory. A client from a non-Windows platform must use GSS if it wants to
> > authenticate via Kerberos or Active Directory."
>
> Rather than work in negative, I feel like it might make more sense to
> work in positives? That is, perhaps this instead:
>
> On Windows platforms, SSPI is the default and most commonly used
> mechanism. Note that an SSPI client can authenticate to a server which
> is using either SSPI or GSSAPI, and a GSSAPI client can authenticate to
> a server which is using either SSPI or GSSAPI. Generally speaking,
> clients and servers on Windows are recommended to use SSPI while clients
> and servers on Unix (non-Windows) platforms use GSSAPI.

I developed the attached patch.
--
Bruce Momjian <[email protected]> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
new file mode 100644
index a72f80f..fa53a0f
*** a/doc/src/sgml/client-auth.sgml
--- b/doc/src/sgml/client-auth.sgml
*************** omicron bryanh
*** 1505,1514 ****
<literal>negotiate</literal> mode, which will use
<productname>Kerberos</productname> when possible and automatically
fall back to <productname>NTLM</productname> in other cases.
! <productname>SSPI</productname> authentication only works when both
! server and client are running <productname>Windows</productname>,
! or, on non-Windows platforms, when <productname>GSSAPI</productname>
! is available.
</para>
<para>
--- 1505,1514 ----
<literal>negotiate</literal> mode, which will use
<productname>Kerberos</productname> when possible and automatically
fall back to <productname>NTLM</productname> in other cases.
! <productname>SSPI</productname> and <productname>GSSAPI</productname>
! interoperate as clients and servers. It is recommended to use
! <productname>SSPI</productname> on Windows clients and servers and
! <productname>GSSAPI</productname> on non-Windows platforms.
</para>
<para>
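
Review bot: In the replacement paragraph, "interoperate as clients and servers" comes directly after the sentence about negotiate mode falling back to NTLM, and it does not say whether the interoperation covers only Kerberos or the NTLM fallback as well. It also leaves the direction implicit, whereas the wording proposed earlier in the thread spelled out that an SSPI client can authenticate to a server using either SSPI or GSSAPI, and a GSSAPI client likewise. Suggest stating both directions explicitly and naming the mechanism the sentence applies to, so a reader does not infer that every negotiate-mode outcome works across the two APIs. The last sentence would also read more evenly as "on non-Windows clients and servers", matching the Windows half.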