On Wed, Sep 27, 2023 at 07:09:02PM -0400, Bruce Momjian wrote:
> On Sun, Mar 12, 2023 at 08:36:53PM -0400, Stephen Frost wrote:
> > > When the server is on a non-Windows platform then the server must use GSSAPI
> > > if it wants to authenticate the client either via Kerberos or via Active
> > > Directory. A client on a Windows platform that connects to a non-Windows
> > > PostgreSQL server can either use SSPI (strongly encouraged) or GSS (much
> > > more difficult to set up) if it wants to authenticate via Kerberos or Active
> > > Directory. A client from a non-Windows platform must use GSS if it wants to
> > > authenticate via Kerberos or Active Directory."
> > 
> > Rather than work in negative, I feel like it might make more sense to
> > work in positives?  That is, perhaps this instead:
> > 
> > On Windows platforms, SSPI is the default and most commonly used
> > mechanism.  Note that an SSPI client can authenticate to a server which
> > is using either SSPI or GSSAPI, and a GSSAPI client can authenticate to
> > a server which is using either SSPI or GSSAPI.  Generally speaking,
> > clients and servers on Windows are recommended to use SSPI while clients
> > and servers on Unix (non-Windows) platforms use GSSAPI.
> 
> I developed the attached patch.

My first attempt was too terse, so here is a more detailed version,
attached.

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index a72f80f033..9d1e7d63ef 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1505,10 +1505,12 @@ omicron         bryanh                  guest1
     <literal>negotiate</literal> mode, which will use
     <productname>Kerberos</productname> when possible and automatically
     fall back to <productname>NTLM</productname> in other cases.
-    <productname>SSPI</productname> authentication only works when both
-    server and client are running <productname>Windows</productname>,
-    or, on non-Windows platforms, when <productname>GSSAPI</productname>
-    is available.
+    <productname>SSPI</productname> and <productname>GSSAPI</productname>
+    interoperate as clients and servers, e.g., an
+    <productname>SSPI</productname> client can authenticate to an
+    <productname>GSSAPI</productname> server.  It is recommended to use
+    <productname>SSPI</productname> on Windows clients and servers and
+    <productname>GSSAPI</productname> on non-Windows platforms.
    </para>
 
    <para>
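
Review bot: In the added sentence, "an <productname>GSSAPI</productname> server" should read "a GSSAPI server", matching the "a GSSAPI client" wording quoted earlier in the thread. The example also gives only one direction (SSPI client to GSSAPI server), while the wording proposed upthread states both directions; consider adding the reverse case so readers do not conclude that interoperation is one-way. Because the new text directly follows the sentence about falling back to NTLM, it would also help to say which mechanism the interoperation applies to, since the quoted discussion frames it in terms of Kerberos and Active Directory.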
