Chapter 18. Client Authentication

Table of Contents

18.1. The lt_hba.conf File
18.2. User Name Maps
18.3. Authentication Methods
18.4. Trust Authentication
18.5. Password Authentication
18.6. GSSAPI Authentication
18.7. SSPI Authentication
18.8. Ident Authentication
18.9. Peer Authentication
18.10. LDAP Authentication
18.11. RADIUS Authentication
18.12. Certificate Authentication
18.13. PAM Authentication
18.14. BSD Authentication
18.15. Authentication Problems

When a client application connects to the database server, it specifies which LightDB database user name it wants to connect as, much the same way one logs into a Unix computer as a particular user. Within the SQL environment the active database user name determines access privileges to database objects — see Chapter 19 for more information. Therefore, it is essential to restrict which database users can connect.

Note

As explained in Chapter 19, LightDB actually does privilege management in terms of roles. In this chapter, we consistently use database user to mean role with the LOGIN privilege.

Authentication is the process by which the database server establishes the identity of the client, and by extension determines whether the client application (or the user who runs the client application) is permitted to connect with the database user name that was requested.

LightDB offers a number of different client authentication methods. The method used to authenticate a particular client connection can be selected on the basis of (client) host address, database, and user.

LightDB database user names are logically separate from user names of the operating system in which the server runs. If all the users of a particular server also have accounts on the server's machine, it makes sense to assign database user names that match their operating system user names. However, a server that accepts remote connections might have many database users who have no local operating system account, and in such cases there need be no connection between database user names and OS user names.