File: runtime-config-connection.html

pgadmin3 1.4.3-2
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>17.3. Connections and Authentication</title>
<link rel="stylesheet" href="stylesheet.css" type="text/css">
<link rev="made" href="pgsql-docs@postgresql.org">
<meta name="generator" content="DocBook XSL Stylesheets V1.70.0">
<link rel="start" href="index.html" title="PostgreSQL 8.1.4 Documentation">
<link rel="up" href="runtime-config.html" title="Chapter 17. Server Configuration">
<link rel="prev" href="runtime-config-file-locations.html" title="17.2. File Locations">
<link rel="next" href="runtime-config-resource.html" title="17.4. Resource Consumption">
<link rel="copyright" href="ln-legalnotice.html" title="Legal Notice">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="runtime-config-connection"></a>17.3. Connections and Authentication</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="runtime-config-connection-settings"></a>17.3.1. Connection Settings</h3></div></div></div>
<div class="variablelist"><dl>
<dt>
<a name="guc-listen-addresses"></a><span class="term"><code class="varname">listen_addresses</code> (<code class="type">string</code>)</span>
</dt>
<dd><p>         Specifies the TCP/IP address(es) on which the server is
         to listen for connections from client applications.  
         The value takes the form of a comma-separated list of host names
         and/or numeric IP addresses.  The special entry <code class="literal">*</code>
         corresponds to all available IP interfaces.
         If the list is empty, the server does not listen on any IP interface
         at all, in which case only Unix-domain sockets can be used to connect
         to it.
         The default value is <span class="systemitem">localhost</span>,
         which allows only local &#8220;<span class="quote">loopback</span>&#8221; connections to be made.
         This parameter can only be set at server start.
       </p></dd>
<dt>
<a name="guc-port"></a><span class="term"><code class="varname">port</code> (<code class="type">integer</code>)</span>
</dt>
<dd><p>        The TCP port the server listens on; 5432 by default.  Note that the
        same port number is used for all IP addresses the server listens on.
        This parameter can only be set at server start.
       </p></dd>
<dt>
<a name="guc-max-connections"></a><span class="term"><code class="varname">max_connections</code> (<code class="type">integer</code>)</span>
</dt>
<dd>
<p>        Determines the maximum number of concurrent connections to the
        database server. The default is typically 100, but may be less
        if your kernel settings will not support it (as determined
        during <span class="application">initdb</span>).  This parameter can only be
        set at server start.
       </p>
<p>        Increasing this parameter may cause <span class="productname">PostgreSQL</span>
        to request more <span class="systemitem">System V</span> shared
        memory or semaphores than your operating system's default configuration
        allows. See <a href="kernel-resources.html#sysvipc" title="16.4.1. Shared Memory and Semaphores">Section 16.4.1, &#8220;Shared Memory and Semaphores&#8221;</a> for information on how to
        adjust those parameters, if necessary.
       </p>
</dd>
<dt>
<a name="guc-superuser-reserved-connections"></a><span class="term"><code class="varname">superuser_reserved_connections</code>
      (<code class="type">integer</code>)</span>
</dt>
<dd>
<p>        Determines the number of connection &#8220;<span class="quote">slots</span>&#8221; that
        are reserved for connections by <span class="productname">PostgreSQL</span>
        superusers.  At most <a href="runtime-config-connection.html#guc-max-connections">max_connections</a>
        connections can ever be active simultaneously.  Whenever the
        number of active concurrent connections is at least
        <code class="varname">max_connections</code> minus
        <code class="varname">superuser_reserved_connections</code>, new
        connections will be accepted only for superusers.
       </p>
<p>        The default value is 2. The value must be less than the value of
        <code class="varname">max_connections</code>. This parameter can only be
        set at server start.
       </p>
</dd>
<dt>
<a name="guc-unix-socket-directory"></a><span class="term"><code class="varname">unix_socket_directory</code> (<code class="type">string</code>)</span>
</dt>
<dd><p>        Specifies the directory of the Unix-domain socket on which the
        server is to listen for
        connections from client applications.  The default is normally
        <code class="filename">/tmp</code>, but can be changed at build time.
        This parameter can only be set at server start.
       </p></dd>
<dt>
<a name="guc-unix-socket-group"></a><span class="term"><code class="varname">unix_socket_group</code> (<code class="type">string</code>)</span>
</dt>
<dd><p>        Sets the owning group of the Unix-domain socket.  (The owning
        user of the socket is always the user that starts the
        server.)  In combination with the option
        <code class="varname">unix_socket_permissions</code> this can be used as
        an additional access control mechanism for Unix-domain connections.
        By default this is the empty string, which uses the default
        group for the current user.  This option can only be set at
        server start.
       </p></dd>
<dt>
<a name="guc-unix-socket-permissions"></a><span class="term"><code class="varname">unix_socket_permissions</code> (<code class="type">integer</code>)</span>
</dt>
<dd>
<p>        Sets the access permissions of the Unix-domain socket.  Unix-domain
        sockets use the usual Unix file system permission set.
        The option value is expected to be a numeric mode
        specification in the form accepted by the
        <code class="function">chmod</code> and <code class="function">umask</code>
        system calls.  (To use the customary octal format the number
        must start with a <code class="literal">0</code> (zero).)
       </p>
<p>        The default permissions are <code class="literal">0777</code>, meaning
        anyone can connect. Reasonable alternatives are
        <code class="literal">0770</code> (only user and group, see also
        <code class="varname">unix_socket_group</code>) and <code class="literal">0700</code>
        (only user). (Note that for a Unix-domain socket, only write
        permission matters and so there is no point in setting or revoking
        read or execute permissions.)
       </p>
<p>        This access control mechanism is independent of the one
        described in <a href="client-authentication.html" title="Chapter 20. Client Authentication">Chapter 20, <i>Client Authentication</i></a>.
       </p>
<p>        This option can only be set at server start.
       </p>
</dd>
<dt>
<a name="guc-bonjour-name"></a><span class="term"><code class="varname">bonjour_name</code> (<code class="type">string</code>)</span>
</dt>
<dd><p>        Specifies the <span class="productname">Bonjour</span> broadcast
        name.  The default is the empty string '', in which case the
        computer name is used.  This option is ignored if the server was not
        compiled with <span class="productname">Bonjour</span> support.  This
        option can only be set at server start.
       </p></dd>
<dt>
<a name="guc-tcp-keepalives-idle"></a><span class="term"><code class="varname">tcp_keepalives_idle</code> (<code class="type">integer</code>)</span>
</dt>
<dd><p>        On systems that support the <code class="symbol">TCP_KEEPIDLE</code> socket option, specifies the
        number of seconds between sending keepalives on an otherwise idle
        connection. A value of 0 uses the system default. If <code class="symbol">TCP_KEEPIDLE</code> is
        not supported, this parameter must be 0. This option is ignored for
        connections made via a Unix-domain socket.
       </p></dd>
<dt>
<a name="guc-tcp-keepalives-interval"></a><span class="term"><code class="varname">tcp_keepalives_interval</code> (<code class="type">integer</code>)</span>
</dt>
<dd><p>        On systems that support the <code class="symbol">TCP_KEEPINTVL</code> socket option, specifies how
        long, in seconds, to wait for a response to a keepalive before
        retransmitting. A value of 0 uses the system default. If <code class="symbol">TCP_KEEPINTVL</code>
        is not supported, this parameter must be 0. This option is ignored
        for connections made via a Unix-domain socket.
       </p></dd>
<dt>
<a name="guc-tcp-keepalives-count"></a><span class="term"><code class="varname">tcp_keepalives_count</code> (<code class="type">integer</code>)</span>
</dt>
<dd><p>        On systems that support the <code class="symbol">TCP_KEEPCNT</code> socket option, specifies how
        many keepalives may be lost before the connection is considered dead. 
        A value of 0 uses the system default. If <code class="symbol">TCP_KEEPCNT</code> is not
        supported, this parameter must be 0. This option is ignored
        for connections made via a Unix-domain socket.
       </p></dd>
</dl></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="runtime-config-connection-security"></a>17.3.2. Security and Authentication</h3></div></div></div>
<div class="variablelist"><dl>
<dt>
<a name="guc-authentication-timeout"></a><span class="term"><code class="varname">authentication_timeout</code> (<code class="type">integer</code>)</span>
</dt>
<dd><p>        Maximum time to complete client authentication, in seconds. If a
        would-be client has not completed the authentication protocol in
        this much time, the server breaks the connection. This prevents
        hung clients from occupying a connection indefinitely. This
        option can be set at server start or in the
        <code class="filename">postgresql.conf</code> file. The default is 60.
       </p></dd>
<dt>
<a name="guc-ssl"></a><span class="term"><code class="varname">ssl</code> (<code class="type">boolean</code>)</span>
</dt>
<dd><p>        Enables <acronym class="acronym">SSL</acronym> connections. Please read
        <a href="ssl-tcp.html" title="16.7. Secure TCP/IP Connections with SSL">Section 16.7, &#8220;Secure TCP/IP Connections with SSL&#8221;</a> before using this. The default
        is <code class="literal">off</code>. This parameter can only be set at server
        start.
       </p></dd>
<dt>
<a name="guc-password-encryption"></a><span class="term"><code class="varname">password_encryption</code> (<code class="type">boolean</code>)</span>
</dt>
<dd><p>        When a password is specified in <a href="sql-createuser.html">CREATE USER</a> or
        <a href="sql-alteruser.html">ALTER USER</a>
        without writing either <code class="literal">ENCRYPTED</code> or
        <code class="literal">UNENCRYPTED</code>, this option determines whether the
        password is to be encrypted. The default is <code class="literal">on</code>
        (encrypt the password).
       </p></dd>
<dt>
<a name="guc-krb-server-keyfile"></a><span class="term"><code class="varname">krb_server_keyfile</code> (<code class="type">string</code>)</span>
</dt>
<dd><p>        Sets the location of the Kerberos server key file. See
        <a href="auth-methods.html#kerberos-auth" title="20.2.3. Kerberos authentication">Section 20.2.3, &#8220;Kerberos authentication&#8221;</a> for details. This parameter
        can only be set at server start.
       </p></dd>
<dt>
<a name="guc-krb-srvname"></a><span class="term"><code class="varname">krb_srvname</code> (<code class="type">string</code>)</span>
</dt>
<dd><p>        Sets the Kerberos service name. See <a href="auth-methods.html#kerberos-auth" title="20.2.3. Kerberos authentication">Section 20.2.3, &#8220;Kerberos authentication&#8221;</a>
        for details.  This parameter can only be set at server start.
       </p></dd>
<dt>
<a name="guc-krb-server-hostname"></a><span class="term"><code class="varname">krb_server_hostname</code> (<code class="type">string</code>)</span>
</dt>
<dd>
<p>        Sets the host name part of the service principal.
        This, combined with <code class="varname">krb_srvname</code>, is used to generate
        the complete service principal, that is
        <code class="varname">krb_srvname</code><code class="literal">/</code><code class="varname">krb_server_hostname</code><code class="literal">@</code>REALM.
       </p>
<p>        If not set, the default is the server host name.  See <a href="auth-methods.html#kerberos-auth" title="20.2.3. Kerberos authentication">Section 20.2.3, &#8220;Kerberos authentication&#8221;</a>
        for details.  This parameter can only be set at server start.
       </p>
</dd>
<dt>
<a name="guc-krb-caseins-users"></a><span class="term"><code class="varname">krb_caseins_users</code> (<code class="type">boolean</code>)</span>
</dt>
<dd><p>        Sets whether Kerberos user names should be treated case-insensitively.
        The default is <code class="literal">off</code> (case sensitive). This parameter
        can only be set at server start.
       </p></dd>
<dt>
<a name="guc-db-user-namespace"></a><span class="term"><code class="varname">db_user_namespace</code> (<code class="type">boolean</code>)</span>
</dt>
<dd>
<p>        This enables per-database user names.  It is off by default.
       </p>
<p>        If this is on, you should create users as <code class="literal">username@dbname</code>.
        When <code class="literal">username</code> is passed by a connecting client,
        <code class="literal">@</code> and the database name are appended to the user
        name and that database-specific user name is looked up by the
        server. Note that when you create users with names containing
        <code class="literal">@</code> within the SQL environment, you will need to
        quote the user name.
       </p>
<p>        With this option enabled, you can still create ordinary global
        users.  Simply append <code class="literal">@</code> when specifying the user
        name in the client.  The <code class="literal">@</code> will be stripped off
        before the user name is looked up by the server.
       </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>         This feature is intended as a temporary measure until a
         complete solution is found.  At that time, this option will
         be removed.
        </p>
</div>
</dd>
</dl></div>
</div>
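<p>The following configuration check is an added example, not part of the PostgreSQL documentation: it reads the connection and authentication parameters described in this section from a <code class="filename">postgresql.conf</code> and reports settings that widen access, including a <code class="varname">unix_socket_permissions</code> value written without the leading <code class="literal">0</code>. The sample file is constructed, the function names are hypothetical, and the parser assumes a simplified <code class="literal">name = value</code> syntax with integers read as C <code class="function">strtol</code> does in base 0.</p>

```python
import re

# Constructed sample postgresql.conf; parameter names are the ones documented above.
SAMPLE_CONF = """\
listen_addresses = 'localhost, *'
max_connections = 100
superuser_reserved_connections = 100
unix_socket_permissions = 770   # leading 0 forgotten, so this is decimal 770
#unix_socket_group = 'dbusers'
ssl = off
password_encryption = off
"""

def parse_conf(text):
    """Map name -> value for 'name = value' lines; comments and quotes are dropped."""
    pat = re.compile(r"\s*(\w+)(?:\s*=\s*|\s+)('[^']*'|[^\s#']+)")
    found = (pat.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2).strip("'") for m in found if m}

def parse_mode(value):
    """Assumed strtol(..., 0) rules: 0x is hex, leading 0 is octal, else decimal."""
    if value.lower().startswith("0x"):
        return int(value, 16)
    return int(value, 8) if value.startswith("0") else int(value, 10)

def is_on(value):
    return value.lower() in ("on", "true", "yes", "1")

def audit(conf):
    """Return findings for the connection and authentication settings on this page."""
    out = []
    addrs = [a.strip() for a in conf.get("listen_addresses", "localhost").split(",")]
    remote = any(a not in ("", "localhost", "127.0.0.1", "::1") for a in addrs)
    if "*" in addrs:
        out.append("listen_addresses: '*' listens on all available IP interfaces")
    if remote and not is_on(conf.get("ssl", "off")):
        out.append("ssl: off while listening on non-loopback addresses")
    mode = parse_mode(conf.get("unix_socket_permissions", "0777"))
    if mode & 0o002:  # only the write bit controls who may connect
        out.append("unix_socket_permissions: %04o lets any local user connect" % mode)
    elif mode & 0o020 and not conf.get("unix_socket_group"):
        out.append("unix_socket_permissions: group may connect, unix_socket_group unset")
    if not is_on(conf.get("password_encryption", "on")):
        out.append("password_encryption: off stores passwords unencrypted by default")
    if int(conf.get("superuser_reserved_connections", 2)) >= int(conf.get("max_connections", 100)):
        out.append("superuser_reserved_connections: must be less than max_connections")
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse_conf(SAMPLE_CONF))))
```

<p>Decimal <code class="literal">770</code> is octal <code class="literal">1402</code>, which sets the write bit for others, so the socket stays open to every local user even though <code class="literal">0770</code> was intended.</p>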
</div></body>
</html>