
Commit f4f69ad

nathanjrobertsontvdijen
authored and committed
Add documentation for UNIX socket connections
1 parent 74faf9f commit f4f69ad

File tree

1 file changed

+31
-0
lines changed

docs/sql.md

Lines changed: 31 additions & 0 deletions
@@ -180,6 +180,37 @@ Example query - SHA512 of salt + password, stored as salt (32 bytes) + sha256(sa
180180
)
181181
```
182182

183+
Connecting with UNIX Domain Sockets (Local Sockets)
184+
---------------------------------------------------
185+
186+
When on a UNIX-like platform (Linux, *BSD, etc), and when your SQL database server is running on the same host as the web server
187+
hosting SimpleSAMLphp, it is possible to use UNIX domain sockets instead of TCP sockets for the database connection. This
188+
configuration should result in marginally better performance and security (when configured correctly).
189+
190+
Here is an example using PostgreSQL:
191+
192+
```php
193+
'example-unix-socket-sql' => [
194+
'sqlauth:SQL',
195+
'dsn' => 'pgsql:host=/var/run/postgresql;dbname=simplesaml',
196+
'username' => 'www-data',
197+
'password' => 'this-is-ignored',
198+
'query' => 'SELECT uid, givenName, email, eduPersonPrincipalName FROM users WHERE uid = :username ' .
199+
'AND password = SHA2(CONCAT((SELECT salt FROM users WHERE uid = :username), :password), 256);',
200+
],
201+
```
202+
203+
Configuration is largely the same as TCP sockets (documented above), with the differences being:
204+
205+
`dsn`
206+
: The key difference is that the `host` parameter. This needs to be the **directory** that contains the socket file used to connect to the PostgreSQL server. For example, actual socket file might be `/var/run/postgresql/.s.PGSQL.5432`, so `host=/var/run/postgresql` is the parameter that you need. If you're struggling to find where the socket is, the `unix_socket_directories` parameter in the server `postgresql.conf` is where that location is configured.
207+
208+
`username`
209+
: The UNIX username of the user running SimpleSAMLphp (ie. the web server user or the php-fpm user, depending on your setup).
210+
211+
`password`
212+
: Required, but the value you specify is ignored (so you can put any placeholder string value in there). All authentication for UNIX domain sockets are done by the operating system kernel.
213+
183214
Security considerations
184215
-----------------------
185216
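Review bot: the example is introduced as PostgreSQL (the `dsn` is `pgsql:host=/var/run/postgresql;...`) but its `query` uses MySQL's `SHA2(CONCAT(...), 256)`, which PostgreSQL does not provide, so the example will fail at the first login attempt; either rewrite the query with PostgreSQL expressions (PostgreSQL has `sha256()` and `concat()`), matching the salt + sha256 layout in the section above, or say explicitly that the query shown is the MySQL form and must be adapted. The statement under `password` that "All authentication for UNIX domain sockets are done by the operating system kernel" only holds when the server's `pg_hba.conf` uses the `peer` method for `local` connections; with a password method such as `scram-sha-256` or `md5` the server still checks the supplied value, so the doc should name that prerequisite (and that the OS user must be mapped to a matching database role) instead of calling the value unconditionally ignored. Likewise "marginally better ... security (when configured correctly)" should say what correct configuration means here, at minimum that the socket directory is not writable by untrusted local users. Minor: the sentence "The key difference is that the `host` parameter." is unfinished, "ie." should be "i.e.", and "are done" should be "is done".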
