R: Linux Postgres authentication against active directory

From: "Ronzani Dario" <dario(dot)ronzani(at)oword(dot)it>
To: <pgsql-general(at)postgresql(dot)org>
Subject: R: Linux Postgres authentication against active directory
Date: 2005-08-18 12:15:36
Message-ID: !~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAALd57argJ9UGDQfooa9N8nMKAAAAQAAAAnHfK6NX6xUGwQkFC/Y0OzQEAAAAA@oword.it
Lists: pgsql-general

Finally I followed your suggestion: I use LDAP and it seems to work (for now).
Thanks for your help,
dario

> -----Original Message-----
> From: pgsql-general-owner(at)postgresql(dot)org
> [mailto:pgsql-general-owner(at)postgresql(dot)org] On behalf of
> Magnus Hagander
> Sent: Monday, 15 August 2005 21:01
> To: Ronzani Dario; pgsql-general(at)postgresql(dot)org
> Subject: Re: [GENERAL] Linux Postgres authentication against
> active directory
>
>
> > > > Actually I am trying to authenticate my Linux Postgres installation
> > > > against Active Directory; I found 3 solutions to use:
> > > >
> > > > 1) LDAP
> > > > 2) Pam and Kerberos
> > > > 3) Kerberos alone
> > >
> > > (3) is the one I've been using, and it works very well. I've been
> > > working on a HOWTO, but it's not done yet.
> > >
> > > Note that if your clients are on win32, you need at least version
> > > 8.0.2.
> >
> > Great to know that someone is able to use this solution. I
> > don't have any client; my application is a web (php, java)
> > application with a request for AD (or ldap, depending on the
> > customer) user authentication.
>
> The easiest way around that is to authenticate the user to
> the webserver, and then use a single account to connect to
> the database (or a couple, depending on group membership, or
> whatever suits your app).
>
>
> > > Naturally you will have to recreate the service account in
> > > AD with the proper SPN.
> >
> > My fear is that I have misunderstood how kerberos works. I
> > understand that I must kerberize the postgres application
> > to give it access to AD; then do I need to put a principal
> > on any user that needs to authenticate?
>
> No, you do not need to kerberize postgres to access AD. If
> you want to "check AD passwords", it's probably best to use LDAP.
>
> Kerberos is used to achieve *single sign on*. Meaning your
> app never sees the password. If this is not what you need,
> it's overly complex.
>
> Any user who needs to authenticate needs a principal, yes.
> That's their normal Windows account. On top of that, every
> *service* the user should authenticate *to* also needs a
> principal - for mutual authentication.
>
> If your client connects to your webserver only, your webserver
> needs this principal. If the clients connect to the database
> server, the database server needs it. There is apparently
> some way if you use mod_perl to forward kerberos credentials
> from the webserver to the database server, but I don't know
> any details about that.
>
> But again, if you intend to provide a userid/password box to
> the user and then authenticate those credentials, it's going
> to be a lot easier to use for example LDAP.
>
> You can, of course, use kerberos between your webserver and
> the database server, but that's most likely an overkill as
> you'll only be able to access it as a single user anyway (I think).
>
>
> > This is my principal on the linux box; as you say (I think), I
> > created this principal in uppercase:
> >
> > ktutil: rkt /usr/etc/postgresql/krb5.keytab
> > ktutil: list
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------
> > 1 3 POSTGRES/onet003(at)OWORD(dot)LOCAL
> > 2 3 RONZANID/onet003(at)OWORD(dot)LOCAL
>
> The postgres keytab only needs the POSTGRES principal. The
> other is your user (I assume), and it should not be stored
> *anywhere* - only transient while you are logged in.
>
>
> > May be my problem was related with this compilation line?
> >
> > checking for library containing com_err... -lkrb5
> > checking for library containing krb5_encrypt... none required
> > checking for library containing krb5_sendauth... none required
> > checking krb5.h usability... yes
> > checking krb5.h presence... yes
> > checking for krb5.h... yes
> > checking for krb5_ticket.enc_part2... yes
> > checking for krb5_error.text.data... yes
> >
> > Particularly I refer to krb5_encrypt and krb5_sendauth.
>
> No, that looks correct. It just means that they were found in
> the krb5 library, and no *additional* libraries are needed.
> If you were missing the required libs, you'd get an error and
> not just a notice.
>
>
> > With more debug I received this error when I try to authenticate.
> >
> > postgres: Bad application version was sent (via
> > sendauth) from krb5_recvauth
>
> That probably indicates that your server has a different
> principal name than the client (libpq library).
>
>
> //Magnus
>
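A small check for the point Magnus makes above about the server keytab: it should hold only the service principal, never a user's key, and its name must match the client's exactly (principal names are case-sensitive). This is added example code, not from the thread; it parses ktutil "list" output in the format quoted above (the sample below is constructed to mirror it) and flags any entry that is not the expected SERVICE/host@REALM.

```python
import re

# Constructed sample mirroring the ktutil "list" output quoted in the thread:
# POSTGRES/... is the service key; RONZANID/... is a user key that should not
# be stored in a server keytab at all.
KTUTIL_LIST_OUTPUT = """\
slot KVNO Principal
---- ---- ------------------------------------------------------------------
   1    3 POSTGRES/onet003@OWORD.LOCAL
   2    3 RONZANID/onet003@OWORD.LOCAL
"""

# One keytab entry: slot number, key version number, principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_ktutil_list(text):
    """Return (slot, kvno, principal) tuples from ktutil 'list' output."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in (ENTRY_RE.match(line) for line in text.splitlines()) if m]


def audit_keytab(entries, service, host, realm):
    """Return (principal, reason) findings for a server keytab.

    Only SERVICE/host@REALM belongs here; every other entry is a long-lived
    key sitting on the server, and a case or realm mismatch means the client
    and server will disagree on the service principal name."""
    expected = f"{service}/{host}@{realm}"
    findings = []
    for _slot, _kvno, principal in entries:
        if principal == expected:
            continue
        name_part, _, realm_part = principal.partition("@")
        if realm_part != realm:
            findings.append((principal, f"realm {realm_part!r} is not {realm!r}"))
        elif name_part.upper() == f"{service}/{host}".upper():
            findings.append((principal, "service principal differs only in case; "
                                        "client and server names must match exactly"))
        else:
            findings.append((principal, "not the service principal; looks like a "
                                        "user key stored on the server"))
    if not any(p == expected for _, _, p in entries):
        findings.append((expected, "expected service principal is missing"))
    return findings


if __name__ == "__main__":
    for principal, reason in audit_keytab(parse_ktutil_list(KTUTIL_LIST_OUTPUT),
                                          "POSTGRES", "onet003", "OWORD.LOCAL"):
        print(f"{principal}: {reason}")
```

On a real box, feed it the output of `ktutil` (`rkt <keytab>` then `list`) instead of the constructed sample.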
