Re: psycopg2 and java gssapi questions

What about when the ticket expires? Are there any libraries that manage this for the application? Is this common practice by anyone?

Mike

-----Original Message-----
From: Dave Cramer <pg(at)fastcrypt(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Mike Feld <m1f7(at)aol(dot)com>; pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org>
Sent: Thu, Dec 21, 2017 6:09 am
Subject: Re: psycopg2 and java gssapi questions

On 21 December 2017 at 05:27, Magnus Hagander <magnus(at)hagander(dot)net> wrote:

On Wed, Dec 20, 2017 at 8:42 PM, Mike Feld <m1f7(at)aol(dot)com> wrote:

Is it possible to authenticate with Postgres from astandalone application using gssapi? In other words, I am able to authenticatewith Postgres when a human has logged in to either Windows or Linux andgenerated a ticket, but is it possible for say a Django site or Javaapplication running on some server somewhere to authenticate with Postgresusing gssapi? I realize that psycopg2 has a connection parameter for “krbsrvname”,but how does it generate a ticket? Is this the only alternative to secure authentication since Postgres does not support secure ldap (ldaps)?

Sure it is.

libpq won't generate the initial ticket, though. The way to do it is to have your django or whatever application run "kinit" for the user before it starts. This will request a TGT, and the ticket will be present in that users environment, and will be used by the libpq client. (it might look slightly different for a Java client, but the principle is the same)

JDBC docs on GSSAPI can be found https://jdbc.postgresql.org/documentation/head/connect.html

Dave Cramer

davec(at)postgresintl(dot)com
www.postgresintl.com