Re: psycopg2 and java gssapi questions

Magnus, Mike,

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> On Wed, Dec 20, 2017 at 8:42 PM, Mike Feld <m1f7(at)aol(dot)com> wrote:
>
> > Is it possible to authenticate with Postgres from a standalone application
> > using gssapi? In other words, I am able to authenticate with Postgres when
> > a human has logged in to either Windows or Linux and generated a ticket,
> > but is it possible for say a Django site or Java application running on
> > some server somewhere to authenticate with Postgres using gssapi? I realize
> > that psycopg2 has a connection parameter for “krbsrvname”, but how does it
> > generate a ticket? Is this the only alternative to secure authentication
> > since Postgres does not support secure ldap (ldaps)?
>
> Sure it is.

Yup.

> libpq won't generate the initial ticket, though. The way to do it is to
> have your django or whatever application run "kinit" for the user before it
> starts. This will request a TGT, and the ticket will be present in that
> users environment, and will be used by the libpq client. (it might look
> slightly different for a Java client, but the principle is the same)

You would actually want to use a keytab and then kstart/k5start to make
sure that you've always got a valid ticket. Just doing a kinit would
mean that the TGT will eventually expire and cause connections to fail.

Thanks!

Stephen