From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Mike Feld <m1f7(at)aol(dot)com>, pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: psycopg2 and java gssapi questions |
Date: | 2017-12-21 11:19:13 |
Message-ID: | 20171221111913.GY4628@tamriel.snowman.net |
Lists: | pgsql-general |
Magnus, Mike,

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> On Wed, Dec 20, 2017 at 8:42 PM, Mike Feld <m1f7(at)aol(dot)com> wrote:
>
> > Is it possible to authenticate with Postgres from a standalone application
> > using gssapi? In other words, I am able to authenticate with Postgres when
> > a human has logged in to either Windows or Linux and generated a ticket,
> > but is it possible for say a Django site or Java application running on
> > some server somewhere to authenticate with Postgres using gssapi? I realize
> > that psycopg2 has a connection parameter for “krbsrvname”, but how does it
> > generate a ticket? Is this the only alternative to secure authentication
> > since Postgres does not support secure ldap (ldaps)?
>
> Sure it is.

Yup.

> libpq won't generate the initial ticket, though. The way to do it is to
> have your django or whatever application run "kinit" for the user before it
> starts. This will request a TGT, and the ticket will be present in that
> user's environment, and will be used by the libpq client. (it might look
> slightly different for a Java client, but the principle is the same)

You would actually want to use a keytab and then kstart/k5start to make
sure that you've always got a valid ticket. Just doing a kinit would
mean that the TGT will eventually expire and cause connections to fail.

Thanks!

Stephen
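
Added example, not part of the original message: a launcher sketch for the keytab plus k5start approach described above, which refuses a keytab that group or other can access, builds the k5start command line that wraps the application, and builds a password-less libpq connection string using the `krbsrvname` parameter from the thread. The cache path, host, database, role and wrapped command are hypothetical.

```python
import os
import stat
import tempfile


def check_keytab(path):
    """A keytab is a long-term credential: reject one that group/other can access."""
    mode = os.stat(path).st_mode
    if not stat.S_ISREG(mode):
        raise ValueError(f"{path} is not a regular file")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other; chmod 600 it")
    return path


def k5start_argv(keytab, ccache, app_argv, check_minutes=10):
    """argv that runs app_argv under k5start, which keeps the ticket in ccache valid."""
    return [
        "k5start",
        "-f", check_keytab(keytab),  # authenticate from the keytab, no password prompt
        "-U",                        # take the principal from the keytab's first entry
        "-k", ccache,                # ticket cache libpq in the child reads (KRB5CCNAME)
        "-K", str(check_minutes),    # wake up this often and re-obtain a ticket if needed
        "--", *app_argv,
    ]


def _quote(value):
    """Quote a libpq connection-string value."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"


def gss_dsn(host, dbname, user, krbsrvname="postgres"):
    """Connection string with no password: libpq authenticates with the cached ticket."""
    params = {"host": host, "dbname": dbname, "user": user, "krbsrvname": krbsrvname}
    return " ".join(f"{k}={_quote(v)}" for k, v in params.items())


if __name__ == "__main__":
    # Constructed stand-in for a real keytab so the demo runs anywhere.
    fd, keytab = tempfile.mkstemp(suffix=".keytab")  # mkstemp creates it mode 0600
    os.close(fd)
    print(k5start_argv(keytab, "/tmp/krb5cc_app", ["gunicorn", "site.wsgi"]))
    print(gss_dsn("db.example.internal", "appdb", "app_svc"))  # pass to psycopg2.connect()
    os.unlink(keytab)
```

In a real deployment the returned argv would be handed to `os.execvp` or written into the service unit, so the application only ever sees the ticket cache and never the keytab contents.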