Re: Use AD-account as login into Postgres.

Am 09.02.24 um 20:31 schrieb Pär Mattsson:
> Yes this is a complete windows installation of Postgres and they will
> use ad-login account into the database
>
> Mvh Pär
> ------------------------------------------------------------------------
> *Från:* Holger Jakobs <holger(at)jakobs(dot)com>
> *Skickat:* fredag, februari 9, 2024 20:05
> *Till:* pgsql-admin(at)lists(dot)postgresql(dot)org
> <pgsql-admin(at)lists(dot)postgresql(dot)org>
> *Ämne:* Re: Use AD-account as login into Postgres.
> Am 09.02.24 um 19:31 schrieb Pär Mattsson:
>> Hi!
>> Is it only to config in hba.conf the connection info,  to use
>> AD-accounts to login in postgres.
>> This is a windows/postres intallation 🤦‍♂️✌️
>>
>> Mvh Pär
>> +46706069645
>
> Hi,
>
> Short answer: No!
>
> SSPI using AD accounts for authentication works only in a complete
> Windows environment. The client and the server machine have to be
> member of the same AD environment, which isn't possible for
> non-Windows machines. Otherwise, there is no trust between the machines.
>
> An automatic creation of PostgreSQL roles from AD accounts has to be
> done outside PostgreSQL, i. e. by a script running regularly.
>
> A couple of years ago, I wrote such a script for a customer.
>
> Regards,
>
> Holger
>
If that's the case, create all the necessary roles (groups, users) in
PostgreSQL matching entries in pg_hba.conf and mapping entries in
pg_ident, so that Windows users can connect to the database without
needing to authenticate again.

It's a nice way of providing single sign-on.

Regards,

Holger

> --
> Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012

--
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012