From: | Jean-Philippe Chenel <jp(dot)chenel(at)LIVE(dot)CA> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | RE: 9.6.9 Default configuration for a default installation but different with-krb-srvnam |
Date: | 2019-04-30 02:19:35 |
Message-ID: | BYAPR03MB44855E91F30C9CE819D3A54EFD3A0@BYAPR03MB4485.namprd03.prod.outlook.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
Dear Stephen,
You're absolutely right, the mapping work very well.
I've created 2 "service user" on Active Directory (postgres and postgres_dev), and generated the keytab like this:
ktpass -out postgres_pg1.keytab -princ postgres/PGDOMT1(dot)ad(dot)com(at)AD(dot)COM -mapUser AD\postgres -pass 'UserPass1' -mapOp add -crypto ALL -ptype KRB5_NT_PRINCIPAL
ktpass -out postgres_pg2.keytab -princ postgres/PGDOMT2(dot)ad(dot)com(at)AD(dot)COM -mapUser AD\postgres_dev -pass 'UserPass2' -mapOp add -crypto ALL -ptype KRB5_NT_PRINCIPAL
Thank you very much for your help.
________________________________
De : Stephen Frost <sfrost(at)snowman(dot)net>
Envoyé : 29 avril 2019 13:35
À : Jean-Philippe Chenel
Cc : pgsql-general(at)lists(dot)postgresql(dot)org
Objet : Re: 9.6.9 Default configuration for a default installation but different with-krb-srvnam
Greetings,
* Jean-Philippe Chenel (jp(dot)chenel(at)LIVE(dot)CA) wrote:
> If I understand, the mapping can be done in the pg_ident.conf file ?
No, you do the mapping in AD.
Look at the '/princ' and '/mapuser' options used in the ktpass command
here:
https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication
How to setup Windows Active Directory with PostgreSQL GSSAPI Kerberos Authentication - info.crunchydata.com<https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication>
info.crunchydata.com
PostgreSQL provides a many authentications methods to allow you to pick the one that makes the most sense for your environment. This guide will show you how to use your Windows Active Directory to authenticate to PostgreSQL via GSSAPI Kerberos authentication.
Thanks,
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2019-04-30 02:21:54 | Re: 9.6.9 Default configuration for a default installation but different with-krb-srvnam |
Previous Message | Adrian Klaver | 2019-04-29 19:16:13 | Re: How to execute .sql file inside a postgres schema |