RE: 9.6.9 Default configuration for a default installation but different with-krb-srvnam

From: Jean-Philippe Chenel <jp(dot)chenel(at)LIVE(dot)CA>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: RE: 9.6.9 Default configuration for a default installation but different with-krb-srvnam
Date: 2019-04-30 02:19:35
Message-ID: BYAPR03MB44855E91F30C9CE819D3A54EFD3A0@BYAPR03MB4485.namprd03.prod.outlook.com
Lists: pgsql-general

Dear Stephen,

You're absolutely right, the mapping works very well.

I've created 2 "service users" on Active Directory (postgres and postgres_dev), and generated the keytabs like this:

ktpass -out postgres_pg1.keytab -princ postgres/PGDOMT1.ad.com@AD.COM -mapUser AD\postgres -pass 'UserPass1' -mapOp add -crypto ALL -ptype KRB5_NT_PRINCIPAL

ktpass -out postgres_pg2.keytab -princ postgres/PGDOMT2.ad.com@AD.COM -mapUser AD\postgres_dev -pass 'UserPass2' -mapOp add -crypto ALL -ptype KRB5_NT_PRINCIPAL

Thank you very much for your help.

________________________________
From: Stephen Frost <sfrost(at)snowman(dot)net>
Sent: April 29, 2019 13:35
To: Jean-Philippe Chenel
Cc: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: 9.6.9 Default configuration for a default installation but different with-krb-srvnam

Greetings,

* Jean-Philippe Chenel (jp(dot)chenel(at)LIVE(dot)CA) wrote:
> If I understand, the mapping can be done in the pg_ident.conf file ?

No, you do the mapping in AD.

Look at the '/princ' and '/mapuser' options used in the ktpass command
here:

https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication

Thanks,

Stephen
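
The `-crypto ALL` option in the ktpass commands above asks for keys of every encryption type ktpass supports, so the resulting keytab can carry DES and RC4 keys next to the AES ones. The following is an added example, not part of either message: it parses a version 0x0502 keytab and lists the legacy-enctype entries. The sample keytab is constructed with dummy all-zero keys, and `parse_keytab`, `weak_entries` and `build_sample` are hypothetical names.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}  # single DES and RC4: legacy types to keep out of keytabs

def _counted(data, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        parts = []
        for _ in range(ncomp):
            text, p = _counted(data, p)
            parts.append(text)
        # 8x skips name type and timestamp; then 8-bit kvno, enctype, key length
        kvno, etype, klen = struct.unpack_from(">8xBHH", data, p)
        p += 13 + klen
        if pos + size - p >= 4:            # optional 32-bit kvno at the end
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(parts) + "@" + realm, kvno, etype))
        pos += size
    return entries

def weak_entries(data):  # (principal, enctype name) for each legacy-enctype key
    return [(pr, ENCTYPES.get(e, str(e))) for pr, _, e in parse_keytab(data) if e in WEAK]

def build_sample(parts, realm, kvno, etypes):
    """Constructed keytab with dummy all-zero 16-byte keys, for the demo only."""
    names = b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm] + parts)
    out = b"\x05\x02"
    for e in etypes:
        body = (struct.pack(">H", len(parts)) + names
                + struct.pack(">IIBHH", 1, 0, kvno, e, 16) + bytes(16))
        out += struct.pack(">i", len(body)) + body
    return out

SAMPLE = build_sample(["postgres", "PGDOMT1.ad.com"], "AD.COM", 3, [1, 3, 23, 17, 18])
```

Calling `weak_entries` on the bytes of a real keytab file (read in binary mode) gives the same report; an empty list means only AES keys are present.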
