Re: GSSAPI authentication on Redhat8 and PostgreSQL15/16

From: Yee Yee ( 舒兰) <sweety(dot)soul7(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: GSSAPI authentication on Redhat8 and PostgreSQL15/16
Date: 2023-11-21 01:57:57
Message-ID: CAPiU01zjj9fffc7zJ5MWfqxh3Mi19VpPX_bU9=u4mGhoAuG9MA@mail.gmail.com
Lists: pgsql-admin

Hi Stephen,

Good morning, and thanks for the clarification.
Apologies for top-posting on these lists; however, I was not able to find
the subscription for pgsql-admin(at)postgresql(dot)org in the subscription list.
As a result, I replied to the above email. I will start a new email thread
if I have any questions or doubts.

Regards,
Yee Yee

On Mon, Nov 20, 2023 at 7:53 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> Greetings,
>
> Please don’t top-post on these lists.
>
> On Mon, Nov 20, 2023 at 01:40 Yee Yee ( 舒兰) <sweety(dot)soul7(at)gmail(dot)com>
> wrote:
>
>> For item 5, I would like to confirm whether I need to apply both TLS/SSL
>> and GSSAPI authentication or if applying GSSAPI authentication alone is
>> sufficient.
>>
>
> This depends on what you’re doing, exactly, and what your goals are. If
> you want encryption from a Windows client to a PG server then you’d
> probably want to use TLS/SSL to provide that encryption and then use GSSAPI
> for authentication. You wouldn’t be using TLS/SSL for the client’s
> authentication, just for encryption.
>
>> According to your post, do I only need to create one user 'pg1postgres'
>> and generate one keytab file with this user. After that, should I map all
>> the Windows users ( we have 200+ users) with 'pg1postgres' inside
>> pg_ident.conf?
>>
>
> You just need to have the one user in AD and the one keytab which you then
> transfer to the PG server. That user in AD is essentially “the postgres
> server” it’s not a regular user account.
>
> Once it’s all set up, you need to create your regular user accounts in PG
> for those users who are allowed to log into the PG server. There are some
> tools out there to help with syncing user accounts and groups between PG
> and AD, eg: pg_ldap_sync:
>
> https://github.com/larskanis/pg-ldap-sync
>
> Thanks,
>
> Stephen
>
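
As an added illustration of the split Stephen describes (TLS or GSSAPI on the wire for encryption, GSSAPI for authentication, one AD service account with one keytab, and ordinary PG roles for the people allowed in), here is a configuration sketch. It is not from this thread or from the PostgreSQL project; the keytab path, realm, subnet and map name are assumptions, and the AD account name 'pg1postgres' is simply the one used in the thread.

```conf
# postgresql.conf: the keytab exported from AD for the single service
# account ('pg1postgres' in the thread) and copied to the PG host.
# Path is an assumption; the file should be readable by the postgres OS
# user only, since it is the server's long-term credential.
krb_server_keyfile = '/etc/postgresql/pg1postgres.keytab'
ssl = on    # TLS for transport encryption (not needed if hostgssenc is used)

# pg_hba.conf: encryption and authentication are separate decisions.
# Realm and subnet are placeholders.
# TYPE       DATABASE  USER  ADDRESS      METHOD
hostssl      all       all   10.0.0.0/8   gss include_realm=0 krb_realm=CORP.EXAMPLE map=adusers
# Alternative: let GSSAPI itself encrypt the session instead of TLS.
hostgssenc   all       all   10.0.0.0/8   gss include_realm=0 krb_realm=CORP.EXAMPLE map=adusers

# pg_ident.conf: identity mapping, NOT a many-to-one map onto pg1postgres.
# include_realm=0 strips the realm, krb_realm= rejects principals from
# any other realm, and the regex hands the bare principal through as the
# PG role name, so a login succeeds only if that role exists.
# MAPNAME   SYSTEM-USERNAME        PG-USERNAME
adusers     /^([A-Za-z0-9._-]+)$   \1
```

With this layout the roles you create in PG (by hand or synced with a tool such as pg_ldap_sync) are the effective allow-list: an AD user with a valid ticket but no matching PG role is refused, and the pg1postgres account never logs in as a client at all.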
