From: | Pär Mattsson <par(dot)x(dot)mattsson(at)gmail(dot)com> |
---|---|
To: | Holger Jakobs <holger(at)jakobs(dot)com>, "pgsql-admin(at)lists(dot)postgresql(dot)org" <pgsql-admin(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Use AD-account as login into Postgres. |
Date: | 2024-02-09 19:59:36 |
Message-ID: | GV1P189MB213200B8E4E17FD637C8B549A24B2@GV1P189MB2132.EURP189.PROD.OUTLOOK.COM |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin |
Thanks alot Holger Jacobs 🥇
Mvh Pär
________________________________
Från: Holger Jakobs <holger(at)jakobs(dot)com>
Skickat: fredag, februari 9, 2024 20:34
Till: pgsql-admin(at)lists(dot)postgresql(dot)org <pgsql-admin(at)lists(dot)postgresql(dot)org>
Ämne: Re: Use AD-account as login into Postgres.
Am 09.02.24 um 20:31 schrieb Pär Mattsson:
Yes this is a complete windows installation of Postgres and they will use ad-login account into the database
Mvh Pär
________________________________
Från: Holger Jakobs <holger(at)jakobs(dot)com><mailto:holger(at)jakobs(dot)com>
Skickat: fredag, februari 9, 2024 20:05
Till: pgsql-admin(at)lists(dot)postgresql(dot)org<mailto:pgsql-admin(at)lists(dot)postgresql(dot)org> <pgsql-admin(at)lists(dot)postgresql(dot)org><mailto:pgsql-admin(at)lists(dot)postgresql(dot)org>
Ämne: Re: Use AD-account as login into Postgres.
Am 09.02.24 um 19:31 schrieb Pär Mattsson:
Hi!
Is it only to config in hba.conf the connection info, to use AD-accounts to login in postgres.
This is a windows/postres intallation 🤦♂️✌️
Mvh Pär
+46706069645
Hi,
Short answer: No!
SSPI using AD accounts for authentication works only in a complete Windows environment. The client and the server machine have to be member of the same AD environment, which isn't possible for non-Windows machines. Otherwise, there is no trust between the machines.
An automatic creation of PostgreSQL roles from AD accounts has to be done outside PostgreSQL, i. e. by a script running regularly.
A couple of years ago, I wrote such a script for a customer.
Regards,
Holger
If that's the case, create all the necessary roles (groups, users) in PostgreSQL matching entries in pg_hba.conf and mapping entries in pg_ident, so that Windows users can connect to the database without needing to authenticate again.
It's a nice way of providing single sign-on.
Regards,
Holger
--
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012
--
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012
From | Date | Subject | |
---|---|---|---|
Next Message | Wells Oliver | 2024-02-10 23:35:53 | Temp table + inde + FDW table on Redshift: MOVE BACKWARD ALL IN not supported |
Previous Message | Ed Sabol | 2024-02-09 19:49:07 | Re: upgrade questions |