R: Linux Postgres authentication against active directory - Mailing list pgsql-general

From Ronzani Dario
Subject R: Linux Postgres authentication against active directory
Msg-id !~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAALd57argJ9UGDQfooa9N8nMKAAAAQAAAALWvt2XHkokSrxmtOAkJckgEAAAAA@oword.it
In response to Re: Linux Postgres authentication against active directory  ("Magnus Hagander" <mha@sollentuna.net>)
List pgsql-general
Hi, thanks for the answer.

Below are my comments.

> -----Original Message-----
> From: Magnus Hagander [mailto:mha@sollentuna.net]
> Sent: Friday 12 August 2005 12:56
> To: Ronzani Dario; pgsql-general@postgresql.org
> Subject: RE: [GENERAL] Linux Postgres authentication against
> active directory
>
>
> > Hi to all,
> >
> > I am currently trying to authenticate my Linux Postgres installation
> > against Active Directory, and I have found 3 solutions to use:
> >
> > 1) LDAP
> > 2) Pam and Kerberos
> > 3) Kerberos alone
>
> (3) is the one I've been using, and it works very well. I've
> been working on a HOWTO, but it's not done yet.
>
> Note that if your clients are on win32, you need at least
> version 8.0.2.

Great to know that someone is able to use this solution. I don't have any
client: my application is a web (php, java) application with a requirement for
AD (or LDAP, depending on the customer) user authentication.

>
>
> > For the 2 Kerberos solutions I don't find much
> > documentation; I tried to compile Postgres with Kerberos using
> > these configure flags:
> >
> >     --with-krb5=/usr/
> >     --with-includes=/usr/include/
> >     --with-libraries=/usr/lib/
> >
> >     My Kerberos installation is in
> >     /usr/bin and /usr/sbin    for the binaries
> >     /usr/lib/                 libkrb5.*, libk5crypto.so and libkadm5
> >     /usr/include/             krb5.h header file
> >
> > But it seems that I am missing something, because when I put the krb5
> > word in pg_hba.conf and I try to connect, the system gives
> > me the error:
>
> For AD to do proper interop, the SPN has to be in uppercase.
> For this you need to recompile postgresql using
> --with-krbsrvnam=POSTGRES on both client and server. (You
> will be able to change this at runtime in 8.1)
>
> Naturally you will have to recreate the service account in AD
> with the proper SPN.

My fear is that I have misunderstood how Kerberos works. I understand that I
must kerberize the Postgres application to give it access to AD; then do I
need to create a principal for every user that needs to authenticate?

This is my principal on the Linux box; as you said (I think), I created this
principal in uppercase:

    ktutil:  rkt /usr/etc/postgresql/krb5.keytab
    ktutil:  list
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    3             POSTGRES/onet003@OWORD.LOCAL
       2    3             RONZANID/onet003@OWORD.LOCAL


Maybe my problem is related to these compilation lines?

    checking for library containing com_err... -lkrb5
    checking for library containing krb5_encrypt... none required
    checking for library containing krb5_sendauth... none required
    checking krb5.h usability... yes
    checking krb5.h presence... yes
    checking for krb5.h... yes
    checking for krb5_ticket.enc_part2... yes
    checking for krb5_error.text.data... yes

In particular I refer to krb5_encrypt and krb5_sendauth.

With more debugging I received this error when I tried to authenticate:

    postgres: Bad application version was sent (via sendauth) from krb5_recvauth

Thanks, Dario

>
>
> //Magnus
>
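The thread turns on one detail: for Active Directory interop the PostgreSQL service principal in the keytab must use the uppercase service name (POSTGRES/host@REALM), matching what the server was built with via --with-krbsrvnam. The following is an added example, not code from the thread or from PostgreSQL: it parses the text that `ktutil list` prints and checks whether an entry for the expected service/host@realm exists, flagging entries that differ only in case. The expected service name, host and realm are taken from the listing in the mail; the sample listing below is constructed to mirror it, with an extra lowercase entry added to show what a mismatch looks like.

```python
"""Check `ktutil list` output for the expected PostgreSQL service principal.

Added example, not part of the thread. The expected service name, host and
realm passed to check_service_principal() are assumptions for illustration.
"""

from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ktutil list` output. Slots 1 and 2 mirror the
# listing in the mail; slot 3 is a constructed lowercase entry that AD
# will not match against an uppercase SPN.
SAMPLE_KTUTIL_LIST = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3             POSTGRES/onet003@OWORD.LOCAL
   2    3             RONZANID/onet003@OWORD.LOCAL
   3    2             postgres/onet003@OWORD.LOCAL
"""

# One data row: slot number, key version number, principal string.
PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


@dataclass
class KeytabEntry:
    slot: int
    kvno: int
    service: str   # primary component, e.g. POSTGRES
    instance: str  # host component after '/', empty if absent
    realm: str     # part after '@'


def parse_ktutil_list(text: str) -> list[KeytabEntry]:
    """Parse the table printed by `ktutil list`; header and separator
    lines are skipped because they do not start with a slot number."""
    entries: list[KeytabEntry] = []
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if not m:
            continue
        slot, kvno, principal = m.groups()
        name, _, realm = principal.partition("@")
        service, _, instance = name.partition("/")
        entries.append(KeytabEntry(int(slot), int(kvno), service, instance, realm))
    return entries


def check_service_principal(entries: list[KeytabEntry],
                            service: str = "POSTGRES",
                            host: str = "onet003",
                            realm: str = "OWORD.LOCAL") -> tuple[bool, list[str]]:
    """Return (ok, findings). ok is True when an entry equal to
    service/host@realm exists. findings lists entries for the same host
    and realm whose service name differs only in case (the AD interop
    trap the thread describes), and reports the principal as missing
    when no exact match is present."""
    findings: list[str] = []
    ok = False
    for e in entries:
        if e.realm != realm or e.instance != host:
            continue
        if e.service == service:
            ok = True
        elif e.service.upper() == service:
            findings.append(
                f"slot {e.slot}: service name '{e.service}' differs only in "
                f"case from '{service}'; AD needs the uppercase SPN")
    if not ok:
        findings.append(f"no keytab entry for {service}/{host}@{realm}")
    return ok, findings


if __name__ == "__main__":
    parsed = parse_ktutil_list(SAMPLE_KTUTIL_LIST)
    found, notes = check_service_principal(parsed)
    print("exact SPN present:", found)
    for note in notes:
        print("  ", note)
```

Run it against real output by piping `ktutil list` text into `parse_ktutil_list`; on a live host the same check is what you would do before touching pg_hba.conf, since a keytab whose only PostgreSQL entry is lowercase will still list cleanly in ktutil while failing at authentication time.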

