Re: [GENERAL] pg_ident mapping Kerberos Usernames - Mailing list pgsql-general
From | techmail+pgsql@dangertoaster.com |
---|---|
Subject | Re: [GENERAL] pg_ident mapping Kerberos Usernames |
Date | |
Msg-id | 1110444b-dcb5-e09b-98a9-4dc59ecab29a@dangertoaster.com |
In response to | Re: [GENERAL] pg_ident mapping Kerberos Usernames (Jeff Janes <jeff.janes@gmail.com>) |
Responses | Re: [GENERAL] pg_ident mapping Kerberos Usernames |
List | pgsql-general |
On 09/10/2017 04:27 PM, Jeff Janes wrote:
> On Sun, Sep 10, 2017 at 11:25 AM, <techmail+pgsql@dangertoaster.com> wrote:
>
> > On 09/10/2017 02:39 AM, Magnus Hagander wrote:
> > > On Sat, Sep 9, 2017 at 6:44 PM, <techmail+pgsql@dangertoaster.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > I'm trying to get pg_ident to map "user1" and "user1@A.DOMAIN.TLD" to "user1" in
> > > > postgres, or vice versa. I'm not picky about which way works.
> > > >
> > > > Kerberos authentication works. I've gotten "user1" to log in successfully with a
> > > > Kerberos ticket, but I'm not able to get "user1@A.DOMAIN.TLD" to match.
> > > >
> > > > Environment:
> > > > * PostgreSQL 9.6 from PostgreSQL repos
> > > > * CentOS 7
> > > > * FreeIPA for Kerberos, LDAP, etc.
> > > > * Realm A.DOMAIN.TLD
> > > > * "user1" database exists
> > > > * "user1" role exists
> > > > * Logging into CentOS, usernames are configured to drop the domain, so they appear as
> > > >   "user1" rather than "user1@a.domain.tld".
> > > >
> > > > pg_hba.conf:
> > > >
> > > > local all postgres peer
> > > > host all all 127.0.0.1/32 md5
> > > > host all all ::1/128 md5
> > > > host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD
> > > > #This is on one line. Thunderbird is truncating lines.
> > > >
> > > > pg_ident.conf:
> > > >
> > > > testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
> > > > testnet /^([0-9A-Za-z_-]+)$ \1
> > > >
> > > > Regex that works for both in regexr.com:
> > > >
> > > > /^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm
> > > >
> > > > Command and lines from pg_log:
> > > >
> > > > $ psql -h db0 # Logged in as user1 with Kerberos ticket
> > > >
> > > > < 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44918
> > > > < 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG: connection authorized: user=user1 database=user1
> > > > < 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG: disconnection: session time: 0:00:01.537 user=user1 database=user1 host=192.168.1.201 port=44918
> > > >
> > > > $ psql -h db0 -U user1@A.DOMAIN.TLD # Logged in as user1 with Kerberos ticket
> > > >
> > > > < 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44920
> > > > < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > LOG: no match in usermap "testnet" for user "user1@A.DOMAIN.TLD" authenticated as "user1@A.DOMAIN.TLD"
> > > > < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > FATAL: GSSAPI authentication failed for user "user1@A.DOMAIN.TLD"
> > > > < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > DETAIL: Connection matched pg_hba.conf line 87: "host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD"
> > > >
> > > > Is this something that is possible, or is it something where I need to pick one way to
> > > > do it?
> > >
> > > This looks like you are trying to connect with the actual username user1@A.DOMAIN.TLD.
> > > pg_ident only sets what you are allowed to log in as, not what it will attempt.
> > >
> > > If you are using psql, you are probably doing something like "psql -h myserver". You need to
> > > add the user, so "psql -h myserver -U user1", to instruct it of which username to actually
> > > use for the login.
> > >
> > > --
> > > Magnus Hagander
> > > Me: https://www.hagander.net/
> > > Work: https://www.redpill-linpro.com/
> >
> > Hi Magnus,
> >
> > Yes, the system username is "user1", per the default ipa-client-install SSSD setup, and the map
> > is working for that. Without the map, I have to specify the full Kerberos username,
> > user@DOMAIN.TLD, in the psql command.
> >
> > Works with map:
> >
> > $ psql -h db0 #Implied -U user1 -d user1
> > $ psql -h db0 -U user1 -d user1
> >
> > Does not work with map:
> >
> > $ psql -h db0 -U user1@A.DOMAIN.TLD -d user1
>
> If you want that to work with the map, then you need to change the map to add the domain, rather
> than removing it, which is what you currently do.
>
> But it is hard to figure out what it is you actually want. You listed some cases that work and some
> that don't, but haven't said which ones you want to work and which you want not to work.
> (Presumably if you want **all** cases to work, you would just use 'trust' and be done with it.)

GSSAPI is the authentication mechanism of choice, and it's working fine. Here is what I'm trying to
accomplish: 'user1' == 'user1' and 'user1@A.DOMAIN.TLD' == 'user1'. From reading the docs, this is
done via the pg_ident.conf file, and from reading the logs, there is a problem with my map.

Hmm... Interesting thought. *testing*

It sort of works. Setting the maps below maps the users straight across: 'user1' == 'user1' and
'user1@A.DOMAIN.TLD' == 'user1@A.DOMAIN.TLD', so it's partially working.

pg_ident.conf:

testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1@A.DOMAIN.TLD

If it's not possible, that's fine. I'm just wondering if it can be done. I might be misunderstanding
the docs or expecting too much. I'm not quite sure which it is, but it does seem like this should be
possible. Let me know if I can clear anything else up.

Ryan

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
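An added example, not from the thread and not PostgreSQL's own code: a small Python model of how the server evaluates a pg_ident.conf usermap (a line whose system-name field starts with "/" is a regex over the authenticated name; "\1" in the role field is replaced by the first capture group and the result is compared with the role psql asked for; a line can only authorize a requested role, never rewrite it). It assumes these patterns behave the same under Python's re as under PostgreSQL's own regex engine, and it ignores the literal-match options the thread does not use. Running it over the two maps posted above reproduces the "no match in usermap" log line for the original map and shows why the revised one accepts both role names.

```python
import re

# Constructed copies of the two pg_ident.conf maps posted in the thread.
ORIGINAL_MAP = r"""
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
testnet /^([0-9A-Za-z_-]+)$ \1  # never matches: include_realm=1 keeps the realm
"""
REVISED_MAP = r"""
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1@A.DOMAIN.TLD
"""

def parse_ident(text):
    """Return (map name, system user, database role) triples, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(tuple(line.split()))
    return entries

def usermap_allows(entries, mapname, system_user, requested_role):
    """Simplified model of PostgreSQL's check_ident_usermap(): system_user is the
    authenticated name (full principal, since pg_hba.conf has include_realm=1),
    requested_role is the -U name; a line can only authorize a role, never rewrite it."""
    for name, file_sys, file_role in entries:
        if name != mapname:
            continue
        if file_sys.startswith("/"):
            m = re.search(file_sys[1:], system_user)  # leading "/" marks a regex
            if not m:
                continue
            if "\\1" in file_role:
                if not m.groups():
                    raise ValueError("regex has no capture group for \\1")
                candidate = file_role.replace("\\1", m.group(1), 1)
            else:
                candidate = file_role
            if candidate == requested_role:
                return True
        elif file_sys == system_user and file_role == requested_role:
            return True
    return False

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_MAP), ("revised", REVISED_MAP)):
        for role in ("user1", "user1@A.DOMAIN.TLD"):
            ok = usermap_allows(parse_ident(text), "testnet", "user1@A.DOMAIN.TLD", role)
            print(label, role, "authorized" if ok else "no match in usermap")
```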