Re: LDAP Authentication - Mailing list pgsql-general

From Stephen Frost
Subject Re: LDAP Authentication
Date
Msg-id ZOioDzcR4Ke3CH3q@tamriel.snowman.net
Whole thread Raw
In response to Re: LDAP Authentication  (Dominique Devienne <ddevienne@gmail.com>)
Responses Re: LDAP Authentication
List pgsql-general
Greetings,

* Dominique Devienne (ddevienne@gmail.com) wrote:
> On Thu, Aug 24, 2023 at 10:07 PM Stephen Frost <sfrost@snowman.net> wrote:
> > * Emile Amewoto (emileam@yahoo.com) wrote:
> > > Here is the high level  process:
> > > 1- Create the user x without password in Postgres.
> > > 2- Assign  role or roles to the user x
> > > 3- Update pg_hba.conf with the ldap connection link.
> > >
> > > You might need cert for the ldap to connect to AD, assuming you are
> > using AD.
> >
> > If you're using AD, you should *really* be using Kerberos/gssapi for
> > your authentication and *not* LDAP.  LDAP is insecure as it involves
> > passing around the user's credentials which is extremely bad practice
> > and is strongly discouraged.  LDAP auth also involves in-line round
> > trips to the LDAP server which can delay or even fail database
> > connections in the event that the LDAP server is even temporarily
> > unavailable.

> But as part of a team that wants to hook PostgreSQL to the company's
> Windows AD, could you please
> provide more info on how to configure the alternative you suggest should be
> used instead?

https://www.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication

> Are you saying AD already "speaks" Kerberos/GSSAPI, and instead of
> configuring LDAP in hba.conf,
> one should configure GSSAPI instead? As "simple" as that?

(just fyi- while they're not exactly the same, where I say 'Kerberos'
below, you can think of it as GSSAPI, Kerberos, or Kerberos/GSSAPI)

More-or-less.  Windows AD uses Kerberos/GSSAPI already for tons of
authentication- when you log into a AD connected system, that's
Kerberos, when you connect to an IIS site in an AD environment and
automatically get authenticated, that's Kerberos (and Negotiate to wrap
it, but still), when you connect to SQL Server, again, Kerberos.

The "pass-the-password" LDAP-based auth method is just about exclusively
used for 3rd-party non-Kerberos-speaking services.  When you have the
option to use Kerberos, you absolutely should.

> What about SSO? Can the local creds / token from the already-AD-connected
> local OS user be extracted,
> so the user doesn't need to supply any password, not even the AD-one?

Kerberos *is* the true SSO that you're looking for- when you sign into
any AD connected system (eg: your laptop), you get Kerberos credentials
(run 'klist' at a cmd prompt sometime..) and you don't have to provide
your password again for any Kerberos authentication until/unless your
Kerberos tickets (acquired when you logged into the laptop) expire.

With the LDAP auth method, the user has to provide their AD password on
every connection to authenticate, or worse, save their AD password for
connection in some local file so they don't have to type it in every
time.  That password is then also sent to the PG server on every
connection, meaning that if the PG server is compromised, the account of
every user who logs into that PG server is then also compromised- their
full AD account.

> Regarding your second point about availability of the LDAP server, isn't
> that normal to fail connecting
> when Auth cannot be ascertained / verified? Kerberos/GSSAPI somehow main
> some cache to avoid that?

Kerberos tickets are acquired from the AD when you log into your laptop.
Those tickets will have some lifetime (which you can configure, but
tends to be 8-10 hours or so).  When you connect to a Kerberos service,
the system will automatically reach out to the AD to obtain a ticket for
that service (eg, a PostgreSQL ticket, for your account) which will also
have a specific lifetime.  When you connect to PostgreSQL, the PG server
is able to verify your identity based on the ticket you present- the PG
server never has to reach out to the AD system for user authentication.
For as long as the PostgreSQL ticket that you acquired when you first
connected to the PG server is valid (again, typically 8-10 hours, but
you can configure it), the AD server is no longer involved and doesn't
need to be contacted, no matter how many subsequent connections you make
to the PG server.

Note that Kerberos is all about authentication- not about authorization.
There's a few different tools out there for sync'ing users from AD into
PostgreSQL and those can be used to manage who is authorized for a given
PG server, including removing their authorization in a relatively short
period of time if needed (more-or-less how often you feel like running
the sync'ing cronjob or such).  I do think it'd be pretty cool to
improve on that with a way for PG to reach out to an AD system and run a
query and then track the changes to that query (LDAP has support for
this kind of thing) which would make changes to, eg, group membership in
AD propagate to the PG server in pretty close to real-time.  Sadly, I'm
not aware of anyone actively working on that though.

> Given that caching is often more trouble than it's worth, how is that
> better? Naïve question, really. --DD

This one I find pretty curious given that cacheing is a very large part
of what PostgreSQL does and is certainly quite worth it. ;)

Thanks,

Stephen

Attachment

pgsql-general by date:

Previous
From: Durumdara
Date:
Subject: Role for just read the data + avoid CREATE / ALTER / DROP
Next
From: Thomas Kellerer
Date:
Subject: Re: Role for just read the data + avoid CREATE / ALTER / DROP