Thread: Re: Linux Postgres authentication against active directory

Re: Linux Postgres authentication against active directory

From
"Magnus Hagander"
Date:
> Hi to all,
>
> Currently I am trying to authenticate my Linux Postgres installation
> against Active Directory; I have found 3 solutions to use:
>
> 1) LDAP
> 2) Pam and Kerberos
> 3) Kerberos alone

(3) is the one I've been using, and it works very well. I've been
working on a HOWTO, but it's not done yet.

Note that if your clients are on win32, you need at least version 8.0.2.


> For the 2 kerberos solutions I don't find much documentation;
> I tried to compile postgres with kerberos using
> these configure flags:
>
>     --with-krb5=/usr/
>     --with-includes=/usr/include/
>     --with-libraries=/usr/lib/
>
>     My kerberos installation is in
>     /usr/bin and /usr/sbin   for the binaries
>     /usr/lib/                libkrb5.*, libk5crypto.so and libkadm5
>     /usr/include/            krb5.h header file
>
> But it seems that I am missing something, because when I put the krb5
> word in pg_hba.conf and try to connect the system gives
> me the error:

For AD to do proper interop, the SPN has to be in uppercase. For this
you need to recompile postgresql using --with-krbsrvnam=POSTGRES on both
client and server. (You will be able to change this at runtime in 8.1)

Naturally you will have to recreate the service account in AD with the
proper SPN.


//Magnus

R: Linux Postgres authentication against active directory

From
"Ronzani Dario"
Date:
Hi, thanks for the answer.

Below are my comments.

> -----Original message-----
> From: Magnus Hagander [mailto:mha@sollentuna.net]
> Sent: Friday 12 August 2005 12.56
> To: Ronzani Dario; pgsql-general@postgresql.org
> Subject: RE: [GENERAL] Linux Postgres authentication against
> active directory
>
>
> > Hi to all,
> >
> > Currently I am trying to authenticate my Linux Postgres installation
> > against Active Directory; I have found 3 solutions to use:
> >
> > 1) LDAP
> > 2) Pam and Kerberos
> > 3) Kerberos alone
>
> (3) is the one I've been using, and it works very well. I've
> been working on a HOWTO, but it's not done yet.
>
> Note that if your clients are on win32, you need at least
> version 8.0.2.

Great to know that someone is able to use this solution. I don't have any
client; my application is a web (php, java) application with a requirement for
AD (or ldap, depending on the customer) user authentication.

>
>
> > For the 2 kerberos solutions I don't find much documentation;
> > I tried to compile postgres with kerberos using
> > these configure flags:
> >
> >     --with-krb5=/usr/
> >     --with-includes=/usr/include/
> >     --with-libraries=/usr/lib/
> >
> >     My kerberos installation is in
> >     /usr/bin and /usr/sbin   for the binaries
> >     /usr/lib/                libkrb5.*, libk5crypto.so and libkadm5
> >     /usr/include/            krb5.h header file
> >
> > But it seems that I am missing something, because when I put the krb5
> > word in pg_hba.conf and try to connect the system gives
> > me the error:
>
> For AD to do proper interop, the SPN has to be in uppercase.
> For this you need to recompile postgresql using
> --with-krbsrvnam=POSTGRES on both client and server. (You
> will be able to change this at runtime in 8.1)
>
> Naturally you will have to recreate the service account in AD
> with the proper SPN.

My fear is that I have misunderstood how kerberos works. I understand that I
must kerberize the postgres application to give it access to AD; then do I
need to put a principal on any user that needs to authenticate?

This is my principal on the linux box; as you say (I think), I created this
principal in uppercase:

    ktutil:  rkt /usr/etc/postgresql/krb5.keytab
    ktutil:  list
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    3             POSTGRES/onet003@OWORD.LOCAL
       2    3             RONZANID/onet003@OWORD.LOCAL


Maybe my problem is related to these compilation lines?

    checking for library containing com_err... -lkrb5
    checking for library containing krb5_encrypt... none required
    checking for library containing krb5_sendauth... none required
    checking krb5.h usability... yes
    checking krb5.h presence... yes
    checking for krb5.h... yes
    checking for krb5_ticket.enc_part2... yes
    checking for krb5_error.text.data... yes

In particular I refer to krb5_encrypt and krb5_sendauth.

With more debugging I received this error when I tried to authenticate.

    postgres: Bad application version was sent (via sendauth) from krb5_recvauth

Thanks, Dario

>
>
> //Magnus
>


Re: Linux Postgres authentication against active directory

From
"Magnus Hagander"
Date:
> > > Currently I am trying to authenticate my Linux Postgres installation
> > > against Active Directory; I have found 3 solutions to use:
> > >
> > > 1) LDAP
> > > 2) Pam and Kerberos
> > > 3) Kerberos alone
> >
> > (3) is the one I've been using, and it works very well. I've been
> > working on a HOWTO, but it's not done yet.
> >
> > Note that if your clients are on win32, you need at least version
> > 8.0.2.
>
> Great to know that someone is able to use this solution. I
> don't have any client; my application is a web (php, java)
> application with a requirement for AD (or ldap, depending on the
> customer) user authentication.

The easiest way around that is to authenticate the user to the
webserver, and then use a single account to connect to the database (or
a couple, depending on group membership, or whatever suits your app).


> > Naturally you will have to recreate the service account in
> AD with the
> > proper SPN.
>
> My fear is that I have misunderstood how kerberos works. I
> understand that I must kerberize the postgres application
> to give it access to AD; then do I need to put a principal
> on any user that needs to authenticate?

No, you do not need to kerberize postgres to access AD. If you want to
"check ad passwords", it's probably best to use LDAP.

Kerberos is used to achieve *single sign on*. Meaning your app never
sees the password. If this is not what you need, it's overly complex.

Any user who needs to authenticate needs a principal, yes. That's their
normal Windows account. On top of that, every *service* the user should
authenticate *to* also needs a principal - for mutual authentication.

If your client connects to your webserver only, your webserver needs this
principal. If the clients connect to the database server, the database
server needs it. There is apparently some way if you use mod_perl to
forward kerberos credentials from the webserver to the database server,
but I don't know any details about that.

But again, if you intend to provide a userid/password box to the user
and then authenticate those credentials, it's going to be a lot easier
to use for example LDAP.

You can, of course, use kerberos between your webserver and the database
server, but that's most likely an overkill as you'll only be able to
access it as a single user anyway (I think).


> This is my principal on the linux box; as you say (I think), I
> created this principal in uppercase:
>
>     ktutil:  rkt /usr/etc/postgresql/krb5.keytab
>     ktutil:  list
>     slot KVNO Principal
>     ---- ---- ---------------------------------------------------------------------
>        1    3             POSTGRES/onet003@OWORD.LOCAL
>        2    3             RONZANID/onet003@OWORD.LOCAL

The postgres keytab only needs the POSTGRES principal. The other is your
user (I assume), and it should not be stored *anywhere* - only
transient while you are logged in.


> Maybe my problem is related to these compilation lines?
>
>     checking for library containing com_err... -lkrb5
>     checking for library containing krb5_encrypt... none required
>     checking for library containing krb5_sendauth... none required
>     checking krb5.h usability... yes
>     checking krb5.h presence... yes
>     checking for krb5.h... yes
>     checking for krb5_ticket.enc_part2... yes
>     checking for krb5_error.text.data... yes
>
> In particular I refer to krb5_encrypt and krb5_sendauth.

No, that looks correct. It just means that they were found in the krb5
library, and no *additional* libraries are needed. If you were missing
the required libs, you'd get an error and not just a notice.


> With more debugging I received this error when I tried to authenticate.
>
>     postgres: Bad application version was sent (via sendauth) from krb5_recvauth

That probably indicates that your server has a different principal name
than the client (libpq library).


//Magnus
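A keytab hygiene check for the two points Magnus makes above (the server keytab should hold only the POSTGRES service principal, and the service name the server uses must match the one libpq looks up). This is an added example, not code from the thread or from PostgreSQL: it parses a constructed ktutil-style listing with made-up hosts, users and realms, and flags user principals, service-name mismatches (including case) and realm mismatches. The function and constant names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of a 'ktutil: list' listing
# (slot, KVNO, principal). Hosts, users and realms are made-up test
# values, not the ones from the thread.
SAMPLE_KEYTAB_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3             POSTGRES/db01.example.test@EXAMPLE.TEST
   2    3             alice@EXAMPLE.TEST
   3    2             postgres/db01.example.test@EXAMPLE.TEST
   4    1             POSTGRES/db01.example.test@OTHER.TEST
"""

# One data row: slot number, key version number, principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


@dataclass
class KeytabEntry:
    slot: int
    kvno: int
    principal: str


def parse_listing(text: str) -> List[KeytabEntry]:
    """Pick the (slot, KVNO, principal) rows out of a keytab listing,
    skipping the header and separator lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def split_principal(principal: str) -> Tuple[str, Optional[str], str]:
    """Split 'service/host@REALM' into (service, host, realm).
    For a plain user principal 'user@REALM' the host is None."""
    name, _, realm = principal.rpartition("@")
    service, sep, host = name.partition("/")
    return service, (host if sep else None), realm


def audit_keytab(text: str, expected_service: str = "POSTGRES",
                 expected_realm: Optional[str] = None) -> List[str]:
    """Return one finding per entry that should not be in a PostgreSQL
    service keytab or that would not match what the client looks up."""
    findings = []
    for e in parse_listing(text):
        service, host, realm = split_principal(e.principal)
        if host is None:
            # A user principal (someone's own account key) has no business in
            # a service keytab; per the thread it should only exist transiently
            # in the logged-in user's credential cache.
            findings.append(f"slot {e.slot}: user principal {e.principal} "
                            "stored in service keytab")
            continue
        if service != expected_service:
            # The thread's point: AD wants the SPN in uppercase, and the server
            # and libpq must agree on it. A name (or case) mismatch between the
            # two is what the thread links to 'Bad application version'.
            findings.append(f"slot {e.slot}: service name {service!r} does not "
                            f"match expected {expected_service!r}")
        if expected_realm is not None and realm != expected_realm:
            findings.append(f"slot {e.slot}: realm {realm!r} is not the "
                            f"expected realm {expected_realm!r}")
    return findings


if __name__ == "__main__":
    # Run the audit over the constructed listing; each finding is one line.
    for finding in audit_keytab(SAMPLE_KEYTAB_LISTING, expected_realm="EXAMPLE.TEST"):
        print(finding)
```

On a real host you would feed it the output of the keytab listing tool rather than the embedded sample; the regex only relies on the three-column row shape, so a listing with extra columns (timestamps, enctypes) would need the pattern adjusted.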

R: Linux Postgres authentication against active directory

From
"Ronzani Dario"
Date:
Finally I followed your suggestion; I use ldap and it seems to work (for now).
Thanks for your help
dario

> -----Original message-----
> From: pgsql-general-owner@postgresql.org
> [mailto:pgsql-general-owner@postgresql.org] On behalf of
> Magnus Hagander
> Sent: Monday 15 August 2005 21.01
> To: Ronzani Dario; pgsql-general@postgresql.org
> Subject: Re: [GENERAL] Linux Postgres authentication against
> active directory
>
>
> > > > Currently I am trying to authenticate my Linux Postgres installation
> > > > against Active Directory; I have found 3 solutions to use:
> > > >
> > > > 1) LDAP
> > > > 2) Pam and Kerberos
> > > > 3) Kerberos alone
> > >
> > > (3) is the one I've been using, and it works very well. I've been
> > > working on a HOWTO, but it's not done yet.
> > >
> > > Note that if your clients are on win32, you need at least version
> > > 8.0.2.
> >
> > Great to know that someone is able to use this solution. I
> > don't have any client; my application is a web (php, java)
> > application with a requirement for AD (or ldap, depending on the
> > customer) user authentication.
>
> The easiest way around that is to authenticate the user to
> the webserver, and then use a single account to connect to
> the database (or a couple, depending on group membership, or
> whatever suits your app).
>
>
> > > Naturally you will have to recreate the service account in
> > AD with the
> > > proper SPN.
> >
> > My fear is that I have misunderstood how kerberos works. I
> > understand that I must kerberize the postgres application
> > to give it access to AD; then do I need to put a principal
> > on any user that needs to authenticate?
>
> No, you do not need to kerberize postgres to access AD. If
> you want to "check ad passwords", it's probably best to use LDAP.
>
> Kerberos is used to achieve *single sign on*. Meaning your
> app never sees the password. If this is not what you need,
> it's overly complex.
>
> Any user who needs to authenticate needs a principal, yes.
> That's their normal Windows account. On top of that, every
> *service* the user should authenticate *to* also needs a
> principal - for mutual authentication.
>
> If your client connects to your webserver only, your webserver
> needs this principal. If the clients connect to the database
> server, the database server needs it. There is apparently
> some way if you use mod_perl to forward kerberos credentials
> from the webserver to the database server, but I don't know
> any details about that.
>
> But again, if you intend to provide a userid/password box to
> the user and then authenticate those credentials, it's going
> to be a lot easier to use for example LDAP.
>
> You can, of course, use kerberos between your webserver and
> the database server, but that's most likely an overkill as
> you'll only be able to access it as a single user anyway (I think).
>
>
> > This is my principal on the linux box; as you say (I think), I
> > created this principal in uppercase:
> >
> >     ktutil:  rkt /usr/etc/postgresql/krb5.keytab
> >     ktutil:  list
> >     slot KVNO Principal
> >     ---- ---- ---------------------------------------------------------------------
> >        1    3             POSTGRES/onet003@OWORD.LOCAL
> >        2    3             RONZANID/onet003@OWORD.LOCAL
>
> The postgres keytab only needs the POSTGRES principal. The
> other is your user (I assume), and it should not be stored
> *anywhere* - only transient while you are logged in.
>
>
> > Maybe my problem is related to these compilation lines?
> >
> >     checking for library containing com_err... -lkrb5
> >     checking for library containing krb5_encrypt... none required
> >     checking for library containing krb5_sendauth... none required
> >     checking krb5.h usability... yes
> >     checking krb5.h presence... yes
> >     checking for krb5.h... yes
> >     checking for krb5_ticket.enc_part2... yes
> >     checking for krb5_error.text.data... yes
> >
> > In particular I refer to krb5_encrypt and krb5_sendauth.
>
> No, that looks correct. It just means that they were found in
> the krb5 library, and no *additional* libraries are needed.
> If you were missing the required libs, you'd get an error and
> not just a notice.
>
>
> > With more debugging I received this error when I tried to authenticate.
> >
> >     postgres: Bad application version was sent (via sendauth) from krb5_recvauth
>
> That probably indicates that your server has a different
> principal name than the client (libpq library).
>
>
> //Magnus
>