Thread: Windows SIngle Sign On - LINUX Server

Windows SIngle Sign On - LINUX Server

From
Jeremy Palmer
Date:
Hi All,

We are currently running PostgreSQL 8.4 on Windows server 2003 and are planning to move the instance to Ubuntu 10.4 -
yay! At the same time we will also upgrade to 9.1. One nice feature that we leverage from the Windows configuration is
the ability for Windows clients to use AD SSO, i.e. SSPI. This was really easy to set up and configure.

If we move to Linux I was wondering if anyone could provide a howto reference or some tips on how to set up auth
configuration to provide SSO to Windows clients? I've read the GSSAPI/Kerberos authentication section of the docs, but
it's still unclear to me the exact process to follow. In particular what things would I need to configure on the Ubuntu
server and which tasks will need to be done on the Windows domain controller (which is managed by a third party service
provider who knows little about PostgreSQL or Ubuntu)

We are using a Windows server 2008 for the domain control. However I know little about its setup or configuration, I
only know it's our Windows domain realm.

Regards,
Jeremy
This message contains information, which is confidential and may be subject to legal privilege. If you are not the
intended recipient, you must not peruse, use, disseminate, distribute or copy this message. If you have received this
message in error, please notify us immediately (Phone 0800 665 463 or info@linz.govt.nz) and destroy the original
message. LINZ accepts no responsibility for changes to this email, or for any attachments, after its transmission from
LINZ. Thank You.


Re: Windows SIngle Sign On - LINUX Server

From
"SUNDAY A. OLUTAYO"
Date:
LDAP will be your best choice for SSO, Ubuntu Linux can authenticate against AD.

Also this is OS stuff not PostgreSQL, if your server is in production and you cannot handle this migration,
it is advisable that you subscribe for support on Ubuntu from Canonical.


Thanks,

Sunday Olutayo







Re: Windows SIngle Sign On - LINUX Server

From
Craig Ringer
Date:
On 08/24/2012 06:10 PM, SUNDAY A. OLUTAYO wrote:
> LDAP will be your best choice for SSO, Ubuntu Linux can authenticate against AD.

I'm not at all convinced by that. Active Directory functions as a
Kerberos KDC. Kerberos provides secure authentication and (unlike LDAP)
single sign-on.

http://technet.microsoft.com/en-us/library/bb742516.aspx

Use Kerberos via GSSAPI. Here's a good starting point by Marcus:

http://www.hagander.net/talks/Deploying%20PostgreSQL%20in%20a%20Windows%20Enterprise.pdf

--
Craig Ringer


Re: Windows SIngle Sign On - LINUX Server

From
"SUNDAY A. OLUTAYO"
Date:
In real world deployment, LDAP and Kerberos are often combined for authentication and authorization.

The link below is a well documented howto:

https://help.ubuntu.com/community/SingleSignOn


Thanks,

Sunday Olutayo




Re: Windows SIngle Sign On - LINUX Server

From
Jeremy Palmer
Date:
Marcus' guide looks great.

So what's the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method
mentioned by Sunday?


Re: Windows SIngle Sign On - LINUX Server

From
Craig Ringer
Date:
On 08/25/2012 04:29 AM, Jeremy Palmer wrote:
> Marcus' guide looks great.
>
> So what's the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method
> mentioned by Sunday?

The method on the Ubuntu wiki applies to the host OS as a whole.

Pg will still need to know how to auth users. It's possible this'll work
via the "pam" authentication method on a system configured to auth users
against AD+LDAP or against Kerberos. I haven't tried. If so, that
approach is probably fine.


Re: Windows SIngle Sign On - LINUX Server

From
Chris Travers
Date:


On Fri, Aug 24, 2012 at 1:29 PM, Jeremy Palmer <JPalmer@linz.govt.nz> wrote:
> Marcus' guide looks great.
>
> So what's the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method mentioned by Sunday?

Cons:

More complicated to set up.

There are a few odd things about AD and Kerberos that take some getting used to.  For example, IIRC, systems get keys rather than services, so your keytab ends up showing identical keys for every service on a machine.

Pros:

Far more secure

True single-sign-on (users do not have to enter passwords). 

Unlike LDAP, does not require degrading DC security.

I would honestly go with GSSAPI.

It's not quite the same thing but a paper I wrote (published by Microsoft!) is likely to be helpful here:


The paper discusses using kerberized authentication for OpenSSH against AD.  In principle, PostgreSQL should be relatively similar.  The paper may be of help here.

Best Wishes,
Chris Travers
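
As an added illustration (not written by any poster in this thread), the two approaches compared above look roughly like this in PostgreSQL 9.1 server configuration. The realm EXAMPLE.COM, the host names, the network range, the service account name and the keytab path are placeholders.

```conf
# ---------------------------------------------------------------
# pg_hba.conf (PostgreSQL 9.1 syntax) - constructed example
# ---------------------------------------------------------------

# LDAP method: the client sends its password to PostgreSQL, which then
# performs a simple bind against the directory with it. The user still
# types a password, and the database server sees it, so the connection
# should be restricted to SSL (hostssl) and the bind protected (ldaptls).
# Shown commented out for comparison only.
#hostssl  all  all  10.0.0.0/8  ldap  ldapserver=dc1.example.com ldaptls=1 ldapsuffix="@example.com"

# GSSAPI method: the client presents a Kerberos service ticket obtained
# from the AD KDC with its existing Windows logon. No password reaches
# PostgreSQL. krb_realm rejects principals from any other realm, and
# include_realm=0 maps alice@EXAMPLE.COM to the database role "alice".
host     all  all  10.0.0.0/8  gss   include_realm=0 krb_realm=EXAMPLE.COM

# ---------------------------------------------------------------
# postgresql.conf
# ---------------------------------------------------------------

# Keytab holding the key for the service principal
#   postgres/db1.example.com@EXAMPLE.COM
# ("postgres" is the default krb_srvname; the host part must be the name
# clients connect to). The file must be readable only by the postgres
# OS user, since anyone holding it can impersonate the service.
krb_server_keyfile = '/etc/postgresql/9.1/main/postgres.keytab'

# ---------------------------------------------------------------
# Domain controller side (run by the domain admin, not on Ubuntu)
# ---------------------------------------------------------------
# Create an ordinary AD account for the service (here: svc-postgres),
# then map the service principal to it and export the keytab:
#
#   ktpass /princ postgres/db1.example.com@EXAMPLE.COM
#          /mapuser svc-postgres /pass *
#          /ptype KRB5_NT_PRINCIPAL /out postgres.keytab
#
# Copy postgres.keytab to the Ubuntu server over a secure channel and
# verify its contents there with:  klist -k postgres.keytab
```

Windows clients built with SSPI support can connect to a `gss` entry without extra client-side configuration, provided the host name they use matches the one in the service principal.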