Thread: Windows Single Sign On - LINUX Server
Hi All,

We are currently running PostgreSQL 8.4 on Windows Server 2003 and are planning to move the instance to Ubuntu 10.4 - yay! At the same time we will also upgrade to 9.1.

One nice feature that we leverage from the Windows configuration is the ability for Windows clients to use AD SSO, i.e. SSPI. This was really easy to set up and configure.

If we move to Linux I was wondering if anyone could provide a howto reference or some tips on how to set up the auth configuration to provide SSO to Windows clients? I've read the GSSAPI/Kerberos authentication section of the docs, but it's still unclear to me the exact process to follow. In particular, what things would I need to configure on the Ubuntu server and which tasks will need to be done on the Windows domain controller (which is managed by a third-party service provider who knows little about PostgreSQL or Ubuntu)?

We are using a Windows Server 2008 for the domain controller. However, I know little about its setup or configuration; I only know it's our Windows domain realm.

Regards,
Jeremy

This message contains information which is confidential and may be subject to legal privilege. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify us immediately (Phone 0800 665 463 or info@linz.govt.nz) and destroy the original message. LINZ accepts no responsibility for changes to this email, or for any attachments, after its transmission from LINZ. Thank You.
LDAP will be your best choice for SSO; Ubuntu Linux can authenticate against AD. Also, this is OS stuff, not PostgreSQL. If your server is in production and you cannot handle this migration, it is advisable that you subscribe for support on Ubuntu from Canonical.

Thanks,
Sunday Olutayo

----- Original Message -----
From: "Jeremy Palmer" <JPalmer@linz.govt.nz>
To: pgsql-general@postgresql.org
Sent: Thursday, August 23, 2012 8:12:55 PM
Subject: [GENERAL] Windows Single Sign On - LINUX Server
On 08/24/2012 06:10 PM, SUNDAY A. OLUTAYO wrote:
> LDAP will be your best choice for SSO, Ubuntu Linux can authenticate against AD.

I'm not at all convinced by that. Active Directory functions as a Kerberos KDC. Kerberos provides secure authentication and (unlike LDAP) single sign-on.

http://technet.microsoft.com/en-us/library/bb742516.aspx

Use Kerberos via GSSAPI. Here's a good starting point by Marcus:

http://www.hagander.net/talks/Deploying%20PostgreSQL%20in%20a%20Windows%20Enterprise.pdf

--
Craig Ringer
In real-world deployments, LDAP and Kerberos are often combined for authentication and authorization. The link below is a well-documented howto:

https://help.ubuntu.com/community/SingleSignOn

Thanks,
Sunday Olutayo

----- Original Message -----
From: "Craig Ringer" <ringerc@ringerc.id.au>
To: "SUNDAY A. OLUTAYO" <olutayo@sadeeb.com>
Cc: "Jeremy Palmer" <JPalmer@linz.govt.nz>, pgsql-general@postgresql.org
Sent: Friday, August 24, 2012 12:48:01 PM
Subject: Re: [GENERAL] Windows Single Sign On - LINUX Server
Marcus' guide looks great.

So what are the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method mentioned by Sunday?

________________________________________
From: SUNDAY A. OLUTAYO [olutayo@sadeeb.com]
Sent: Saturday, 25 August 2012 12:00 a.m.
To: Craig Ringer
Cc: Jeremy Palmer; pgsql-general@postgresql.org
Subject: Re: [GENERAL] Windows Single Sign On - LINUX Server
On 08/25/2012 04:29 AM, Jeremy Palmer wrote:
> Marcus' guide looks great.
>
> So what's the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method mentioned by Sunday?

The method on the Ubuntu wiki applies to the host OS as a whole. Pg will still need to know how to auth users. It's possible this'll work via the "pam" authentication method on a system configured to auth users against AD+LDAP or against Kerberos. I haven't tried. If so, that approach is probably fine.
On Fri, Aug 24, 2012 at 1:29 PM, Jeremy Palmer <JPalmer@linz.govt.nz> wrote:
> Marcus' guide looks great.
>
> So what's the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method mentioned by Sunday?
Cons:
More complicated to set up.
There are a few odd things about AD and Kerberos that take some getting used to. For example, IIRC, systems get keys rather than services, so your keytab ends up showing identical keys for every service on a machine.
Pros:
Far more secure
True single-sign-on (users do not have to enter passwords).
Unlike LDAP, it does not require degrading DC security.
I would honestly go with GSSAPI.
It's not quite the same thing but a paper I wrote (published by Microsoft!) is likely to be helpful here:
The paper discusses using kerberized authentication for OpenSSH against AD. In principle, PostgreSQL should be relatively similar. The paper may be of help here.
Best Wishes,
Chris Travers
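Added example (not code from this thread, from PostgreSQL, or from the talk and paper linked above) of the server-side decision that Craig and Chris are arguing for. With the pg_hba.conf `gss` method, PostgreSQL receives a Kerberos principal such as `jpalmer@EXAMPLE.COM`, and the `include_realm`, `krb_realm` and `map` options together with pg_ident.conf decide which database role that principal may connect as. The Python below mirrors the documented rules for those options on a constructed pg_ident.conf, so a mapping can be checked before touching the real server. The realm EXAMPLE.COM, the map name `adusers`, the principals and the dbadmin-to-postgres entry are assumptions. It also shows the trap in `include_realm=0` without `krb_realm`: the realm is thrown away before the name check, so with a cross-realm trust in place a same-named principal from another realm is accepted.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample pg_ident.conf for this example. The realm EXAMPLE.COM,
# the map name "adusers" and the dbadmin -> postgres entry are assumptions,
# not settings taken from the thread.
PG_IDENT_CONF = r"""
# MAPNAME   SYSTEM-USERNAME           PG-USERNAME
adusers     /^(.*)@EXAMPLE\.COM$      \1
adusers     dbadmin@EXAMPLE.COM       postgres
"""

IdentEntry = Tuple[str, str, str]


def parse_ident(text: str) -> List[IdentEntry]:
    """Parse pg_ident.conf into (map-name, system-username, pg-username) tuples."""
    entries: List[IdentEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def gss_system_name(principal: str, include_realm: bool,
                    krb_realm: Optional[str]) -> Optional[str]:
    """Apply the documented gss options to an authenticated principal.

    krb_realm, if set, rejects principals from any other realm (and principals
    that carry no realm at all). include_realm=1 keeps 'user@REALM' as the
    system name; include_realm=0 strips the realm first.
    Returns None when the principal is rejected.
    """
    if "@" not in principal:
        return None if krb_realm else principal
    user, realm = principal.rsplit("@", 1)
    if krb_realm is not None and realm != krb_realm:
        return None
    return principal if include_realm else user


def usermap_allows(entries: List[IdentEntry], mapname: str,
                   system_user: str, requested_role: str) -> bool:
    """Return True if map `mapname` permits system_user to log in as requested_role.

    Follows the pg_ident.conf rules: a system-username beginning with '/' is a
    regular expression and its first capture group replaces \\1 in the
    pg-username; any other entry must match both names exactly.
    """
    for name, sysname, pgname in entries:
        if name != mapname:
            continue
        if sysname.startswith("/"):
            match = re.search(sysname[1:], system_user)
            if not match:
                continue
            if r"\1" in pgname:
                if not match.groups():
                    raise ValueError("\\1 used without a capture group in " + sysname)
                pgname = pgname.replace(r"\1", match.group(1))
        elif sysname != system_user:
            continue
        if pgname == requested_role:
            return True
    return False


def gss_login_allowed(principal: str, requested_role: str, *,
                      include_realm: bool = False,
                      krb_realm: Optional[str] = None,
                      mapname: Optional[str] = None,
                      entries: Optional[List[IdentEntry]] = None) -> bool:
    """Full decision for one gss login attempt under the given pg_hba.conf options."""
    system_user = gss_system_name(principal, include_realm, krb_realm)
    if system_user is None:
        return False
    if mapname is None:
        # No map: the system name must equal the requested database role.
        return system_user == requested_role
    return usermap_allows(entries or [], mapname, system_user, requested_role)


if __name__ == "__main__":
    entries = parse_ident(PG_IDENT_CONF)
    opts = dict(include_realm=True, mapname="adusers", entries=entries)
    # Hardened: the realm is part of the name the regex has to match.
    print(gss_login_allowed("jpalmer@EXAMPLE.COM", "jpalmer", **opts))    # True
    print(gss_login_allowed("jpalmer@OTHER.EXAMPLE", "jpalmer", **opts))  # False
    # Trap: include_realm=0 and no krb_realm discards the realm entirely.
    print(gss_login_allowed("jpalmer@OTHER.EXAMPLE", "jpalmer"))          # True
    # Minimal fix when you do not want a map: pin the realm.
    print(gss_login_allowed("jpalmer@OTHER.EXAMPLE", "jpalmer",
                            krb_realm="EXAMPLE.COM"))                      # False
```

The hardened case above corresponds to an assumed pg_hba.conf line of the form `hostssl all all 10.0.0.0/8 gss include_realm=1 map=adusers`, with `krb_server_keyfile` in postgresql.conf pointing at the keytab exported from the DC; check the pg_hba.conf documentation for the PostgreSQL version actually being deployed to confirm which of these options it supports.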