Thread: Windows SIngle Sign On - LINUX Server

Hi All,

We are currently running PostgreSQL 8.4 on Windows server 2003 and are planning to move the instance to Ubuntu 10.4 -
yay!.At the same time we will also upgrade to 9.1. One nice features that we leverage from the windows configuration is
theability for windows clients to use AD SSO i.e SSPI. This was really easy to set-up and configure. 

If we move to Linux I was wondering if anyone could provide a howto reference or some tips on how to set-up auth
configurationto provide SSO to windows clients? I've read the GSSAPI/Kerberos authentication section of the docs, but
it'sstill unclear to me the exact process to follow. In particular what things would I need to configure on the Ubuntu
serverand which tasks will need to be done on the Windows domain controller (which is managed by a third party service
providerwho knows little about PostgreSQL or Ubuntu) 

We are using a WIndows server 2008 for the domain control. However I know little about it's setup or configuration, I
onlyknow it's our windows domain realm.  

Regards,
Jeremy
This message contains information, which is confidential and may be subject to legal privilege. If you are not the
intendedrecipient, you must not peruse, use, disseminate, distribute or copy this message. If you have received this
messagein error, please notify us immediately (Phone 0800 665 463 or info@linz.govt.nz) and destroy the original
message.LINZ accepts no responsibility for changes to this email, or for any attachments, after its transmission from
LINZ.Thank You. 

LDAP will be your best choice for SSO, Ubuntu Linux can authenticate against AD.

Also this is OS stuff not PostgreSQL, if you server is in production and you can not handle this migration,
it is advisable that you subscribe for support on Ubuntu from canonical


Thanks,

Sunday Olutayo





----- Original Message -----
From: "Jeremy Palmer" <JPalmer@linz.govt.nz>
To: pgsql-general@postgresql.org
Sent: Thursday, August 23, 2012 8:12:55 PM
Subject: [GENERAL] Windows SIngle Sign On - LINUX Server

Hi All,

We are currently running PostgreSQL 8.4 on Windows server 2003 and are planning to move the instance to Ubuntu 10.4 -
yay!.At the same time we will also upgrade to 9.1. One nice features that we leverage from the windows configuration is
theability for windows clients to use AD SSO i.e SSPI. This was really easy to set-up and configure. 

If we move to Linux I was wondering if anyone could provide a howto reference or some tips on how to set-up auth
configurationto provide SSO to windows clients? I've read the GSSAPI/Kerberos authentication section of the docs, but
it'sstill unclear to me the exact process to follow. In particular what things would I need to configure on the Ubuntu
serverand which tasks will need to be done on the Windows domain controller (which is managed by a third party service
providerwho knows little about PostgreSQL or Ubuntu) 

We are using a WIndows server 2008 for the domain control. However I know little about it's setup or configuration, I
onlyknow it's our windows domain realm.  

Regards,
Jeremy
This message contains information, which is confidential and may be subject to legal privilege. If you are not the
intendedrecipient, you must not peruse, use, disseminate, distribute or copy this message. If you have received this
messagein error, please notify us immediately (Phone 0800 665 463 or info@linz.govt.nz) and destroy the original
message.LINZ accepts no responsibility for changes to this email, or for any attachments, after its transmission from
LINZ.Thank You. 


--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

On 08/24/2012 06:10 PM, SUNDAY A. OLUTAYO wrote:
> LDAP will be your best choice for SSO, Ubuntu Linux can authenticate against AD.

I'm not at all convinced by that. Active Directory functions as a
Kerberos KDC. Kerberos provides secure authentication and (unlike LDAP)
single sign-on.

http://technet.microsoft.com/en-us/library/bb742516.aspx

Use Kerberos via GSSAPI. Here's a good starting point by Marcus:

http://www.hagander.net/talks/Deploying%20PostgreSQL%20in%20a%20Windows%20Enterprise.pdf

--
Craig Ringer

In real world deployment, LDAP and Kerbero are often combined for authentication and authorization.

The link below is a well documented howto:

https://help.ubuntu.com/community/SingleSignOn


Thanks,

Sunday Olutayo


----- Original Message -----
From: "Craig Ringer" <ringerc@ringerc.id.au>
To: "SUNDAY A. OLUTAYO" <olutayo@sadeeb.com>
Cc: "Jeremy Palmer" <JPalmer@linz.govt.nz>, pgsql-general@postgresql.org
Sent: Friday, August 24, 2012 12:48:01 PM
Subject: Re: [GENERAL] Windows SIngle Sign On - LINUX Server

On 08/24/2012 06:10 PM, SUNDAY A. OLUTAYO wrote:
> LDAP will be your best choice for SSO, Ubuntu Linux can authenticate against AD.

I'm not at all convinced by that. Active Directory functions as a
Kerberos KDC. Kerberos provides secure authentication and (unlike LDAP)
single sign-on.

http://technet.microsoft.com/en-us/library/bb742516.aspx

Use Kerberos via GSSAPI. Here's a good starting point by Marcus:

http://www.hagander.net/talks/Deploying%20PostgreSQL%20in%20a%20Windows%20Enterprise.pdf

--
Craig Ringer

Marcus' guide looks great.

So what's the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method
mentionedby Sunday?  
________________________________________
From: SUNDAY A. OLUTAYO [olutayo@sadeeb.com]
Sent: Saturday, 25 August 2012 12:00 a.m.
To: Craig Ringer
Cc: Jeremy Palmer; pgsql-general@postgresql.org
Subject: Re: [GENERAL] Windows SIngle Sign On - LINUX Server

In real world deployment, LDAP and Kerbero are often combined for authentication and authorization.

The link below is a well documented howto:

https://help.ubuntu.com/community/SingleSignOn


Thanks,

Sunday Olutayo


----- Original Message -----
From: "Craig Ringer" <ringerc@ringerc.id.au>
To: "SUNDAY A. OLUTAYO" <olutayo@sadeeb.com>
Cc: "Jeremy Palmer" <JPalmer@linz.govt.nz>, pgsql-general@postgresql.org
Sent: Friday, August 24, 2012 12:48:01 PM
Subject: Re: [GENERAL] Windows SIngle Sign On - LINUX Server

On 08/24/2012 06:10 PM, SUNDAY A. OLUTAYO wrote:
> LDAP will be your best choice for SSO, Ubuntu Linux can authenticate against AD.

I'm not at all convinced by that. Active Directory functions as a
Kerberos KDC. Kerberos provides secure authentication and (unlike LDAP)
single sign-on.

http://technet.microsoft.com/en-us/library/bb742516.aspx

Use Kerberos via GSSAPI. Here's a good starting point by Marcus:

http://www.hagander.net/talks/Deploying%20PostgreSQL%20in%20a%20Windows%20Enterprise.pdf

--
Craig Ringer
This message contains information, which is confidential and may be subject to legal privilege. If you are not the
intendedrecipient, you must not peruse, use, disseminate, distribute or copy this message. If you have received this
messagein error, please notify us immediately (Phone 0800 665 463 or info@linz.govt.nz) and destroy the original
message.LINZ accepts no responsibility for changes to this email, or for any attachments, after its transmission from
LINZ.Thank You. 

On 08/25/2012 04:29 AM, Jeremy Palmer wrote:
> Marcus' guide looks great.
>
> So what's the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method
mentionedby Sunday? 

The method on the Ubuntu wiki applies to the host OS as a whole.

Pg will still need to know how to auth users. It's possible this'll work
via the "pam" authentication method on a system configured to auth users
against AD+LDAP or against Kerberos. I haven't tried. If so, that
approach is probably fine.