
List:       postgresql-admin
Subject:    Re: GSSAPI authentication on Redhat8 and PostgreSQL15/16
From:       Yee Yee ( 舒兰 <sweety.soul7 () gmail ! com>
Date:       2023-11-21 1:57:57
Message-ID: CAPiU01zjj9fffc7zJ5MWfqxh3Mi19VpPX_bU9=u4mGhoAuG9MA () mail ! gmail ! com

Hi Stephen,

Good morning, and thanks for the clarification.
Apologies for top-posting on these lists; however, I was not able to find
the subscription for pgsql-admin@postgresql.org in the subscription list.
As a result, I replied to the above email. I will start a new email thread
if I have any questions or doubts.

Regards,
Yee Yee

On Mon, Nov 20, 2023 at 7:53 PM Stephen Frost <sfrost@snowman.net> wrote:

> Greetings,
>
> Please don't top-post on these lists.
>
> On Mon, Nov 20, 2023 at 01:40 Yee Yee ( 舒兰) <sweety.soul7@gmail.com>
> wrote:
>
>> For item 5, I would like to confirm whether I need to apply both TLS/SSL
>> and GSSAPI authentication or if applying GSSAPI authentication alone is
>> sufficient.
>>
>
> This depends on what you're doing, exactly, and what your goals are. If
> you want encryption from a Windows client to a PG server then you'd
> probably want to use TLS/SSL to provide that encryption and then use GSSAPI
> for authentication.  You wouldn't be using TLS/SSL for the client's
> authentication, just for encryption.
>
>> According to your post, do I only need to create one user 'pg1postgres'
>> and generate one keytab file with this user. After that, should I map all
>> the Windows users ( we have 200+ users) with 'pg1postgres' inside
>> pg_ident.conf?
>>
>
> You just need to have the one user in AD and the one keytab which you then
> transfer to the PG server.  That user in AD is essentially "the postgres
> server" it's not a regular user account.
>
> Once it's all set up, you need to create your regular user accounts in PG
> for those users who are allowed to log into the PG server. There are some
> tools out there to help with syncing user accounts and groups between PG
> and AD, eg: pg_ldap_sync:
>
> https://github.com/larskanis/pg-ldap-sync
>
> Thanks,
>
> Stephen
>
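As an added illustration of the setup Stephen describes (this is example code written for this archive page, not part of the thread and not the PostgreSQL project's code), the script below shows the pg_hba.conf / pg_ident.conf side of "TLS for encryption, GSSAPI for authentication, one keytab for the server, individual PostgreSQL roles for the users". It parses a constructed pg_ident.conf, applies PostgreSQL's mapping rules (a SYSTEM-USERNAME starting with `/` is a regular expression whose first capture group replaces `\1` in PG-USERNAME; anything else is compared literally), and checks which Kerberos principals may connect as which roles. The realm `EXAMPLE.COM`, the map name `adusers`, the network `10.0.0.0/8` and the role names are assumptions; Python's `re` module stands in for PostgreSQL's own regex engine.

```python
import re

# Constructed example pg_hba.conf line (assumed values, not from the thread).
# "hostssl" requires TLS for encryption, "gss" does the authentication, and
# "map=adusers" hands the Kerberos principal to the pg_ident.conf map below.
SAMPLE_PG_HBA_LINE = "hostssl all all 10.0.0.0/8 gss map=adusers krb_realm=EXAMPLE.COM"

# Constructed pg_ident.conf for the "adusers" map (assumed realm and roles).
# With the default include_realm=1 the name presented to the map is user@REALM.
# The regex line lets every principal in EXAMPLE.COM connect as the PostgreSQL
# role of the same name (\1 is the captured part), so 200+ users need one map
# line, not 200, and each still logs in as their own role. The literal line
# additionally lets one principal connect as an administrative role.
SAMPLE_PG_IDENT = r"""
# MAPNAME   SYSTEM-USERNAME             PG-USERNAME
adusers     /^(.*)@EXAMPLE\.COM$        \1
adusers     alice@EXAMPLE.COM           pg_admin_role
"""


def parse_pg_ident(text):
    """Return (mapname, system_user, pg_user) tuples from pg_ident.conf text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append(tuple(fields))
    return entries


def line_permits(system_pattern, pg_user_field, system_user, requested_role):
    r"""Apply one pg_ident.conf line.

    A SYSTEM-USERNAME beginning with '/' is a regular expression; if the
    PG-USERNAME contains \1 it is replaced by the regex's first capture group.
    Otherwise both columns are compared literally (case-sensitively).
    """
    if system_pattern.startswith("/"):
        match = re.search(system_pattern[1:], system_user)
        if not match:
            return False
        if "\\1" in pg_user_field:
            if not match.groups():
                raise ValueError("\\1 used but the regex has no capture group")
            pg_user_field = pg_user_field.replace("\\1", match.group(1))
        return pg_user_field == requested_role
    return system_pattern == system_user and pg_user_field == requested_role


def is_allowed(entries, map_name, system_user, requested_role):
    """True if any line of the named map lets system_user connect as requested_role."""
    return any(
        line_permits(sys_pat, pg_field, system_user, requested_role)
        for name, sys_pat, pg_field in entries
        if name == map_name
    )


def gss_system_username(principal, include_realm=1):
    """Name PostgreSQL derives from a Kerberos principal before consulting the map.

    include_realm=1 (the default) keeps user@REALM. include_realm=0 strips the
    realm, which is only safe when krb_realm also restricts the accepted realm,
    otherwise alice@OTHER.REALM would look identical to alice@EXAMPLE.COM.
    """
    if include_realm:
        return principal
    return principal.split("@", 1)[0]


if __name__ == "__main__":
    entries = parse_pg_ident(SAMPLE_PG_IDENT)
    checks = [("alice@EXAMPLE.COM", "alice"),
              ("alice@EXAMPLE.COM", "pg_admin_role"),
              ("bob@EXAMPLE.COM", "bob"),
              ("bob@EXAMPLE.COM", "alice"),
              ("carol@OTHER.COM", "carol")]
    print(SAMPLE_PG_HBA_LINE)
    for principal, role in checks:
        sysname = gss_system_username(principal)
        print(f"{principal} as {role}: {is_allowed(entries, 'adusers', sysname, role)}")
```

Running it shows that each EXAMPLE.COM principal can only take its own role (plus the one explicitly granted admin role), that a principal from another realm is rejected by the map even before krb_realm is considered, and that the 'pg1postgres' account from the thread never appears in the map at all: it is the server's service principal behind the keytab, not a login identity.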
