Académique Documents
Professionnel Documents
Culture Documents
Magnus Hagander
magnus@hagander.net
PGCon 2008
Ottawa, Canada May 2008
Agenda
Definition Installation Active
Directory
Authentication
WEB
4
Clients
Clients
Agenda
Definition Installation Active
Directory
Authentication
Installation
MSI
installer Integrates with existing products Installs all dependencies Create account, sets permissions Supports silent install Server only, Server+client, Client only
Installation
xcopy
Well,
account, permissions
build
Agenda
Definition Installation Active
Directory
Authentication
10
authentication
Fat
clients
apps usually uses password to db
Web
Very
11
12
trivial
13
only
14
Kerberos 101
Cross
platform, standards-based, secure, distributed authentication Shared secrets between hosts Maintained and controlled by KDC Trusted tickets Single sign-on
15
Kerberos 101
1. Logi n 2. Tick e t-grant reques t T)
ing-tick
Client
KDC
et (TG
Server
16
Kerberos 101
5. Ticket request P OSTGRE S@ FO O
6. Ticket P
OSTGRE
S@FOO
Client
KDC
t icke t cc ros be 3. A et Ker ick t s uire st w q ue . Re 4 req ss cce 7. A
ess
t ues req
Server
17
Kerberos 101
5. Ticket request P OSTGRE S@ FO O
6. Ticket P
OSTGRE
S@FOO
Client
KDC
t icke t cc ros be 3. A et Ker ick t s uire st w q ue . Re 4 req ss cce 7. A
ess
t ues req
Server
18
Kerberos first!
/etc/krb5.conf
with kinit/klist
administrator@DOMAIN.COM
20
required build packages ./configure --with-gssapi Build + install as usual Initdb as usual
21
22
ktpass -princ POSTGRES/lab83.domain.com@DOMAIN.COM -crypto DES-CBC-MD5 -mapuser lab83 -pass FooBar991 -out postgres.keytab
23
account is mapped
24
side principal name Environment: PGKRBSRVNAME Connection string: krbsrvname Needed on both Windows and Unix
26
side principal name Environment: PGKRBSRVNAME Connection string: krbsrvname Needed on both Windows and Unix
27
LDAP Authentication
For
clients that don't support GSS/SSPI If you actually want passwords Looks like password prompt to client pg_hba.conf
host all all 0.0.0.0/0 ldap ldap://dc.domain.com/dc=domain,dc=com;DOMAIN\
28
Agenda
Definition Installation Active
Directory
Authentication
29
Access AD data
dblink-ldap
(pgfoundry) Build from source only Create VIEWs of LDAP data Read-only
30
Access AD data
CREATE VIEW users AS SELECT * FROM dblink_ldap( 'dc.domain.com', 'CN=Users, DC=domain, DC=com', E'DOMAIN\\User', 'password', '(objectClass=user)', 'distinguishedName,cn,displayName') t(dn, cn, displayName)
31
Access AD data
postgres=# SELECT * FROM users; dn CN=mha,CN=Users,DC=domain,DC=com (2 rows) | | mha cn | displayname ----------------------------------------------------------------------------| Magnus Hagander CN=Administrator,CN=Users,DC=domain,DC=com | Administrator | Admin
32
Agenda
Definition Installation Active
Directory
Authentication
33
Monitoring
Performance
34
Future directions
schannel
35
Thank you!
Questions?
36