From abd8a2c4599e574f0c6a5e01cb26df95f1052145 Mon Sep 17 00:00:00 2001 From: Paul Trowbridge Date: Thu, 23 Aug 2018 13:34:03 -0400 Subject: [PATCH] active directory --- AD convo.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 AD convo.md diff --git a/AD convo.md b/AD convo.md new file mode 100644 index 0000000..7bd20b0 --- /dev/null +++ b/AD convo.md @@ -0,0 +1,37 @@ +[mailing_list](https://www.postgresql.org/message-id/flat/CAHq%2BKHJOvZT8M-o_sE%2BQzqqBGnUjNubWo_rRmpHZyw5ZUuaseg%40mail.gmail.com) + + +wouldn't that be Pg authing against the OS (pam) which in turn is forwarding to krb5? which seems like an extra added step + +sfrost [11:11 AM] +it's basically this: +ktpass -out postgres.keytab -princ +POSTGRES/centos(at)MY(dot)TESTDOMAIN(dot)LAN -mapUser enterprisedb -pass XXXXXX +-crypto DES-CBC-MD5 +(except adjusted a bit to make it not use a shitty crypto) +you use ktpass to create your keytab file +copy the keytab file to the Linux box + +arossouw [11:12 AM] +Seems like effort, i'll just play dumb on that one + +sfrost [11:12 AM] +oh, gotta fix the princ too or whatever +but it's not that hard +and you might have to configure the realms, but not necessairly (that info is often in DNS already) +then you just tell PG where the keytab file is, set gssapi in PG's hba.conf, and create your users using their princ names, like 'sfrost@SNOWMAN.NET' + +dtseiler [11:13 AM] +I’m with @hunleyd, I’d love to see a great howto post on that. + +arossouw [11:14 AM] +I suppose the question is what is the advantage of using kerberos, and then deciding if its worth spending time on + +sfrost [11:14 AM] +I just wrote it +^^^ see above +also wrote the advantage... + + +hunleyd [11:14 AM] +maybe i'll try this as a 10% project some day \ No newline at end of file
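Review bot: the ktpass example committed in the new `AD convo.md` still carries `-crypto DES-CBC-MD5`, even though the next line of the transcript says the real command was "adjusted a bit to make it not use a shitty crypto"; since this file is being checked in as reference material, either replace that option with one of the non-DES (AES) crypto types ktpass supports or add a one-line note beside it saying DES is shown only because that is what the mailing-list post used and must not be copied as-is. Two smaller points in the same hunk: `hba.conf` should read `pg_hba.conf` (the PostgreSQL file where `gss` is configured), and the file ends without a trailing newline (`\ No newline at end of file`); a filename without a space (e.g. `AD-convo.md`) would also be easier to reference from shells and links.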