From: | "Lentes, Bernd" <bernd(dot)lentes(at)helmholtz-muenchen(dot)de> |
---|---|
To: | pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org> |
Subject: | Re: User Authentication: LDAP and "local" accounts concurrently ? |
Date: | 2018-11-24 19:54:19 |
Message-ID: | 347994919.21311413.1543089259209.JavaMail.zimbra@helmholtz-muenchen.de |
Lists: | pgsql-admin |
----- On 23 Nov 2018 at 22:44, Stephen Frost sfrost(at)snowman(dot)net wrote:
> No, Kerberos/GSSAPI *never* transmits the user's password to the server.
> The user's password is actually used as an encryption key and is known
> only to the KDC (your domain controllers) and the user. The KDC and the
> PG server then share a different encryption key (the service principal).
> When the user wants to connect to PG they ask the KDC for a ticket which
> the KDC returns to the user as a blob which contains some information
> for the PG server encrypted with the PG server's key and then encrypts
> that and sends it to the user, who then decrypts it and uses it to
> connect to the PG server.
>
> How all of that works is a bit complicated but thankfully you don't
> really need to worry about that - Windows and Active Directory handle
> almost all of it. All you need to do is create a service principal in
> active directory for the PG server and then export it and copy it over
> to the PG server and then enable gssapi in PG.
>
> Thanks!
>
> Stephen
Hi Stephen,
thanks again for your answer. Does my client application (Geneious, a bioinformatic tool)
have to support Kerberos in any way?
Bernd
Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Chairwoman of the Supervisory Board: MinDirig.in Petra Steiner-Hoffmann
Deputy Chairman of the Supervisory Board: MinDirig. Dr. Manfred Wolter
Managing Directors: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Heinrich Bassler, Dr. rer. nat. Alfons Enhsen
Court of registration: Amtsgericht Muenchen HRB 6466
VAT ID: DE 129521671
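The ticket exchange Stephen describes in the quoted reply, reduced to a runnable model. This is an added illustration, not code from the thread or from PostgreSQL: the cipher is a toy (hash keystream plus HMAC tag), and the principal names, secrets and the KDC, client_connect and pg_server_accept functions are all assumptions, but it shows the property he states: the password is only ever turned into a key on the client side, and the PG server verifies the ticket with nothing but its own service key.

```python
import hashlib, hmac, json, os

def derive_key(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()  # toy string-to-key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption (hash keystream + HMAC). Illustration only, not for real use."""
    plain, nonce = json.dumps(payload).encode(), os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """The domain controller (assumed model): holds every principal's key, user and service alike."""
    def __init__(self):
        self.keys = {}
    def register(self, principal: str, secret: str):
        self.keys[principal] = derive_key(secret)
    def ticket_for(self, user: str, service: str) -> bytes:
        session = os.urandom(16).hex()
        # Ticket: readable only by the PG service (encrypted under the service principal's key).
        ticket = seal(self.keys[service], {"user": user, "session": session})
        # Reply: readable only by whoever holds the user's key, i.e. knows the user's password.
        return seal(self.keys[user], {"session": session, "ticket": ticket.hex()})

def client_connect(kdc: KDC, user: str, password: str, service: str) -> dict:
    """Client side: the password becomes a key locally and never leaves this function."""
    reply = unseal(derive_key(password), kdc.ticket_for(user, service))
    auth = seal(bytes.fromhex(reply["session"]), {"user": user})
    return {"ticket": reply["ticket"], "auth": auth.hex()}  # the only data sent to PG

def pg_server_accept(service_key: bytes, msg: dict) -> str:
    """PG server side: needs only its own keytab key; it never sees or checks a password."""
    ticket = unseal(service_key, bytes.fromhex(msg["ticket"]))
    auth = unseal(bytes.fromhex(ticket["session"]), bytes.fromhex(msg["auth"]))
    if auth["user"] != ticket["user"]:
        raise ValueError("authenticator does not match ticket")
    return ticket["user"]
```

A wrong password makes unseal fail on the client before anything is sent, and a ticket sealed for a different service key is rejected by pg_server_accept.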