Re: User Authentication: LDAP and "local" accounts concurrently ?

----- Am 23. Nov 2018 um 22:44 schrieb Stephen Frost sfrost(at)snowman(dot)net:

> No, Kerberos/GSSAPI *never* transmits the user's password to the server.
> The user's password is actually used as an encryption key and is known
> only to the KDC (your domain controllers) and the user. The KDC and the
> PG server then share a different encryption key (the service principal).
> When the user wants to connect to PG they ask the KDC for a ticket which
> the KDC returns to the user as a blob which contains some information
> for the PG server encrypted with the PG server's key and then encrypts
> that and sends it to the user, who then decrypts it and uses it to
> connect to the PG server.
>
> How all of that works is a bit complicated but thankfully you don't
> really need to worry about that- Windows and Active Directory handle
> almost all of it. All you need to do is create a service principal in
> active directory for the PG server and then export it and copy it over
> to the PG server and then enable gssapi in PG.
>
> Thanks!
>
> Stephen

Hi Stephen,

thanks again for your answer. Does my client application (geneious, a bioinfromatic tool)
have to support Kerberos in any way ?

Bernd

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDirig.in Petra Steiner-Hoffmann
Stellv.Aufsichtsratsvorsitzender: MinDirig. Dr. Manfred Wolter
Geschaeftsfuehrer: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Heinrich Bassler, Dr. rer. nat. Alfons Enhsen
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671