Windows Single Sign On - LINUX Server

Started by Jeremy Palmer over 13 years ago, 7 messages, general
#1Jeremy Palmer
JPalmer@linz.govt.nz

Hi All,

We are currently running PostgreSQL 8.4 on Windows Server 2003 and are planning to move the instance to Ubuntu 10.4 - yay! At the same time we will also upgrade to 9.1. One nice feature that we leverage from the Windows configuration is the ability for Windows clients to use AD SSO, i.e. SSPI. This was really easy to set up and configure.

If we move to Linux, I was wondering if anyone could provide a howto reference or some tips on how to set up the auth configuration to provide SSO to Windows clients? I've read the GSSAPI/Kerberos authentication section of the docs, but the exact process to follow is still unclear to me. In particular, what would I need to configure on the Ubuntu server, and which tasks would need to be done on the Windows domain controller (which is managed by a third-party service provider who knows little about PostgreSQL or Ubuntu)?

We are using a Windows Server 2008 for the domain control. However, I know little about its setup or configuration; I only know it's our Windows domain realm.

Regards,
Jeremy
This message contains information, which is confidential and may be subject to legal privilege. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify us immediately (Phone 0800 665 463 or info@linz.govt.nz) and destroy the original message. LINZ accepts no responsibility for changes to this email, or for any attachments, after its transmission from LINZ. Thank You.

#2SUNDAY A. OLUTAYO
olutayo@sadeeb.com
In reply to: Jeremy Palmer (#1)
Re: Windows Single Sign On - LINUX Server

LDAP will be your best choice for SSO; Ubuntu Linux can authenticate against AD.

Also, this is OS stuff, not PostgreSQL. If your server is in production and you cannot handle this migration, it is advisable that you subscribe to support for Ubuntu from Canonical.

Thanks,

Sunday Olutayo


#3Craig Ringer
craig@2ndquadrant.com
In reply to: SUNDAY A. OLUTAYO (#2)
Re: Windows Single Sign On - LINUX Server

On 08/24/2012 06:10 PM, SUNDAY A. OLUTAYO wrote:

> LDAP will be your best choice for SSO, Ubuntu Linux can authenticate against AD.

I'm not at all convinced by that. Active Directory functions as a
Kerberos KDC. Kerberos provides secure authentication and (unlike LDAP)
single sign-on.

http://technet.microsoft.com/en-us/library/bb742516.aspx

Use Kerberos via GSSAPI. Here's a good starting point by Marcus:

http://www.hagander.net/talks/Deploying%20PostgreSQL%20in%20a%20Windows%20Enterprise.pdf

--
Craig Ringer

#4SUNDAY A. OLUTAYO
olutayo@sadeeb.com
In reply to: Craig Ringer (#3)
Re: Windows Single Sign On - LINUX Server

In real-world deployments, LDAP and Kerberos are often combined for authentication and authorization.

The link below is a well documented howto:

https://help.ubuntu.com/community/SingleSignOn

Thanks,

Sunday Olutayo


#5Jeremy Palmer
JPalmer@linz.govt.nz
In reply to: SUNDAY A. OLUTAYO (#4)
Re: Windows Single Sign On - LINUX Server

Marcus' guide looks great.

So what's the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method mentioned by Sunday?

#6Craig Ringer
craig@2ndquadrant.com
In reply to: Jeremy Palmer (#5)
Re: Windows Single Sign On - LINUX Server

On 08/25/2012 04:29 AM, Jeremy Palmer wrote:

> Marcus' guide looks great.
>
> So what's the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method mentioned by Sunday?

The method on the Ubuntu wiki applies to the host OS as a whole.

Pg will still need to know how to auth users. It's possible this'll work
via the "pam" authentication method on a system configured to auth users
against AD+LDAP or against Kerberos. I haven't tried. If so, that
approach is probably fine.

#7Chris Travers
chris.travers@gmail.com
In reply to: Jeremy Palmer (#5)
Re: Windows Single Sign On - LINUX Server

On Fri, Aug 24, 2012 at 1:29 PM, Jeremy Palmer <JPalmer@linz.govt.nz> wrote:

> Marcus' guide looks great.
>
> So what's the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method mentioned by Sunday?

Cons:

More complicated to set up.

There are a few odd things about AD and Kerberos that take some getting used to. For example, IIRC, systems get keys rather than services, so your keytab ends up showing identical keys for every service on a machine.

Pros:

Far more secure

True single-sign-on (users do not have to enter passwords).

Unlike LDAP does not require degrading DC security.

I would honestly go with GSSAPI.

It's not quite the same thing, but a paper I wrote (published by Microsoft!) is likely to be helpful here:

http://blogs.technet.com/b/port25/archive/2008/06/06/technical-analysis-openssh-on-linux-using-windows-kerberos-for-authentication.aspx

The paper discusses using Kerberized authentication for OpenSSH against AD. In principle, PostgreSQL should be relatively similar. The paper may be of help here.

Best Wishes,
Chris Travers
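The configuration below is an added worked example, not part of the thread or of any linked guide, showing what the "use Kerberos via GSSAPI" advice above looks like in practice and how it differs from the LDAP password method Chris contrasts it with. Host names (db01.corp.example.com, dc01.corp.example.com), the realm CORP.EXAMPLE.COM, the service account svc_pgsql, the map name "ad" and the 10.0.0.0/8 client range are all placeholders; the pg_hba.conf options (gss, include_realm, krb_realm, map), the krb_server_keyfile setting and the ktpass flags are the real ones for PostgreSQL 9.1 and Windows Server 2008.

```conf
# ---- On the Windows domain controller (done by the AD admin, cmd.exe) ----
# Register the SPN postgres/<db host FQDN> on a service account and export its
# key. PostgreSQL's default Kerberos service name is "postgres".
#   ktpass /princ postgres/db01.corp.example.com@CORP.EXAMPLE.COM ^
#          /mapuser svc_pgsql@CORP.EXAMPLE.COM /pass * ^
#          /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out postgres.keytab
# Copy postgres.keytab to the Ubuntu host over a secure channel; it is a
# long-term secret equivalent to the service account's password.

# ---- /etc/krb5.conf on the Ubuntu host ----
[libdefaults]
    default_realm  = CORP.EXAMPLE.COM
    dns_lookup_kdc = true      # AD publishes its KDCs in DNS SRV records

# ---- postgresql.conf ----
# File must be readable by the postgres OS user only (chmod 0400).
krb_server_keyfile = '/etc/postgresql/9.1/main/postgres.keytab'

# ---- pg_hba.conf ----
# WEAK (what "LDAP auth" means for PostgreSQL): the client sends its AD
# password to PostgreSQL, which binds to the DC with it. Not single sign-on,
# and the database server handles every user's domain password.
# host    all  all  10.0.0.0/8  ldap ldapserver=dc01.corp.example.com ldapsuffix="@corp.example.com"

# STRONG: the client presents a Kerberos service ticket (Windows clients get
# it from SSPI at logon); no password reaches PostgreSQL. krb_realm rejects
# principals from other realms, include_realm=1 keeps the realm in the name so
# the ident map can match it. hostssl because GSSAPI here only authenticates;
# TLS protects the session.
hostssl all  all  10.0.0.0/8  gss include_realm=1 krb_realm=CORP.EXAMPLE.COM map=ad

# ---- pg_ident.conf ----
# Maps jsmith@CORP.EXAMPLE.COM -> database role jsmith, and nothing else.
# MAPNAME  SYSTEM-USERNAME                  PG-USERNAME
ad         /^(.*)@CORP\.EXAMPLE\.COM$       \1
```

After reloading, `klist -k /etc/postgresql/9.1/main/postgres.keytab` on the Ubuntu host should list the postgres/db01.corp.example.com principal, and a Windows client that is logged on to the domain connects with `psql -h db01.corp.example.com` and no password prompt; a connection attempt from a principal in another realm is refused by the krb_realm check before any role mapping happens.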