psycopg2 and java gssapi questions
Is it possible to authenticate with Postgres from a standalone application using gssapi? In other words, I am able to authenticate with Postgres when a human has logged in to either Windows or Linux and generated a ticket, but is it possible for say a Django site or Java application running on some server somewhere to authenticate with Postgres using gssapi? I realize that psycopg2 has a connection parameter for “krbsrvname”, but how does it generate a ticket? Is this the only alternative to secure authentication since Postgres does not support secure ldap (ldaps)?
Hello,
have a look at
https://www.postgresql.org/docs/current/static/auth-methods.html
There are details about LDAP and GSSAPI.
On 20.12.2017 20:42, Mike Feld wrote:
Is it possible to authenticate with Postgres from a standalone
application using gssapi? In other words, I am able to authenticate with
Postgres when a human has logged in to either Windows or Linux and
generated a ticket, but is it possible for say a Django site or Java
application running on some server somewhere to authenticate with
Postgres using gssapi? I realize that psycopg2 has a connection
parameter for “krbsrvname”, but how does it generate a ticket? Is this
the only alternative to secure authentication since Postgres does not
support secure ldap (ldaps)?
This shows you how to set up GSSAPI authentication server side, which I have already done and have working. My question is from client side, without a human logged in to generate the ticket.
Hello,
have a look at
https://www.postgresql.org/docs/current/static/auth-methods.html
There are details about LDAP and GSSAPI.
On 20.12.2017 20:42, Mike F wrote:
Is it possible to authenticate with Postgres from a standalone
application using gssapi? In other words, I am able to authenticate with
Postgres when a human has logged in to either Windows or Linux and
generated a ticket, but is it possible for say a Django site or Java
application running on some server somewhere to authenticate with
Postgres using gssapi? I realize that psycopg2 has a connection
parameter for “krbsrvname”, but how does it generate a ticket? Is this
the only alternative to secure authentication since Postgres does not
support secure ldap (ldaps)?
On 20/12/2017 21:42, Mike Feld wrote:
Is this the only alternative to secure authentication since Postgres does not support secure ldap (ldaps)?
Have you checked out: ldaptls parameter? https://www.postgresql.org/docs/10/static/auth-methods.html#AUTH-LDAP
--
Achilleas Mantzios
IT DEV Lead
IT DEPT
Dynacom Tankers Mgmt
On Wed, Dec 20, 2017 at 8:42 PM, Mike Feld <m1f7@aol.com> wrote:
Is it possible to authenticate with Postgres from a standalone application
using gssapi? In other words, I am able to authenticate with Postgres when
a human has logged in to either Windows or Linux and generated a ticket,
but is it possible for say a Django site or Java application running on
some server somewhere to authenticate with Postgres using gssapi? I realize
that psycopg2 has a connection parameter for “krbsrvname”, but how does it
generate a ticket? Is this the only alternative to secure authentication
since Postgres does not support secure ldap (ldaps)?
Sure it is.
libpq won't generate the initial ticket, though. The way to do it is to
have your django or whatever application run "kinit" for the user before it
starts. This will request a TGT, and the ticket will be present in that
user's environment, and will be used by the libpq client. (it might look
slightly different for a Java client, but the principle is the same)
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
On 21 December 2017 at 05:27, Magnus Hagander <magnus@hagander.net> wrote:
On Wed, Dec 20, 2017 at 8:42 PM, Mike Feld <m1f7@aol.com> wrote:
Is it possible to authenticate with Postgres from a standalone
application using gssapi? In other words, I am able to authenticate with
Postgres when a human has logged in to either Windows or Linux and
generated a ticket, but is it possible for say a Django site or Java
application running on some server somewhere to authenticate with Postgres
using gssapi? I realize that psycopg2 has a connection parameter for
“krbsrvname”, but how does it generate a ticket? Is this the only
alternative to secure authentication since Postgres does not support secure
ldap (ldaps)?
Sure it is.
libpq won't generate the initial ticket, though. The way to do it is to
have your django or whatever application run "kinit" for the user before it
starts. This will request a TGT, and the ticket will be present in that
users environment, and will be used by the libpq client. (it might look
slightly different for a Java client, but the principle is the same)
JDBC docs on GSSAPI can be found
https://jdbc.postgresql.org/documentation/head/connect.html
Dave Cramer
davec@postgresintl.com
www.postgresintl.com
Magnus, Mike,
* Magnus Hagander (magnus@hagander.net) wrote:
On Wed, Dec 20, 2017 at 8:42 PM, Mike Feld <m1f7@aol.com> wrote:
Is it possible to authenticate with Postgres from a standalone application
using gssapi? In other words, I am able to authenticate with Postgres when
a human has logged in to either Windows or Linux and generated a ticket,
but is it possible for say a Django site or Java application running on
some server somewhere to authenticate with Postgres using gssapi? I realize
that psycopg2 has a connection parameter for “krbsrvname”, but how does it
generate a ticket? Is this the only alternative to secure authentication
since Postgres does not support secure ldap (ldaps)?
Sure it is.
Yup.
libpq won't generate the initial ticket, though. The way to do it is to
have your django or whatever application run "kinit" for the user before it
starts. This will request a TGT, and the ticket will be present in that
users environment, and will be used by the libpq client. (it might look
slightly different for a Java client, but the principle is the same)
You would actually want to use a keytab and then kstart/k5start to make
sure that you've always got a valid ticket. Just doing a kinit would
mean that the TGT will eventually expire and cause connections to fail.
Thanks!
Stephen
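The keytab approach described in the replies above, sketched as an added example that is not part of the original thread or of psycopg2: before connecting, the application checks its own credential cache and requests a fresh TGT from a keytab when the cache is empty or expired. The principal, keytab path, cache path, host and database names are hypothetical.

```python
import os
import stat
import subprocess

# Assumed, hypothetical values: replace with your own principal, keytab and cache.
PRINCIPAL = "svc_django@EXAMPLE.COM"
KEYTAB = "/etc/myapp/svc_django.keytab"
CCACHE = "FILE:/run/myapp/krb5cc_svc_django"


def keytab_is_private(path):
    """A keytab is a long-term secret: refuse one readable by group or others."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and (mode & 0o077) == 0


def ensure_ticket(principal, keytab, ccache, run=subprocess.run):
    """Return True if a new TGT was requested, False if the cache was still valid."""
    env = dict(os.environ, KRB5CCNAME=ccache)
    # `klist -s` prints nothing and exits 0 only when the cache holds valid credentials.
    if run(["klist", "-s"], env=env).returncode == 0:
        return False
    if not keytab_is_private(keytab):
        raise PermissionError(f"{keytab} must not be accessible to group or others")
    # -k -t: take the key from the keytab instead of prompting for a password.
    run(["kinit", "-k", "-t", keytab, "-c", ccache, principal], env=env, check=True)
    return True


def connect(dsn, principal=PRINCIPAL, keytab=KEYTAB, ccache=CCACHE):
    """Refresh the ticket if needed, then let libpq use it through KRB5CCNAME."""
    import psycopg2  # imported here so the helpers above work without it
    ensure_ticket(principal, keytab, ccache)
    os.environ["KRB5CCNAME"] = ccache  # the GSSAPI library under libpq reads this
    return psycopg2.connect(dsn)


if __name__ == "__main__":
    # Hypothetical host and database; krbsrvname is the libpq parameter from the thread.
    conn = connect("host=db.example.com dbname=app user=svc_django krbsrvname=postgres")
    print(conn.get_dsn_parameters()["user"])
```

Calling `connect` each time a new database connection is opened keeps the cache fresh from inside the process; running the service under k5start, as suggested above, does the same job from outside it.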
What about when the ticket expires? Are there any libraries that manage this for the application? Is this common practice by anyone?
Mike
-----Original Message-----
From: Dave Cramer <pg@fastcrypt.com>
To: Magnus Hagander <magnus@hagander.net>
Cc: Mike Feld <m1f7@aol.com>; pgsql-general <pgsql-general@lists.postgresql.org>
Sent: Thu, Dec 21, 2017 6:09 am
Subject: Re: psycopg2 and java gssapi questions
On 21 December 2017 at 05:27, Magnus Hagander <magnus@hagander.net> wrote:
On Wed, Dec 20, 2017 at 8:42 PM, Mike Feld <m1f7@aol.com> wrote:
Is it possible to authenticate with Postgres from a standalone application using gssapi? In other words, I am able to authenticate with Postgres when a human has logged in to either Windows or Linux and generated a ticket, but is it possible for say a Django site or Java application running on some server somewhere to authenticate with Postgres using gssapi? I realize that psycopg2 has a connection parameter for “krbsrvname”, but how does it generate a ticket? Is this the only alternative to secure authentication since Postgres does not support secure ldap (ldaps)?
Sure it is.
libpq won't generate the initial ticket, though. The way to do it is to have your django or whatever application run "kinit" for the user before it starts. This will request a TGT, and the ticket will be present in that users environment, and will be used by the libpq client. (it might look slightly different for a Java client, but the principle is the same)
JDBC docs on GSSAPI can be found https://jdbc.postgresql.org/documentation/head/connect.html
Dave Cramer
davec@postgresintl.com
www.postgresintl.com