LDAP, single sign on from Windows client

Started by Hans Schou, about 5 years ago, 2 messages, general
#1 Hans Schou
hans.schou@gmail.com

Hi

I have a Linux server which is set up with authentication via LDAP against a
Windows A/D. In pg_hba I have
host ... ldap ldapserver=example.org ldapprefix="" ldapsuffix="@example.org"

The user is also created in PostgreSQL but without a password.
I can then log in with psql from a Windows client with a user defined in the
AD.

But the problem is that psql asks for a password.
Is it possible to make a single sign-on without the password prompt?

The Linux (Ubuntu) has been joined to the domain with "realm" but it
doesn't seem to change anything.

best regards
Hans Schou

#2 Stephen Frost
sfrost@snowman.net
In reply to: Hans Schou (#1)
Re: LDAP, single sign on from Windows client

Greetings,

* chlor (hans.schou@gmail.com) wrote:

> I have a Linux server which is set up with authentication via LDAP against a
> Windows A/D. In pg_hba I have
> host ... ldap ldapserver=example.org ldapprefix="" ldapsuffix="@example.org"
>
> The user is also created in PostgreSQL but without a password.
> I can then log in with psql from a Windows client with a user defined in the
> AD.
>
> But the problem is that psql asks for a password.
> Is it possible to make a single sign-on without the password prompt?

Yes, use GSSAPI based authentication instead of LDAP. Using GSSAPI is
also more secure and avoids sending the user's password to the PG
server.

PG Docs: https://www.postgresql.org/docs/current/gssapi-auth.html

Blog I wrote about setting it up:

https://blog.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication

Thanks,

Stephen
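
An added configuration sketch of the switch suggested in the reply above, showing the LDAP rule from the question beside a GSSAPI rule (this is not taken from either post or from the linked blog). The client address range, the upper-case realm EXAMPLE.ORG, and the keytab path are assumptions; the keytab must hold the server's service principal, and the PostgreSQL role name must match the AD user name once the realm is stripped.

```conf
# ---- pg_hba.conf ----------------------------------------------------------
# Before (rule from the question, kept as posted): psql prompts for the AD
# password and sends it to the PostgreSQL server, which binds to AD with it.
# host ... ldap ldapserver=example.org ldapprefix="" ldapsuffix="@example.org"

# After: the Windows client presents the Kerberos ticket it already holds
# from the domain logon, so there is no prompt and no password reaches the
# PostgreSQL server.
#   192.0.2.0/24      constructed client range (assumption)
#   krb_realm         only accept principals from this realm (assumption:
#                     the AD realm is the upper-cased domain name)
#   include_realm=0   strip "@EXAMPLE.ORG" so user@EXAMPLE.ORG maps to the
#                     PostgreSQL role "user"
host  all  all  192.0.2.0/24  gss include_realm=0 krb_realm=EXAMPLE.ORG

# ---- postgresql.conf ------------------------------------------------------
# Keytab containing the key for the server's service principal,
# postgres/<server FQDN>@EXAMPLE.ORG by default. The path is an assumption.
# Keep the file readable only by the account that runs PostgreSQL.
krb_server_keyfile = '/etc/postgresql/postgres.keytab'
```

Clients need to connect using the server's fully qualified host name so that the requested service principal matches the one in the keytab.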