Re: User Authentication: LDAP and "local" accounts concurrently ?

Greetings,

* Lentes, Bernd (bernd.lentes@xxxxxxxxxxxxxxxxxxxxx) wrote:
> ----- Am 23. Nov 2018 um 22:44 schrieb Stephen Frost sfrost@xxxxxxxxxxx:
> > No, Kerberos/GSSAPI *never* transmits the user's password to the server.
> > The user's password is actually used as an encryption key and is known
> > only to the KDC (your domain controllers) and the user.  The KDC and the
> > PG server then share a different encryption key (the service principal).
> > When the user wants to connect to PG they ask the KDC for a ticket which
> > the KDC returns to the user as a blob which contains some information
> > for the PG server encrypted with the PG server's key and then encrypts
> > that and sends it to the user, who then decrypts it and uses it to
> > connect to the PG server.
> > 
> > How all of that works is a bit complicated but thankfully you don't
> > really need to worry about that- Windows and Active Directory handle
> > almost all of it.  All you need to do is create a service principal in
> > active directory for the PG server and then export it and copy it over
> > to the PG server and then enable gssapi in PG.
> 
> thanks again for your answer. Does my client application (geneious, a bioinformatic tool)
> have to support Kerberos in any way?

Yes, but it might already have it, depending on what library is being
used to talk to PostgreSQL.  The C library interface for PG, libpq, for
example, supports Kerberos and just has to be built with it (which most
versions you'll find have been).  If the application is JDBC and uses
the PostgreSQL JDBC driver, that also supports Kerberos.  If the
application is written in another language like Perl or Python and is
using the common libraries for those (DBD::Pg, psycopg2), which use
libpq underneath, then it depends on the way that version of libpq was
built, but, again, most of the libpq builds out there support Kerberos.

I don't know anything about geneious, but hopefully it's using libpq or
JDBC in some fashion and already has Kerberos support thanks to those
libraries having it.

Thanks!

Stephen
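Added example, not code from this thread or from the PostgreSQL project: a small POSIX shell script a DBA can use to confirm the prerequisites the reply describes before debugging a Kerberos login. It checks whether the local libpq was built with GSSAPI (via `pg_config --configure`), whether the server's `pg_hba.conf` carries a `gss` rule, whether a Kerberos ticket is present (`klist -s`), and then attempts a password-less `psql` connection. The `include_realm=0` and `krb_realm` options are real `pg_hba.conf` options; the realm `EXAMPLE.COM`, the address range and the sample `pg_hba.conf` text are constructed placeholders. The live check only runs when `PGHOST` is set; the server side additionally needs `krb_server_keyfile` pointing at the exported service-principal keytab, which is the "export it and copy it over" step in the quoted reply.

```shell
#!/bin/sh
# Added example, not from the thread or from PostgreSQL itself.
# Two pure helpers inspect text (so they can be checked offline); one
# environment check uses the real tools (pg_config, klist, psql) and runs
# only when PGHOST is set.

# Returns 0 if the output of `pg_config --configure` shows libpq was built
# with GSSAPI (Kerberos) support.
configure_has_gssapi() {
  printf '%s\n' "$1" | grep -q -- '--with-gssapi'
}

# Returns 0 if the pg_hba.conf text contains an active host* rule whose
# METHOD column is gss (columns: TYPE DATABASE USER ADDRESS METHOD [OPTIONS]).
hba_has_gss_rule() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^host/ && $5 == "gss" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample pg_hba.conf; realm and address range are placeholders.
# include_realm=0 strips @EXAMPLE.COM from the principal so it maps to the
# plain database role name; krb_realm rejects principals from other realms.
SAMPLE_HBA='# TYPE  DATABASE  USER  ADDRESS      METHOD
host    all       all   10.0.0.0/8   gss include_realm=0 krb_realm=EXAMPLE.COM'

# Live check against a real environment: needs PGHOST and a Kerberos ticket.
check_gss_client() {
  conf=$(pg_config --configure 2>/dev/null) || { echo "pg_config not found"; return 1; }
  configure_has_gssapi "$conf" || { echo "libpq was built without --with-gssapi"; return 1; }
  klist -s || { echo "no valid Kerberos ticket in the cache; run kinit first"; return 1; }
  # No password is supplied: libpq presents the service ticket for postgres/<host>
  # obtained from the KDC, exactly as described in the reply above.
  psql "host=$PGHOST dbname=${PGDATABASE:-postgres}" -Atc 'select current_user'
}

if [ -n "${PGHOST:-}" ]; then
  check_gss_client
fi
```

If `configure_has_gssapi` fails for the libpq your application links against, Kerberos cannot work regardless of the server configuration, which is the first thing to establish for a tool like geneious whose build of libpq or JDBC you do not control.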
