Re: GSSAPI authentication on Redhat8 and PostgreSQL15/16


 



Hi Stephen,

Good morning, and thanks for the clarification. 
Apologies for top-posting on these lists; however, I was not able to find the subscription for pgsql-admin@xxxxxxxxxxxxxx in the subscription list. As a result, I replied to the above email. I will start a new email thread if I have any questions or doubts.

Regards,
Yee Yee

On Mon, Nov 20, 2023 at 7:53 PM Stephen Frost <sfrost@xxxxxxxxxxx> wrote:
Greetings,

Please don’t top-post on these lists.

On Mon, Nov 20, 2023 at 01:40 Yee Yee ( 舒兰) <sweety.soul7@xxxxxxxxx> wrote:
For item 5, I would like to confirm whether I need to apply both TLS/SSL and GSSAPI authentication or if applying GSSAPI authentication alone is sufficient.

This depends on what you’re doing, exactly, and what your goals are. If you want encryption from a Windows client to a PG server then you’d probably want to use TLS/SSL to provide that encryption and then use GSSAPI for authentication. You wouldn’t be using TLS/SSL for the client’s authentication, just for encryption.

According to your post, do I only need to create one user 'pg1postgres' and generate one keytab file with this user? After that, should I map all the Windows users (we have 200+ users) with 'pg1postgres' inside pg_ident.conf?

You just need to have the one user in AD and the one keytab which you then transfer to the PG server. That user in AD is essentially “the postgres server”; it’s not a regular user account.

Once it’s all set up, you need to create your regular user accounts in PG for those users who are allowed to log into the PG server. There are some tools out there to help with syncing user accounts and groups between PG and AD, eg: pg_ldap_sync: 
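
The split described in the thread (TLS/SSL for encryption, GSSAPI for authentication) is enforced in pg_hba.conf by the connection type on each `gss` rule. The following is an added example, not part of the original thread: a Python check that lists `gss` rules and reports whether their connection type only matches an encrypted transport. The sample file, realm, networks and map name are constructed placeholders.

```python
import shlex

# Connection types whose rule only matches an encrypted transport.
ENCRYPTED_TYPES = {"hostssl", "hostgssenc"}
HOST_TYPES = ENCRYPTED_TYPES | {"host", "hostnossl", "hostnogssenc"}
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
           "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

def audit_gss_rules(hba_text):
    """Return (line_no, conn_type, options, encrypted) for every gss rule."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        # shlex handles quoted values and drops '#' comments.
        fields = shlex.split(raw, comments=True)
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue
        # The address is either CIDR (one field) or IP plus netmask (two).
        idx = 4 if fields[4] in METHODS else 5
        if idx >= len(fields) or fields[idx] != "gss":
            continue
        options = dict(o.split("=", 1) for o in fields[idx + 1:] if "=" in o)
        findings.append((line_no, fields[0], options,
                         fields[0] in ENCRYPTED_TYPES))
    return findings

# Constructed sample; realm, networks and map name are placeholders.
SAMPLE_HBA = """\
# TYPE   DATABASE USER ADDRESS       METHOD
local    all      postgres           peer
hostssl  all      all  10.0.0.0/8    gss include_realm=0 krb_realm=EXAMPLE.COM
host     all      all  10.0.0.0/8    gss include_realm=0 krb_realm=EXAMPLE.COM
host     all      all  192.168.1.0 255.255.255.0 gss map=ad
hostssl  all      all  0.0.0.0/0     scram-sha-256
"""

if __name__ == "__main__":
    for line_no, conn_type, options, encrypted in audit_gss_rules(SAMPLE_HBA):
        status = "ok" if encrypted else "encryption not enforced"
        print(f"line {line_no}: {conn_type} gss {options} -> {status}")
```

A plain `host` rule matches both TLS and non-TLS connections, so a `gss` rule on `host` authenticates the user without requiring that the session be encrypted.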
