Re: pg_ident mapping Kerberos Usernames

On Sun, Sep 10, 2017 at 11:25 AM, <techmail+pgsql@xxxxxxxxxxxxxxxxx> wrote:
On 09/10/2017 02:39 AM, Magnus Hagander wrote:
On Sat, Sep 9, 2017 at 6:44 PM, <techmail+pgsql@dangertoaster.com> wrote:

    Hi,

    I'm trying to get pg_ident to map "user1" and "user1@xxxxxxxxxxxx" to "user1" in postgres, or
    vice versa. I'm not picky about which way works.

    Kerberos authentication works. I've gotten "user1" to login successfully with a Kerberos ticket,
    but I'm not able to get "user1@xxxxxxxxxxxx" to match.

    Environment:
    * PostgreSQL 9.6 from PostgreSQL repos
    * CentOS 7
    * FreeIPA for Kerberos, LDAP, etc.
    * Realm A.DOMAIN.TLD
    * "user1" database exists
    * "user1" role exists
    * On CentOS, login usernames are configured to drop the domain, so they appear as "user1" rather than "user1@xxxxxxxxxxxx".


    pg_hba.conf:

    local   all             postgres                                peer
    host    all             all             127.0.0.1/32            md5
    host    all             all             ::1/128                 md5
    host    all             all             192.168.1.0/24          gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD   # This is on one line. Thunderbird is truncating lines.


    pg_ident.conf:

    testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
    testnet    /^([0-9A-Za-z_-]+)$     \1


    Regex that works for both in regexr.com:

    /^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm


    Command and lines from pg_log:

    $ psql -h db0 # Logged in as user1 with Kerberos ticket

    < 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG:  connection received: host=192.168.1.201 port=44918
    < 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG:  connection authorized: user=user1 database=user1
    < 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG:  disconnection: session time: 0:00:01.537 user=user1 database=user1 host=192.168.1.201 port=44918

    $ psql -h db0 -U user1@xxxxxxxxxxxx # Logged in as user1 with Kerberos ticket

    < 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG:  connection received: host=192.168.1.201 port=44920
    < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@xxxxxxxxxxxx > LOG:  no match in usermap "testnet" for user "user1@xxxxxxxxxxxx" authenticated as "user1@xxxxxxxxxxxx"
    < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@xxxxxxxxxxxx > FATAL:  GSSAPI authentication failed for user "user1@xxxxxxxxxxxx"
    < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@xxxxxxxxxxxx > DETAIL:  Connection matched pg_hba.conf line 87: "host   all   all   192.168.1.0/24   gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD"


    Is this something that is possible, or is it something where I need to pick one way to do it?


This looks like you are trying to connect with the actual username user1@A.DOMAIN.TLD. pg_ident only sets what you are allowed to log in as, not what it will attempt.

If you are using psql, you are probably doing something like "psql -h myserver". You need to add the user, so "psql -h myserver -U user1", to instruct it of which username to actually use for the login.

--
  Magnus Hagander
  Me: https://www.hagander.net/
  Work: https://www.redpill-linpro.com/

Hi Magnus,

Yes, the system username is "user1", per the default ipa-client-install SSSD setup, and the map is working for that. Without the map, I have to specify the full Kerberos username, user@xxxxxxxxxx, in the psql command.

Works with map:

$ psql -h db0     #Implied -U user1 -d user1
$ psql -h db0 -U user1 -d user1

Does not work with map:

$ psql -h db0 -U user1@xxxxxxxxxxxx -d user1

If you want that to work with the map, then you need to change the map to add the domain, rather than removing it, which is what you currently do.

But it is hard to figure out what it is you actually want.  You listed some cases that work and some that don't, but haven't said which ones you want to work and which you want not to work.  (Presumably if you want **all** cases to work, you would just use 'trust' and be done with it.)
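
The behaviour both replies describe (a usermap is an allow-list that decides which roles an authenticated principal may become, it never changes the role psql asked for) can be reproduced offline. The script below is an added example, not code from the thread or from PostgreSQL: a toy re-implementation of the documented pg_ident.conf rules (a system-username beginning with "/" is a regex against the authenticated name, "\1" in the pg-username is replaced by the first capture group, the result must equal the requested role). It runs the map exactly as posted, and a variant that also permits the "-U user1@A.DOMAIN.TLD" form, over the two psql invocations from the log plus one the map must refuse. Assumptions: the realm is A.DOMAIN.TLD as in the Environment list (the archive masks it elsewhere), Python's `re` stands in for PostgreSQL's regex engine (identical results for these patterns), comparison is case-sensitive (PostgreSQL's GSSAPI default), and a role named user1@A.DOMAIN.TLD would have to be created for the second variant to actually log in. Note that with include_realm=1 the authenticated name always carries the realm, so the second line of the posted map can never match anything.

```python
"""Toy model of PostgreSQL's pg_ident.conf usermap check (added example,
not PostgreSQL's code). Rules, as documented for pg_ident.conf: a
system-username starting with "/" is a regular expression matched against
the authenticated name; "\\1" in the pg-username is replaced by the first
capture group; the result must equal the role the client asked for. A
usermap is an allow-list: it says which roles a principal MAY become, it
never changes the role the client requested."""
import re
from typing import Dict, List, NamedTuple


class IdentLine(NamedTuple):
    mapname: str
    system_username: str
    pg_username: str


def parse_pg_ident(text: str) -> List[IdentLine]:
    """Parse pg_ident.conf text: '#' comments and blank lines are ignored,
    every other line is MAPNAME SYSTEM-USERNAME PG-USERNAME."""
    parsed = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        parsed.append(IdentLine(*fields))
    return parsed


def check_usermap(ident: List[IdentLine], mapname: str,
                  auth_user: str, requested_role: str) -> bool:
    """True if usermap MAPNAME lets AUTH_USER (the name GSSAPI verified,
    realm included because include_realm=1) log in as REQUESTED_ROLE
    (psql's -U value). Case-sensitive, PostgreSQL's default for GSSAPI."""
    for line in ident:
        if line.mapname != mapname:
            continue
        if line.system_username.startswith("/"):
            # Python's re stands in for PostgreSQL's regex engine (assumption);
            # the patterns in this thread behave identically in both.
            pattern = line.system_username[1:]
            m = re.search(pattern, auth_user)  # not implicitly anchored
            if not m:
                continue
            if "\\1" in line.pg_username:
                if m.lastindex is None:
                    raise ValueError(f"{pattern!r} has no group for \\1")
                candidate = line.pg_username.replace("\\1", m.group(1))
            else:
                candidate = line.pg_username
        else:
            if line.system_username != auth_user:
                continue
            candidate = line.pg_username
        if candidate == requested_role:
            return True
    return False


# The map exactly as posted in the thread.
POSTED_MAP = r"""
testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
testnet    /^([0-9A-Za-z_-]+)$     \1
"""

# A map that allows both -U forms. The second line is an identity mapping;
# the role "user1@A.DOMAIN.TLD" must also exist in the database (an
# assumption here: the thread only mentions a "user1" role).
BOTH_FORMS_MAP = r"""
testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1@A.DOMAIN.TLD
"""

# What include_realm=1 hands to the map; the realm is the one from the
# Environment list in the original post.
AUTH_USER = "user1@A.DOMAIN.TLD"


def thread_cases(ident_text: str) -> Dict[str, bool]:
    """Evaluate the thread's two psql invocations, plus one a usermap must
    refuse: the same principal asking to become the superuser role."""
    ident = parse_pg_ident(ident_text)
    return {
        "psql -h db0": check_usermap(ident, "testnet", AUTH_USER, "user1"),
        "psql -h db0 -U user1@A.DOMAIN.TLD":
            check_usermap(ident, "testnet", AUTH_USER, AUTH_USER),
        "psql -h db0 -U postgres":
            check_usermap(ident, "testnet", AUTH_USER, "postgres"),
    }


if __name__ == "__main__":
    for title, ident_text in (("posted map", POSTED_MAP),
                              ("map allowing both forms", BOTH_FORMS_MAP)):
        print(title)
        for cmd, allowed in thread_cases(ident_text).items():
            print(f"  {cmd:<38} {'allowed' if allowed else 'no match in usermap'}")
```

With the posted map the plain `psql -h db0` case is allowed and the `-U user1@A.DOMAIN.TLD` case produces the same "no match in usermap" outcome as the log, because every line maps the principal to the bare `user1` and nothing maps it to the realm-qualified name. The `-U postgres` case stays refused under both maps, which is the property worth keeping when loosening a map: widening what a principal may become is done by adding explicit target lines, never by a catch-all.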


