Magnus, Mike,

* Magnus Hagander (magnus@xxxxxxxxxxxx) wrote:
> On Wed, Dec 20, 2017 at 8:42 PM, Mike Feld <m1f7@xxxxxxx> wrote:
>
> > Is it possible to authenticate with Postgres from a standalone application
> > using gssapi? In other words, I am able to authenticate with Postgres when
> > a human has logged in to either Windows or Linux and generated a ticket,
> > but is it possible for say a Django site or Java application running on
> > some server somewhere to authenticate with Postgres using gssapi? I realize
> > that psycopg2 has a connection parameter for “krbsrvname”, but how does it
> > generate a ticket? Is this the only alternative to secure authentication
> > since Postgres does not support secure ldap (ldaps)?
>
> Sure it is.

Yup.

> libpq won't generate the initial ticket, though. The way to do it is to
> have your django or whatever application run "kinit" for the user before it
> starts. This will request a TGT, and the ticket will be present in that
> user's environment, and will be used by the libpq client. (it might look
> slightly different for a Java client, but the principle is the same)

You would actually want to use a keytab and then kstart/k5start to make
sure that you've always got a valid ticket. Just doing a kinit would
mean that the TGT will eventually expire and cause connections to fail.

Thanks!

Stephen
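
Added example, not part of the original thread: a launcher that starts a service under k5start with a keytab, as suggested in the reply above, so the ticket cache libpq reads is kept valid for the life of the process. The paths, the K5START and APP_* variables and the service command are hypothetical; the keytab permission check is an extra precaution added here.

```sh
#!/bin/sh
# Added example: run a service under k5start so libpq always finds a valid
# ticket. Paths, the K5START override and the service command are hypothetical.

# A keytab is a long-term credential: refuse one that is missing or that
# group/other can read or write.
keytab_is_private() {
    keytab=$1
    [ -f "$keytab" ] || return 1
    loose=$(find "$keytab" -prune \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print)
    [ -z "$loose" ]
}

# run_with_ticket KEYTAB CCACHE COMMAND [ARGS...]
#   -f  keytab to authenticate from (no password prompt)
#   -U  use the first principal stored in that keytab
#   -k  ticket cache to maintain
#   -K  wake every 10 minutes and get a new ticket if the old one is expiring
run_with_ticket() {
    kt=$1; cc=$2; shift 2
    if ! keytab_is_private "$kt"; then
        echo "refusing keytab $kt: missing or accessible to group/other" >&2
        return 1
    fi
    # The GSSAPI library used by libpq reads the cache named by KRB5CCNAME.
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    exec "${K5START:-k5start}" -f "$kt" -U -k "$KRB5CCNAME" -K 10 -- "$@"
}

# Hypothetical use:
#   APP_KEYTAB=/etc/myapp/myapp.keytab sh launch.sh gunicorn mysite.wsgi
if [ -n "${APP_KEYTAB:-}" ]; then
    run_with_ticket "$APP_KEYTAB" "${APP_CCACHE:-/run/myapp/krb5cc}" "$@"
fi
```

The service started this way connects with an ordinary libpq connection string and no password; pg_hba.conf on the server must use the gss method for that client.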