Hi, thanks for the answer. Below my comment

> -----Original Message-----
> From: Magnus Hagander [mailto:mha@xxxxxxxxxxxxxx]
> Sent: Friday, 12 August 2005 12:56
> To: Ronzani Dario; pgsql-general@xxxxxxxxxxxxxx
> Subject: RE: Linux Postgres authentication against
> active directory
>
>
> > Hi to all,
> >
> > Actually I try to authenticate my Linux Postgres installation
> > against Active Directory, I find 3 solutions to use:
> >
> > 1) LDAP
> > 2) Pam and Kerberos
> > 3) Kerberos alone
>
> (3) is the one I've been using, and it works very well. I've
> been working on a HOWTO, but it's not done yet.
>
> Note that if your clients are on win32, you need at least
> version 8.0.2.

Great to know that someone is able to use this solution. I don't have any client; my application is a web (php, java) application with a request for AD (or ldap, depending on the customer) user authentication.

> >
> > For the 2 kerberos solutions I don't find too much
> > documentation, I try to compile postgres with kerberos using
> > this configure flag:
> >
> > --with-krb5=/usr/
> > --with-includes=/usr/include/
> > --with-libraries=/usr/lib/
> >
> > My kerberos installation is in
> > /usr/bin and /usr/sbin for the binary
> > /usr/lib/ libkrb5.* and
> > libk5crypto.so
> > and libkadm5
> > /usr/include/ krb5.h header file
> >
> > But seems that I miss something because when I put the krb5
> > word in the pg_hba.conf and I try to connect the system gives
> > me the error:
>
> For AD to do proper interop, the SPN has to be in uppercase.
> For this you need to recompile postgresql using
> --with-krbsrvnam=POSTGRES on both client and server. (You
> will be able to change this at runtime in 8.1)
>
> Naturally you will have to recreate the service account in AD
> with the proper SPN.

My fear is that I have misunderstood how Kerberos works. I understand that I must kerberize the postgres application to give it access to AD; then do I need to create a principal for every user that needs to authenticate?
This is my principal on the linux box; as you say (I think), I created this principal in uppercase:

    ktutil:  rkt /usr/etc/postgresql/krb5.keytab
    ktutil:  list
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    3 POSTGRES/onet003@xxxxxxxxxxx
       2    3 RONZANID/onet003@xxxxxxxxxxx

Maybe my problem is related to these compilation lines?

    checking for library containing com_err... -lkrb5
    checking for library containing krb5_encrypt... none required
    checking for library containing krb5_sendauth... none required
    checking krb5.h usability... yes
    checking krb5.h presence... yes
    checking for krb5.h... yes
    checking for krb5_ticket.enc_part2... yes
    checking for krb5_error.text.data... yes

In particular I refer to krb5_encrypt and krb5_sendauth.

With more debug I received this error when I try to authenticate:

    postgres: Bad application version was sent (via sendauth) from krb5_recvauth

Thanks
Dario

>
> //Magnus
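The following is an added example, not part of the original messages: it checks a `ktutil` listing like the one above for the service principal the server expects, comparing the service part case-sensitively because the quoted reply says the name must be uppercase (POSTGRES) for AD. The function name `check_keytab_spn` and the realm `EXAMPLE.COM` are assumptions; the sample listing is constructed.

```shell
#!/usr/bin/env bash
# Added example: look for <service>/<host>@<REALM> in a ktutil "list" dump
# and report whether the service part matches exactly, differs only in
# case, or is absent.

# Constructed sample in the layout shown in the thread.
# EXAMPLE.COM is a placeholder realm (the thread's realm is masked).
SAMPLE_LISTING='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 POSTGRES/onet003@EXAMPLE.COM
   2    3 RONZANID/onet003@EXAMPLE.COM'

# check_keytab_spn SERVICE HOST   (listing is read from stdin)
# Exit status: 0 = exact match, 1 = matches only when case is ignored,
# 2 = no entry for that service and host.
check_keytab_spn() {
    awk -v svc="$1" -v host="$2" '
        # Data rows: numeric slot, numeric KVNO, then service/host@REALM.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /\// {
            split($3, at, "@")          # at[1] = service/host
            split(at[1], parts, "/")    # parts[1] = service, parts[2] = host
            if (tolower(parts[2]) != tolower(host)) next
            if (parts[1] == svc)                        exact = $3
            else if (tolower(parts[1]) == tolower(svc)) near = $3
        }
        END {
            if (exact != "") { print "OK: " exact; exit 0 }
            if (near != "") {
                print "CASE MISMATCH: keytab has " near ", expected " svc "/" host
                exit 1
            }
            print "MISSING: no " svc "/" host " entry"
            exit 2
        }'
}
```

Feed it the saved listing on stdin with the service name the server was built with and the server's host name, for example `check_keytab_spn POSTGRES onet003 < listing.txt` (`listing.txt` is a hypothetical file name).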