HPE Community
Operating System - HP-UX
1753814 Members
7847 Online
108805 Solutions
New Discussion юеВ

Active Directory authentication to a Postgres database

 
Andrew Kaplan
Super Advisor

тАО12-16-2011 11:03 AM

тАО12-16-2011 11:03 AM

Active Directory authentication to a Postgres database

Hi there --

I am going through the motions of setting up Active Directory authentication to a Postgres, 8.1.3, database. The database is a package that was installed onto an HP-UX 11.11 server. The server itself is an NIS master server while the Active Directory environment is running in Windows 2008 mode.

I have downloaded documentation that contains the steps that are involved with this procedure. The URL that contains this information is the following:

 

http://wiki.postgresql.org/wiki/LDAP_Authentication_against_AD

 

One of the steps involved with the procedure involves modifying files within the /etc/openldap folder. I had two questions concerning this:

1. Is it a prerequisite to have openldap installed on the server in order for AD authentication to the database to be possible?

2. Can the server in question be a Master NIS as well as LDAP server simultaneously?

Thanks.

 



A Journey In The Quest Of Knowledge
0 Kudos
Reply
2 REPLIES 2
Matti_Kurkela
Honored Contributor

тАО12-18-2011 01:39 PM

тАО12-18-2011 01:39 PM

Re: Active Directory authentication to a Postgres database

1.) If Postgres needs a compile-time option to use LDAP, that suggests it's using OpenLDAP libraries for its LDAP client functions. Therefore, you would need to have at least the library/client parts of OpenLDAP installed. Even if OpenLDAP has been packaged in such a fashion that it would be impossible or inconvenient to separate the LDAP client and server functionalities, I don't see why you should actually run the LDAP server daemon to have Postgres act as a client for a remote LDAP/AD server.

 

2.) There is no technical reason why not.

 

Remember, even though LDAP is often used for authentication, it is by no means the only possible use for a LDAP server. Like Postgres is a general-purpose database, OpenLDAP server is a general-purpose directory server. It becomes an authentication server only when you set up a suitable directory schema, populate it with authentication information and then tell other systems to use that particular LDAP server for authentication... and none of these things are required steps when installing OpenLDAP.

 

If you choose to use the LDAP server to provide the same sort of information NIS does (perhaps because you want a multi-protocol authentication server), the question you should be asking is "How do I make sure the NIS and LDAP stay in sync?" - for it definitely won't happen automatically.

 

MK
0 Kudos
Reply
Andrew Kaplan
Super Advisor

тАО12-19-2011 10:25 AM

тАО12-19-2011 10:25 AM

Re: Active Directory authentication to a Postgres database

Hi there --

 

Thanks for your reply. I will see if the library/client parts of OpenLDAP are installed on the server. If they are not, I will go over what is involved with installing them, and verify that doing so will not prove to be problematic to the server or general operations.

 

I did some further investigating, and according to an article that I read, there are three methods available for the authentication:  Kerberos, native LDAP, and pam_ldap. According to the article the preferred authentication method is native LDAP because of its proven track-record. The Kerberos approach has the advantage of having an already domain user being able to access the database without having to re-enter his/her password. The problem here is it is not supported by JBDE or .NET architectures. The pam_ldap approach did not get much in positive feedback.

 

Admittedly this article was written in 2006, so the problem with Kerberos may have been resolved since that time. Do you have any opinion as to which of the three approaches might be best here?

 

Thanks.

A Journey In The Quest Of Knowledge
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.