Hi,
I’m new to PostgreSQL. I installed PostgreSQL on a Windows Server 2008 R2 server. I have created a database and an user in Windows Active Directory. How can I configure that user to access that database?
Thanks.
By default, Windows users and PostgreSQL users are completely separate.Hi,
I’m new to PostgreSQL. I installed PostgreSQL on a Windows Server 2008 R2 server. I have created a database and an user in Windows Active Directory. How can I configure that user to access that database?
According to http://www.postgresql.org/docs/9.1/static/auth-methods.html, SSPI only works when GSSAPI is available and GSSAPI support has to be enabled when PostgreSQL is built. Does it mean that I need to uninstall PostgreSQL and reinstall it with GSSAPI support? I used the One click installer downloaded from http://www.postgresql.org/download/windows to install PostgreSQL and I’m not sure how to include GSSAPI support.
From: Craig Ringer [mailto:ringerc <at> ringerc.id.au]
Sent: Tuesday, June 12, 2012 1:11 AM
To: Peter Cheung
Cc: 'pgsql-admin <at> postgresql.org'
Subject: Re: [ADMIN] How to setup PostgreSQL using Windows Authentication?
On 06/12/2012 10:00 AM, Peter Cheung wrote:
Hi,
I’m new to PostgreSQL. I installed PostgreSQL on a Windows Server 2008 R2 server. I have created a database and an user in Windows Active Directory. How can I configure that user to access that database?
By default, Windows users and PostgreSQL users are completely separate.
Use PgAdmin-III to create the user, or a "CREATE USER" command in psql. See
http://www.postgresql.org/docs/9.1/static/user-manag.html
It is also possible to use SSPI authentication with PostgreSQL, so PostgreSQL authenticates users against Active Directory. I haven't used it myself. The user must still be created in PostgreSQL, SSPI just takes care of authenticating them using their Windows
credentials. See:
http://www.postgresql.org/docs/9.1/static/auth-methods.html
--
Craig Ringer
According to http://www.postgresql.org/docs/9.1/static/auth-methods.html, SSPI only works when GSSAPI is available and GSSAPI support has to be enabled when PostgreSQL is built. Does it mean that I need to uninstall PostgreSQL and reinstall it with GSSAPI support? I used the One click installer downloaded from http://www.postgresql.org/download/windows to install PostgreSQL and I’m not sure how to include GSSAPI support.
On Jun 13, 2012 4:21 AM, "Craig Ringer" <ringerc <at> ringerc.id.au> wrote:
>
> On 06/13/2012 02:37 AM, Peter Cheung wrote:
>>
>> According to http://www.postgresql.org/docs/9.1/static/auth-methods.html, SSPI only works when GSSAPI is available and GSSAPI support has to be enabled when PostgreSQL is built. Does it mean that I need to uninstall PostgreSQL and reinstall it with GSSAPI support? I used the One click installer downloaded from http://www.postgresql.org/download/windows to install PostgreSQL and I’m not sure how to include GSSAPI support.
>
>
> While I haven't used it myself, I'd be amazed if the one-click installer's version of Pg wasn't built with GSSAPI and SSPI support. You shouldn't have to do anything.
Gssapi is *not* required on windows. Sspi support is always available on windows. Gssapi is only required to use Sspi on non-windows platforms.
Perhaps that sentence in the docs need to be changed to be more clear?
/Magnus
* Peter Cheung wrote:
> I’m new to PostgreSQL. I installed PostgreSQL on a Windows Server 2008
> R2 server. I have created a database and an user in Windows Active
> Directory. How can I configure that user to access that database?
The one-click installer (assuming you used that) left you with
PostgreSQL running under a local account named "postgres". First, you
have to change that, because SSPI requires that the service uses a
domain account:
1. Create a user account in your domain.
2. Change the ownership of the data directory and everything within it
to the new account, and grant it full control.
3. Change the service log on credentials so the service uses your
domain account.
4. Start the service to see if everything works. Try logging on as
before, create a database, drop some tables, call pg_switch_xlog().
If you can log on at all, just about anything that goes wrong later
indicates missing permissions on the data files.
Now, you have to tell Active Directory that your service account is
running the database. For that, you add a Service Principal Name to your
service account. You can do that with a command line tool named
setspn.exe, of which I cannot remember the command line. You can also
just change the attribute (servicePrincipalName) directly using either
the "Users and Computers" MMC, or whatever 2008R2's replacement for that
is, or ADSIedit. Anyway, your new SPN is
POSTGRES/fully.qualified.host.name
In my experience (which may be incomplete), you also have to make sure
that all your clients use the full host name, because otherwise they may
not get service tickets. Adding a second SPN with just the host name
without the domain may help with that, but using the full name is better
anyway.
The last step is to allow SSPI logon to the database. For that, you need
to create some login roles that have the same name as your domain users,
and an entry in pg_hba.conf with authentication method "sspi". Remember
that only the first entry in pg_hba.conf that matches database, client
address, and claimed user name is used.
--
Christian
--
--
Sent via pgsql-admin mailing list (pgsql-admin <at> postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
On 06/16/2012 08:36 PM, Christian Ullrich wrote: > * Peter Cheung wrote: > >> I’m new to PostgreSQL. I installed PostgreSQL on a Windows Server >> 2008 >> R2 server. I have created a database and an user in Windows Active >> Directory. How can I configure that user to access that database? > > The one-click installer (assuming you used that) left you with > PostgreSQL running under a local account named "postgres". First, you > have to change that, because SSPI requires that the service uses a > domain account: That's a great explanation. I didn't see anything equivalent in the docs - am I just blind? If not documented anywhere I'd like to add that to the wiki. > > 1. Create a user account in your domain. > 2. Change the ownership of the data directory and everything within it > to the new account, and grant it full control. > 3. Change the service log on credentials so the service uses your > domain account. > 4. Start the service to see if everything works. Try logging on as > before, create a database, drop some tables, call pg_switch_xlog(). > If you can log on at all, just about anything that goes wrong later > indicates missing permissions on the data files. > > Now, you have to tell Active Directory that your service account is > running the database. For that, you add a Service Principal Name to > your service account. You can do that with a command line tool named > setspn.exe, of which I cannot remember the command line. You can also > just change the attribute (servicePrincipalName) directly using either > the "Users and Computers" MMC, or whatever 2008R2's replacement for > that is, or ADSIedit. Anyway, your new SPN is > > POSTGRES/fully.qualified.host.name > > In my experience (which may be incomplete), you also have to make sure > that all your clients use the full host name, because otherwise they > may not get service tickets. Adding a second SPN with just the host > name without the domain may help with that, but using the full name is > better anyway. > > The last step is to allow SSPI logon to the database. For that, you > need to create some login roles that have the same name as your domain > users, and an entry in pg_hba.conf with authentication method "sspi". > Remember that only the first entry in pg_hba.conf that matches > database, client address, and claimed user name is used. > > -- > Christian > > -- -- Sent via pgsql-admin mailing list (pgsql-admin <at> postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-admin
* Craig Ringer wrote: > On 06/16/2012 08:36 PM, Christian Ullrich wrote: >> The one-click installer (assuming you used that) left you with >> PostgreSQL running under a local account named "postgres". First, you >> have to change that, because SSPI requires that the service uses a >> domain account: > > That's a great explanation. I didn't see anything equivalent in the docs > - am I just blind? It's not in the main docs, at least. > If not documented anywhere I'd like to add that to the wiki. Sure, go ahead. -- Christian -- -- Sent via pgsql-admin mailing list (pgsql-admin <at> postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-admin
RSS Feed