https://access.redhat.com/solutions/674323
SOLUTION 已验证 - 已更新 2014年一月13日23:33 -
环境
- Red Hat Enterprise Linux 6
- IPA/IdM
- Postgresql Server
问题
- How to configure Postgresql server to authenticate against IPA/IdM?
决议
- Edit
/var/lib/pgsql/data/pg_hba.conf
to enable GSSPI authentication.
host all all 10.10.10.0/24 gss
- Edit
/var/lib/pgsql/data/postgresql.conf
to add GSSAPI configuration settings.
krb_server_keyfile = '/var/lib/pgsql/data/pg.keytab'
krb_srvname = 'postgres' # (Kerberos only)
host all all 10.10.10.0/24 krb5
- Add a service in IPA Server
# ipa service-add postgres/`hostname`
-------------------------------------------------------------------------------
Added service "postgres/psgsql.example.com@EXAMPLE.COM"
-------------------------------------------------------------------------------
Principal: postgres/psgsql.example.com@EXAMPLE.COM
Managed by: psgsql.example.com
- Extract keytab created for Postgresql server.
# ipa-getkeytab -s `hostname` -p postgres/`hostname`@EXAMPLE.COM -k /var/lib/pgsql/data/pg.keytab
Keytab successfully retrieved and stored in: /var/lib/pgsql/data/pg.keytab
- Check if keytab is fine & secure it
# klist -kt pg.keytab
Keytab name: FILE:pg.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 12/11/13 17:58:12 postgres/psgsql.example.com@EXAMPLE.COM
1 12/11/13 17:58:12 postgres/psgsql.example.com@EXAMPLE.COM
1 12/11/13 17:58:12 postgres/psgsql.example.com@EXAMPLE.COM
1 12/11/13 17:58:12 postgres/psgsql.example.com@EXAMPLE.COM
# chown postgres:postgres pg.keytab
Now try to login with IPA user credentials in postgresql.