Gorbachev Ivan wrote:
Hi!
Sorry for my English. Can you help me? I am trying to add PostgreSQL
authentication to IPA.
Server of IPA host name - server.my.domain.local
database PostgreSQL host name - database.my.domain.local
1. pg_hba.conf – add record
host all all 192.168.0.0/24 gss
2. postgresql.conf add records:
# Kerberos and GSSAPI
krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
krb_srvname = 'postgres' # (Kerberos only)
3. Add PostgreSQL service:
ipa service-add postgres/server.my.domain.local
4. Create keytab:
ipa-getkeytab -s server.my.domain.local -p postgres/[email protected] -k /var/lib/pgsql/data/9.2/pg.keytab
5. Change owner:
chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
6. Restart PostgreSQL service
7. Try to connect from database host:
psql -h database.my.domain.local
If I try the “psql -h database.my.domain.local” command, I get an error:
“psql: FATAL: role "rembo" does not exist”
If I try the “psql -h database.my.domain.local -U [email protected]” command, I get an error:
“psql: FATAL: GSSAPI authentication failed for user [email protected]”
database.my.domain.local host’s authentication method – IPA.

Adam got IPA working with Postgres in OpenStack and wrote a blog post
about it:
http://adam.younglogic.com/2013/05/kerberizing-postgresql-with-freeipa-for-keystone/
The steps aren't directly comparable because he used Puppet; they look
largely the same to me, but I've never tried to set this up. It may be
helpful for you though.
rob
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
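
An added example, not part of the original messages: a Python cross-check of the values that have to agree in a GSSAPI setup like the one in this thread (the keytab path in postgresql.conf against the path the keytab was written to, and the service principal against the host name given to psql -h). The function names are hypothetical, the realm EXAMPLE.REALM is a placeholder, and the other inputs are copied from the steps above.

```python
import re

def parse_conf(text):
    """Parse postgresql.conf-style "key = 'value'" lines into a dict.
    Simplification: everything after '#' is treated as a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=\s*'?([^']*?)'?$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def check_gss_setup(conf_text, keytab_written_to, principal, connect_host,
                    krbsrvname="postgres"):
    """Return (code, detail) tuples for every mismatch found.
    krbsrvname is the libpq connection parameter; its default is 'postgres'."""
    problems = []
    keyfile = parse_conf(conf_text).get("krb_server_keyfile")
    # The server reads its key from krb_server_keyfile, so the keytab
    # must have been written to exactly that path.
    if keyfile != keytab_written_to:
        problems.append(("keyfile-path",
                         f"server reads {keyfile}, keytab is at {keytab_written_to}"))
    service, _, rest = principal.partition("/")
    host = rest.split("@", 1)[0]
    # The client requests a ticket for krbsrvname/<host it connects to>,
    # so the keytab needs a principal with that service and host.
    if service != krbsrvname:
        problems.append(("service-name", f"{service} != {krbsrvname}"))
    if host.lower() != connect_host.lower():
        problems.append(("principal-host",
                         f"principal is for {host}, client connects to {connect_host}"))
    return problems

# Inputs copied from the thread; the realm is a placeholder.
CONF = """# Kerberos and GSSAPI
krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
krb_srvname = 'postgres' # (Kerberos only)
"""

if __name__ == "__main__":
    for code, detail in check_gss_setup(
            CONF, "/var/lib/pgsql/data/9.2/pg.keytab",
            "postgres/server.my.domain.local@EXAMPLE.REALM",
            "database.my.domain.local"):
        print(f"{code}: {detail}")
```
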