Gorbachev Ivan wrote:
Hi!

Sorry for my English. Can you help me. I try to add PostgreSQL
authentication to IPA.

Server of IPA host name - server.my.domain.local
database PostgreSQL host name - database.my.domain.local

1.    pg_hba.conf – add record

host    all        all 192.168.0.0/24 <http://192.168.0.0/24>        gss

2.    postgresql.conf add records:
# Kerberos and GSSAPI
krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
krb_srvname = 'postgres'        # (Kerberos only)

3.    Add PostgreSQL service:
ipa service-add postgres/server.my.domain.local

4.    Create keytab:
ipa-getkeytab -s server.my.domain.local -p
postgres/database.my.domain.local@MY.DOMAIN.LOCAL  -k
/var/lib/pgsql/data/9.2/pg.keytab

5.    Change owner:
chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab

6.   restart PostgreSQL service

7.    Try to connect from database host:
psql -h database.my.domain.local

If I try – “psql -h database.my.domain.local” command, I have an error –
“psql: FATAL:  role "rembo" does not exist”

If I try –“psql -h database.my.domain.local -U rembo@MY.DOMAIN.LOCAL
<mailto:rembo@MY.DOMAIN.LOCAL>” command, I have an error  “psql: FATAL:
GSSAPI authentication failed for user rembo@MY.DOMAIN.LOCAL
<mailto:rembo@MY.DOMAIN.LOCAL>"

database.my.domain.local host’s authentication method – IPA.

Adam got IPA working with Postgres in OpenStack and wrote a blog post about it: http://adam.younglogic.com/2013/05/kerberizing-postgresql-with-freeipa-for-keystone/

The steps aren't directly comparable because he used puppet they look largely the same to me, but I've never tried to set this up. It may be helpful for you though.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to