On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
I should add the role every time I add IPA users? For example, I have
one role for PostgreSQL, and after adding a new IPA user, should I add a mapping
for this new user? Or would it be made automatically?
This is a PostgreSQL-specific question, nothing specific to IPA at all.
The answer depends on your model of database access, since PostgreSQL
users are not the same as system users -- you need to map them to each
other. By default the mapping is 1:1, i.e. for each system user there should
exist the same user entry in PostgreSQL.
In general, if you have a single database user (or role) and want to
allow multiple system level users to access it, you need to supply user
maps: http://www.postgresql.org/docs/9.2/static/auth-username-maps.html
In Adam's case I guess puppet's recipe automatically sets up PostgreSQL
user named 'keystone' and therefore connection to PostgreSQL with
principal 'keystone' matches it automatically.
On Mon, Sep 30, 2013 at 7:03 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
Hi!
Sorry for my English. Can you help me? I am trying to add PostgreSQL
authentication to IPA.
Server of IPA host name - server.my.domain.local
database PostgreSQL host name - database.my.domain.local
1. pg_hba.conf – add record
host all all 192.168.0.0/24 gss
2. postgresql.conf add records:
# Kerberos and GSSAPI
krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
krb_srvname = 'postgres' # (Kerberos only)
3. Add PostgreSQL service:
ipa service-add postgres/server.my.domain.local
4. Create keytab:
ipa-getkeytab -s server.my.domain.local -p postgres/database.my.domain.local@MY.DOMAIN.LOCAL -k /var/lib/pgsql/data/9.2/pg.keytab
5. Change owner:
chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
6. restart PostgreSQL service
7. Try to connect from database host:
psql -h database.my.domain.local
If I try – “psql -h database.my.domain.local” command, I have an error –
“psql: FATAL: role "rembo" does not exist”
So authentication passes in this case but you don't have proper role
defined. Define a role called 'rembo'.
See http://www.postgresql.org/docs/9.2/static/database-roles.html
If I try the “psql -h database.my.domain.local -U rembo@MY.DOMAIN.LOCAL”
command, I have an error “psql: FATAL: GSSAPI authentication failed for
user rembo@MY.DOMAIN.LOCAL”
database.my.domain.local host’s authentication method – IPA.
This is PostgreSQL log:
DEBUG: InitPostgres
DEBUG: my backend ID is 1
DEBUG: StartTransaction
DEBUG: checkpointer updated shared memory configuration values
DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR,
xid/subid/cid: 0/1/0, nestlvl: 1, children:
DEBUG: CommitTransaction
DEBUG: name: unnamed; blockState: STARTED; state: INPROGR,
xid/subid/cid: 0/1/0, nestlvl: 1, children:
DEBUG: forked new backend, pid=17203 socket=11
DEBUG: postmaster child[17203]: starting with (
DEBUG: postgres
DEBUG: rembo@MY.DOMAIN.LOCAL
DEBUG: )
DEBUG: InitPostgres
DEBUG: my backend ID is 2
DEBUG: StartTransaction
DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR,
xid/subid/cid: 0/1/0, nestlvl: 1, children:
DEBUG: Processing received GSS token of length 654
DEBUG: gss_accept_sec_context major: 0, minor: 0, outlen: 156, outflags:
1b2
DEBUG: sending GSS response token of length 156
DEBUG: sending GSS token of length 156
LOG: provided user name (rembo@MY.DOMAIN.LOCAL) and authenticated user
name (rembo) do not match
You have this issue because your username and mapped name do not match.
--
/ Alexander Bokovoy
--
With Best Regards
Gorbachev Ivan
--
/ Alexander Bokovoy
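To make the user-name mapping Alexander describes concrete (1:1 by default, or a pg_ident.conf map when several principals should share one role, and the realm-stripping that produces the "provided user name ... and authenticated user name ... do not match" log line), here is a small Python simulation of the documented matching rules. It is an added example, not code from the thread or from PostgreSQL itself; the pg_ident.conf content, the map name `ipa` and all principals other than rembo@MY.DOMAIN.LOCAL are constructed for illustration.

```python
import re

# Constructed pg_ident.conf (not from the thread): line 1 strips the realm so
# each principal maps to its own role; lines 2-3 share the 'keystone' role.
PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME               PG-USERNAME
ipa        /^(.*)@MY\.DOMAIN\.LOCAL$     \1
ipa        rembo@MY.DOMAIN.LOCAL         keystone
ipa        ivan@MY.DOMAIN.LOCAL          keystone
"""

def parse_ident(text):
    """Parse pg_ident.conf into (map-name, system-username, pg-username) rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            if len(fields) != 3:
                raise ValueError("malformed pg_ident.conf line: %r" % line)
            rows.append(tuple(fields))
    return rows

def ident_allows(rows, map_name, system_user, db_user):
    r"""Documented username-map rule: a system-username starting with '/' is a
    regex whose first capture group replaces a single \1 in the pg-username
    column; any other line is an exact, case-sensitive comparison."""
    for name, sys_pat, pg_name in rows:
        if name != map_name:
            continue
        if sys_pat.startswith("/"):
            m = re.search(sys_pat[1:], system_user)
            if m is None:
                continue
            if m.groups():
                pg_name = pg_name.replace(r"\1", m.group(1))
        elif sys_pat != system_user:
            continue
        if pg_name == db_user:
            return True
    return False

def gss_authorizes(principal, requested_role, map_name=None,
                   include_realm=False, ident=PG_IDENT):
    """Would a pg_hba.conf 'gss' line accept `principal` as `requested_role`?
    include_realm=0 (the 9.2 default) strips '@REALM' before mapping; with no
    map= option the stripped name and the requested role must be identical."""
    system_user = principal if include_realm else principal.partition("@")[0]
    if map_name is None:
        return system_user == requested_role
    return ident_allows(parse_ident(ident), map_name, system_user, requested_role)
```

Whether the role actually exists (the earlier `role "rembo" does not exist` error) is a separate server-side check that this simulation does not model.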
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel