[Freeipa-devel] PostgreSQL + freeipa

Gorbachev Ivan gim.spb at gmail.com
Mon Sep 30 14:26:02 UTC 2013


I know about this article, and I did it the way he did. But I can't connect to
PostgreSQL =(((

On Mon, Sep 30, 2013 at 6:21 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Gorbachev Ivan wrote:
>
>> Hi!
>>
>> Sorry for my English. Can you help me? I am trying to add PostgreSQL
>> authentication to IPA.
>>
>> Server of IPA host name - server.my.domain.local
>> database PostgreSQL host name - database.my.domain.local
>>
>> 1.    pg_hba.conf – add record
>>
>> host    all        all 192.168.0.0/24        gss
>>
>>
>> 2.    postgresql.conf add records:
>> # Kerberos and GSSAPI
>> krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
>> krb_srvname = 'postgres'        # (Kerberos only)
>>
>> 3.    Add PostgreSQL service:
>> ipa service-add postgres/server.my.domain.local
>>
>> 4.    Create keytab:
>> ipa-getkeytab -s server.my.domain.local -p postgres/database.my.domain.local@MY.DOMAIN.LOCAL -k /var/lib/pgsql/data/9.2/pg.keytab
>>
>> 5.    Change owner:
>> chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
>>
>> 6.   restart PostgreSQL service
>>
>> 7.    Try to connect from database host:
>> psql -h database.my.domain.local
>>
>> If I try – “psql -h database.my.domain.local” command, I have an error –
>> “psql: FATAL:  role "rembo" does not exist”
>>
>> If I try – “psql -h database.my.domain.local -U rembo@MY.DOMAIN.LOCAL”
>> command, I have an error “psql: FATAL: GSSAPI authentication failed for
>> user rembo@MY.DOMAIN.LOCAL"
>>
>>
>> database.my.domain.local host’s authentication method – IPA.
>>
>
> Adam got IPA working with Postgres in OpenStack and wrote a blog post
> about it:
> http://adam.younglogic.com/2013/05/kerberizing-postgresql-with-freeipa-for-keystone/
>
> The steps aren't directly comparable because he used puppet; they look
> largely the same to me, but I've never tried to set this up. It may be
> helpful for you though.
>
> rob
>



-- 
With Best Regards
Gorbachev Ivan
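
A consistency check over the values in the steps quoted above, as an added example that is not part of the original messages: the principal registered with `ipa service-add`, the principal and path passed to `ipa-getkeytab`, and `krb_server_keyfile` have to agree, and a libpq client asks for a ticket for `<service>/<host given to -h>`. The function names and sample strings are constructed for illustration, and `postgres` is assumed as libpq's default `krbsrvname`.

```python
import re
import shlex

# Constructed sample input: values from the quoted steps (archive artifacts undone).
POSTGRESQL_CONF = "krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'\n"
SERVICE_ADD = "ipa service-add postgres/server.my.domain.local"
GETKEYTAB = ("ipa-getkeytab -s server.my.domain.local "
             "-p postgres/database.my.domain.local@MY.DOMAIN.LOCAL "
             "-k /var/lib/pgsql/data/9.2/pg.keytab")
DB_HOST = "database.my.domain.local"  # host given to psql -h


def conf_value(conf, key):
    """Return a 'key = value' setting, without quotes or trailing comment."""
    for line in conf.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*'?([^'#]*?)'?\s*(#.*)?$", line)
        if m and m.group(1) == key:
            return m.group(2)
    return None


def option(cmd, flag):
    """Return the argument that follows `flag` in a shell command line."""
    argv = shlex.split(cmd)
    return argv[argv.index(flag) + 1] if flag in argv else None


def service_and_host(principal):
    """Split 'service/host[@REALM]' into (service, host)."""
    service, _, host = principal.partition("@")[0].partition("/")
    return service, host


def check(conf, service_add, getkeytab, db_host, srvname="postgres"):
    """Return mismatches between the IPA principal, the keytab and postgresql.conf.

    srvname is an assumption: libpq's default krbsrvname."""
    findings = []
    principals = {"ipa service-add": shlex.split(service_add)[-1],
                  "ipa-getkeytab -p": option(getkeytab, "-p")}
    for source, principal in principals.items():
        if service_and_host(principal) != (srvname, db_host):
            findings.append(f"{source}: {principal} is not {srvname}/{db_host}")
    keyfile = conf_value(conf, "krb_server_keyfile")
    if option(getkeytab, "-k") != keyfile:
        findings.append(f"ipa-getkeytab -k: keytab not written to {keyfile}")
    return findings


if __name__ == "__main__":
    for finding in check(POSTGRESQL_CONF, SERVICE_ADD, GETKEYTAB, DB_HOST):
        print(finding)
```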