[Freeipa-devel] PostgreSQL + freeipa

Alexander Bokovoy abokovoy at redhat.com
Mon Sep 30 15:58:52 UTC 2013


On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>Should I add the role every time I add IPA users? For example, I have
>one role for PostgreSQL; after adding a new IPA user, should I add a mapping
>for this new user? Or would it be made automatically?
This is a PostgreSQL-specific question, nothing specific to IPA at all.
The answer to it depends on your model of database access, since PostgreSQL
users are not the same as system users -- you need to map them to each
other. By default the mapping is 1:1, i.e. for each system user there should
exist the same user entry in PostgreSQL.

In general, if you have a single database user (or role) and want to
allow multiple system level users to access it, you need to supply user
maps: http://www.postgresql.org/docs/9.2/static/auth-username-maps.html

In Adam's case I guess puppet's recipe automatically sets up PostgreSQL
user named 'keystone' and therefore connection to PostgreSQL with
principal 'keystone' matches it automatically.

>
>On Mon, Sep 30, 2013 at 7:03 PM, Alexander Bokovoy <abokovoy at redhat.com>wrote:
>
>> On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>>
>>> Hi!
>>>
>>> Sorry for my English. Can you help me? I am trying to add PostgreSQL
>>> authentication to IPA.
>>>
>>> Server of IPA host name - server.my.domain.local
>>> database PostgreSQL host name - database.my.domain.local
>>>
>>> 1.    pg_hba.conf – add record
>>>
>>> host    all        all        192.168.0.0/24        gss
>>>
>>> 2.    postgresql.conf add records:
>>> # Kerberos and GSSAPI
>>> krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
>>> krb_srvname = 'postgres'        # (Kerberos only)
>>>
>>> 3.    Add PostgreSQL service:
>>> ipa service-add postgres/server.my.domain.local
>>>
>>> 4.    Create keytab:
>>> ipa-getkeytab -s server.my.domain.local -p
>>> postgres/database.my.domain.local@MY.DOMAIN.LOCAL  -k
>>> /var/lib/pgsql/data/9.2/pg.keytab
>>>
>>> 5.    Change owner:
>>> chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
>>>
>>> 6.   restart PostgreSQL service
>>>
>>> 7.    Try to connect from database host:
>>> psql -h database.my.domain.local
>>>
>>> If I try – “psql -h database.my.domain.local” command, I have an error –
>>> “psql: FATAL:  role "rembo" does not exist”
>>>
>> So authentication passes in this case but you don't have proper role
>> defined. Define a role called 'rembo'.
>>
>> See http://www.postgresql.org/docs/9.2/static/database-roles.html
>>
>>
>>
>>> If I try the “psql -h database.my.domain.local -U rembo@MY.DOMAIN.LOCAL”
>>> command, I have an error – “psql: FATAL:  GSSAPI authentication failed for
>>> user rembo@MY.DOMAIN.LOCAL”
>>>
>>> database.my.domain.local host’s authentication method – IPA.
>>>
>>> This is PostgreSQL log:
>>> DEBUG:  InitPostgres
>>> DEBUG:  my backend ID is 1
>>> DEBUG:  StartTransaction
>>> DEBUG:  checkpointer updated shared memory configuration values
>>> DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR,
>>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>> DEBUG:  CommitTransaction
>>> DEBUG:  name: unnamed; blockState:       STARTED; state: INPROGR,
>>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>> DEBUG:  forked new backend, pid=17203 socket=11
>>> DEBUG:  postmaster child[17203]: starting with (
>>> DEBUG:    postgres
>>> DEBUG:    rembo@MY.DOMAIN.LOCAL
>>> DEBUG:  )
>>> DEBUG:  InitPostgres
>>> DEBUG:  my backend ID is 2
>>> DEBUG:  StartTransaction
>>> DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR,
>>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>> DEBUG:  Processing received GSS token of length 654
>>> DEBUG:  gss_accept_sec_context major: 0, minor: 0, outlen: 156, outflags:
>>> 1b2
>>> DEBUG:  sending GSS response token of length 156
>>> DEBUG:  sending GSS token of length 156
>>> LOG:  provided user name (rembo@MY.DOMAIN.LOCAL) and authenticated user
>>> name (rembo) do not match
>>>
>> You have this issue because your username and mapped name do not match.
>>
>>
>> --
>> / Alexander Bokovoy
>>
>
>
>
>-- 
>With Best Regards
>Gorbachev Ivan



-- 
/ Alexander Bokovoy
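To make the name-matching rule in the reply concrete, here is an added example (written for this archive page, not code from the thread or from PostgreSQL itself) that reproduces the two decisions the gss auth method makes in 9.2 as described in its documentation: derive the "authenticated user name" from the Kerberos principal (optionally checking the realm, stripping it unless include_realm=1) and then compare it with the requested role, either directly or through a pg_ident.conf username map. The pg_ident.conf text, the map name "ipa", the realm MY.DOMAIN.LOCAL and the principals are constructed from the thread's names; the function names are my own. Both failing attempts from the original mail are run through it, followed by the mapped configuration that lets a whole realm log in under short role names.

```python
import re

# Constructed pg_ident.conf (assumption, not from the thread): map "ipa" turns
# any principal in the IPA realm into the PostgreSQL role of the same short
# name, and pins the Keystone service principal to the 'keystone' role.
PG_IDENT_CONF = r"""
# MAPNAME   SYSTEM-USERNAME                  PG-USERNAME
ipa         /^(.*)@MY\.DOMAIN\.LOCAL$        \1
ipa         keystone@MY.DOMAIN.LOCAL         keystone
"""


def parse_pg_ident(text):
    """Parse pg_ident.conf into {map_name: [(system_username, pg_username), ...]}."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("malformed pg_ident.conf line: %r" % raw)
        map_name, sys_name, pg_name = fields
        maps.setdefault(map_name, []).append((sys_name, pg_name))
    return maps


def gss_system_username(principal, include_realm=0, krb_realm=None):
    """Derive the 'authenticated user name' from the Kerberos principal the
    way the gss method does: reject a foreign realm when krb_realm is set,
    then strip the realm unless include_realm=1 (0 is the 9.2 default)."""
    if "@" in principal:
        short, realm = principal.rsplit("@", 1)
    else:
        short, realm = principal, None
    if krb_realm is not None and realm != krb_realm:
        return None  # PostgreSQL rejects the connection here
    return principal if include_realm else short


def check_usermap(maps, map_name, pg_role, system_user):
    """True if system_user may log in as pg_role under map_name.
    With no map the two names must be identical (the thread's situation)."""
    if map_name is None:
        return pg_role == system_user
    for sys_name, pg_name in maps.get(map_name, []):
        if sys_name.startswith("/"):
            # Regular-expression entry; \1 in the PG name takes the capture group.
            m = re.search(sys_name[1:], system_user)
            if m is None:
                continue
            target = pg_name
            if r"\1" in pg_name:
                if not m.groups():
                    raise ValueError(r"\1 used but no capture group in %r" % sys_name)
                target = pg_name.replace(r"\1", m.group(1))
            if target == pg_role:
                return True
        elif sys_name == system_user and pg_name == pg_role:
            return True
    return False


def gss_login_allowed(principal, requested_role, include_realm=0,
                      krb_realm=None, map_name=None, ident_conf=PG_IDENT_CONF):
    """Combine both steps into the yes/no decision pg_hba.conf's gss line makes."""
    system_user = gss_system_username(principal, include_realm, krb_realm)
    if system_user is None:
        return False
    maps = parse_pg_ident(ident_conf)
    return check_usermap(maps, map_name, requested_role, system_user)


if __name__ == "__main__":
    # The thread's first attempt, bare 'gss' line: name matches, so the next
    # error is the missing role.
    print(gss_login_allowed("rembo@MY.DOMAIN.LOCAL", "rembo"))                  # True
    # Second attempt: role 'rembo@MY.DOMAIN.LOCAL' vs stripped name 'rembo'.
    print(gss_login_allowed("rembo@MY.DOMAIN.LOCAL", "rembo@MY.DOMAIN.LOCAL"))  # False
    # 'gss include_realm=1 krb_realm=MY.DOMAIN.LOCAL map=ipa' in pg_hba.conf:
    print(gss_login_allowed("rembo@MY.DOMAIN.LOCAL", "rembo",
                            1, "MY.DOMAIN.LOCAL", "ipa"))                       # True
```

Note the caveat the last parameters address: with the 9.2 default of include_realm=0 and no krb_realm, a principal rembo from any trusted realm is reduced to "rembo" and accepted for that role, so pinning krb_realm (or keeping the realm and mapping it explicitly) is the safer configuration when more than one realm can reach the server.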

