[GENERAL] pg_ident mapping Kerberos Usernames
From | techmail+pgsql@dangertoaster.com |
---|---|
Subject | [GENERAL] pg_ident mapping Kerberos Usernames |
Date | |
Msg-id | 449baa21-a624-512c-56c3-556dba214b11@dangertoaster.com |
Responses | Re: [GENERAL] pg_ident mapping Kerberos Usernames (rob stone <floriparob@gmail.com>); Re: [GENERAL] pg_ident mapping Kerberos Usernames (Magnus Hagander <magnus@hagander.net>) |
List | pgsql-general |
Hi,

I'm trying to get pg_ident to map "user1" and "user1@A.DOMAIN.TLD" to "user1" in postgres, or vice versa. I'm not picky about which way works.

Kerberos authentication works. I've gotten "user1" to login successfully with a Kerberos ticket, but I'm not able to get "user1@A.DOMAIN.TLD" to match.

Environment:

* PostgreSQL 9.6 from PostgreSQL repos
* CentOS 7
* FreeIPA for Kerberos, LDAP, etc.
* Realm A.DOMAIN.TLD
* "user1" database exists
* "user1" role exists
* Logging into CentOS usernames are configured to drop the domain, so they appear as "user1" rather than "user1@a.domain.tld".

pg_hba.conf:

    local all postgres peer
    host all all 127.0.0.1/32 md5
    host all all ::1/128 md5
    host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD
    #This is on one line. Thunderbird is truncating lines.

pg_ident.conf:

    testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
    testnet /^([0-9A-Za-z_-]+)$ \1

Regex that works for both in regexr.com:

    /^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm

Command and lines from pg_log:

    $ psql -h db0 # Logged in as user1 with Kerberos ticket
    < 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44918
    < 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG: connection authorized: user=user1 database=user1
    < 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG: disconnection: session time: 0:00:01.537 user=user1 database=user1 host=192.168.1.201 port=44918

    $ psql -h db0 -U user1@A.DOMAIN.TLD # Logged in as user1 with Kerberos ticket
    < 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44920
    < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > LOG: no match in usermap "testnet" for user "user1@A.DOMAIN.TLD" authenticated as "user1@A.DOMAIN.TLD"
    < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > FATAL: GSSAPI authentication failed for user "user1@A.DOMAIN.TLD"
    < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > DETAIL: Connection matched pg_hba.conf line 87: "host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD"

Is this something that is possible, or is it something where I need to pick one way to do it?

Thanks in advance,
Ryan
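
The map lookup behind the two log excerpts above, as an added example that is not part of the original message and not PostgreSQL's own code: a simplified Python model in which the name authenticated via GSSAPI is matched against the system-username field, `\1` is substituted into the database-username field, and the result must equal the requested role exactly. The names `mapped_roles`, `usermap_allows` and `PRINCIPAL` are hypothetical, and Python's `re` stands in for PostgreSQL's regex engine.

```python
import re

# The two pg_ident.conf lines from the message:
# (map name, system-username field, database-username field).
IDENT_LINES = [
    ("testnet", r"/^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$", r"\1"),
    ("testnet", r"/^([0-9A-Za-z_-]+)$", r"\1"),
]


def mapped_roles(map_name, system_user, lines=IDENT_LINES):
    """Return the database role that each matching map line yields."""
    roles = []
    for name, sys_field, db_field in lines:
        if name != map_name:
            continue
        if sys_field.startswith("/"):
            # A leading slash marks a regular expression; \1 in the
            # database-username field becomes the first capture group.
            m = re.search(sys_field[1:], system_user)
            if m is None:
                continue
            if "\\1" in db_field:
                roles.append(db_field.replace("\\1", m.group(1), 1))
            else:
                roles.append(db_field)
        elif sys_field == system_user:
            roles.append(db_field)
    return roles


def usermap_allows(map_name, system_user, requested_role, lines=IDENT_LINES):
    """True if some map line turns system_user into exactly requested_role."""
    return requested_role in mapped_roles(map_name, system_user, lines)


# With include_realm=1 the authenticated (system) name carries the realm,
# as the "authenticated as" part of the log line in the message shows.
PRINCIPAL = "user1@A.DOMAIN.TLD"

if __name__ == "__main__":
    for role in ("user1", "user1@A.DOMAIN.TLD"):
        ok = usermap_allows("testnet", PRINCIPAL, role)
        verdict = "match" if ok else "no match in usermap"
        print(f"authenticated as {PRINCIPAL!r}, requested role {role!r}: {verdict}")
```

In this model the regex only rewrites the authenticated name; the role passed with `-U` is compared literally against the rewritten value, which reproduces both log outcomes in the message.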