LDAP authentication

Andrey Aksenov

Access to a Greengage DB cluster can be controlled using LDAP authentication. You can use your organization’s directory service, such as Active Directory or 389 Directory Server, to authenticate Greengage DB users.

This topic shows how to integrate your Greengage DB cluster with a directory service provided by FreeIPA. The FreeIPA directory service is based on the 389 DS LDAP server.

Prerequisites

The following hosts and IPA domain parameters are used to illustrate the integration of a Greengage DB cluster with a FreeIPA server:

  • Master host: name — mdw.example.com, FQDN — mdw.example.com.

  • FreeIPA host: name — ipa.example.com, FQDN — ipa.example.com, operating system — RHEL or CentOS.

  • Realm: EXAMPLE.COM.

Replace the host names, fully qualified domain names (FQDN), and the realm name to fit your environment.

Set up the FreeIPA server

Log in to the FreeIPA host as a user with superuser privileges:

$ ssh sampleuser@ipa.example.com

In this example, the user name is sampleuser.

Install FreeIPA packages

To install FreeIPA packages, execute the following command:

$ sudo yum install ipa-server

Configure the FreeIPA server

Execute the command below to configure the FreeIPA server non-interactively:

$ sudo ipa-server-install \
  --unattended \
  --hostname=ipa.example.com \
  --domain=example.com \
  --realm=EXAMPLE.COM \
  --ds-password=87654321 \
  --admin-password=12345678

IMPORTANT

It is not recommended to specify passwords as plain text when setting up a FreeIPA server non-interactively. As a safer alternative, you can load passwords from environment variables.

When the FreeIPA server configuration is finished, view the status of services using the ipactl status command:

$ sudo ipactl status

In particular, the output should show that the Directory, krb5kdc, and kadmin services are running:

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING

Create a FreeIPA user

Authenticate as admin

The admin user is created automatically to perform administrative activities. You need to authenticate as admin by running kinit:

$ kinit admin

When the following prompt is shown, enter the password specified with the --admin-password option during the FreeIPA server configuration:

Password for admin@EXAMPLE.COM:

Create a regular user

Create a regular FreeIPA user using the ipa user-add command:

$ ipa user-add alice \
  --first=Alice \
  --last=Johnson \
  --password

Enter the desired password and press Enter when these prompts are shown:

Password:
Enter Password again to verify:

The result should look as follows:

------------------
Added user "alice"
------------------
  User login: alice
  First name: Alice
  Last name: Johnson
  Full name: Alice Johnson
  Display name: Alice Johnson
  Initials: AJ
  Home directory: /home/alice
  GECOS: Alice Johnson
  Login shell: /bin/sh
  Principal name: alice@EXAMPLE.COM
  Principal alias: alice@EXAMPLE.COM
  User password expiration: 20250109101949Z
  Email address: alice@example.com
  UID: 1389000001
  GID: 1389000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Set up the Greengage DB master

To configure the Greengage DB master host, log in to it as gpadmin:

$ ssh gpadmin@mdw.example.com

Create Greengage DB roles

Create the ldap_users Greengage DB role:

$ createuser ldap_users --no-login

Create the alice user and make it a member of the ldap_users group:

$ createuser alice --role=ldap_users

Note that the Greengage DB user name matches the FreeIPA user name.

NOTE

You can use the pg-ldap-sync utility to synchronize LDAP and Greengage DB users and groups automatically.

Configure LDAP authentication

  1. Open the pg_hba.conf file for editing:

    $ vi $MASTER_DATA_DIRECTORY/pg_hba.conf

  2. Add the following line to this file:

    # connection-type  database  user         address  auth-method  auth-options
    host               postgres  +ldap_users  samenet  ldap         ldapserver=ipa.example.com ldapprefix="uid=" ldapsuffix=",cn=users,cn=accounts,dc=example,dc=com"

    This configuration lets users from the ldap_users group access the postgres database using LDAP authentication (auth-method is ldap). The related LDAP authentication options are specified in the auth-options field:

    • ldapserver — the name of an LDAP server to connect to.

    • ldapprefix — the string to prepend to a user name when forming the DN to bind as.

    • ldapsuffix — the string to append to a user name when forming the DN to bind as.

    You can find all the available LDAP authentication options in the corresponding topic of the PostgreSQL documentation: LDAP Authentication.

  3. Reload the configuration using gpstop to apply the changes:

    $ gpstop -u

Connect to a database

This section describes connecting to a database protected with LDAP authentication using psql. Perform the steps described below on the master host.

  1. Connect to the default postgres database under the alice role using psql:

    $ psql postgres -U alice -h mdw.example.com

  2. Type the password of the alice FreeIPA user and press Enter:

    Password for user alice:

    The output should look like this:

    psql (9.4.26)
    Type "help" for help.
    
    postgres=>

  3. Select the current user name:

    SELECT current_user;

    The command should return the following:

     current_user
    ---------------
     alice

Examples

The following are additional examples of configuring LDAP authentication in the pg_hba.conf file:

  • ldapbasedn specifies a root DN used to begin the search for a user:

    # connection-type  database  user         address  auth-method  auth-options
    host               postgres  +ldap_users  samenet  ldap         ldapserver=ipa.example.com ldapbasedn="cn=users,cn=accounts,dc=example,dc=com"

  • ldapbinddn and ldapbindpasswd are used to bind to the LDAP directory with a fixed user name and password:

    # connection-type  database  user         address  auth-method  auth-options
    host               postgres  +ldap_users  samenet  ldap         ldapserver=ipa.example.com ldapbasedn="cn=users,cn=accounts,dc=example,dc=com" ldapbinddn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" ldapbindpasswd="12345678"

  • ldaptls enables TLS encryption for the connection between the Greengage DB master host and the LDAP server:

    # connection-type  database  user         address  auth-method  auth-options
    host               postgres  +ldap_users  samenet  ldap         ldaptls=1 ldapserver=ipa.example.com ldapbasedn="cn=users,cn=accounts,dc=example,dc=com"

  • ldapurl specifies all the LDAP authentication options as a URL:

    # connection-type  database  user         address  auth-method  auth-options
    host               postgres  +ldap_users  samenet  ldap         ldapurl="ldap://ipa.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub"
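The following Python script is an added example; it is not part of the Greengage DB documentation or of the server itself. It parses pg_hba.conf entries like the ones in "Configure LDAP authentication" and the examples above, shows which identity the server binds as (simple bind mode: ldapprefix + user name + ldapsuffix) or searches for (search+bind mode: ldapbasedn, ldapsearchattribute, ldapurl) when a given user logs in, and flags the settings a reviewer would question: clear-text LDAP traffic when ldaptls is not 1, a directory password stored in pg_hba.conf via ldapbindpasswd, and the directory administrator used as the search account. The sample fragment is constructed from the entries on this page; the option semantics follow the PostgreSQL LDAP Authentication documentation, while the function names and the lint rules are the example's own.

```python
"""Lint the LDAP auth-options of pg_hba.conf entries like the ones on this page.

Added example; not part of the Greengage DB documentation or the server code.
The sample fragment below is constructed from the entries shown on this page.
"""
import shlex
from urllib.parse import unquote, urlparse

# Options belonging to the two LDAP modes; the server rejects entries that mix them.
SIMPLE_BIND = {"ldapprefix", "ldapsuffix"}
SEARCH_BIND = {"ldapbasedn", "ldapbinddn", "ldapbindpasswd",
               "ldapsearchattribute", "ldapurl"}

# Constructed sample: the comment header plus the four variants from this page.
SAMPLE_HBA = """\
# connection-type  database  user         address  auth-method  auth-options
host  postgres  +ldap_users  samenet  ldap  ldapserver=ipa.example.com ldapprefix="uid=" ldapsuffix=",cn=users,cn=accounts,dc=example,dc=com"
host  postgres  +ldap_users  samenet  ldap  ldapserver=ipa.example.com ldapbasedn="cn=users,cn=accounts,dc=example,dc=com" ldapbinddn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" ldapbindpasswd="12345678"
host  postgres  +ldap_users  samenet  ldap  ldaptls=1 ldapserver=ipa.example.com ldapbasedn="cn=users,cn=accounts,dc=example,dc=com"
host  postgres  +ldap_users  samenet  ldap  ldapurl="ldap://ipa.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub"
"""


def parse_hba_line(line):
    """Split one entry into its fixed fields plus a dict of auth-options.
    shlex strips the double quotes allowed around option values; a blank or
    comment line yields None."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    if len(tokens) < 5:
        raise ValueError("expected: type database user address auth-method [options]")
    entry = dict(zip(("type", "database", "user", "address", "method"), tokens))
    entry["options"] = {}
    for tok in tokens[5:]:
        name, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"auth-option without '=': {tok}")
        entry["options"][name] = value
    return entry


def expand_ldapurl(opts):
    """Fold an RFC 4516 ldapurl (ldap://host[:port]/basedn?attr?scope) into the
    equivalent discrete options so the remaining checks see a single shape."""
    if "ldapurl" not in opts:
        return dict(opts)
    url = urlparse(opts["ldapurl"])
    if url.scheme != "ldap":
        raise ValueError(f"unsupported ldapurl scheme: {url.scheme}")
    attr, _, rest = url.query.partition("?")
    scope = rest.split("?")[0]
    if scope and scope != "sub":
        raise ValueError("only scope 'sub' is supported in ldapurl")
    out = {k: v for k, v in opts.items() if k != "ldapurl"}
    out["ldapserver"] = url.hostname
    if url.port:
        out["ldapport"] = str(url.port)
    out["ldapbasedn"] = unquote(url.path.lstrip("/"))
    out["ldapsearchattribute"] = attr or "uid"
    return out


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed in a search filter, so characters
    such as '*', '(' or ')' in a user name cannot change the filter's meaning."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)


def bind_identity(opts, username):
    """Return ('simple', dn) or ('search', (basedn, filter)): the DN the server
    binds as, or the search it runs, when `username` authenticates."""
    opts = expand_ldapurl(opts)
    if "ldapbasedn" in opts:                      # search+bind mode
        attr = opts.get("ldapsearchattribute", "uid")
        return "search", (opts["ldapbasedn"], f"({attr}={escape_filter_value(username)})")
    # simple bind mode: prefix + user name + suffix, exactly as the server builds it
    return "simple", opts.get("ldapprefix", "") + username + opts.get("ldapsuffix", "")


def lint(opts):
    """Defensive checks on one entry's LDAP options; returns a list of findings."""
    findings = []
    used = set(opts)
    if used & SIMPLE_BIND and used & SEARCH_BIND:
        findings.append("error: simple-bind options (ldapprefix/ldapsuffix) cannot be "
                        "combined with search+bind options (ldapbasedn, ldapurl, ...)")
    if opts.get("ldaptls") != "1":
        findings.append("warning: ldaptls is not 1, so the user's password travels to the "
                        "LDAP server in clear text; set ldaptls=1 (StartTLS)")
    if "ldapbindpasswd" in opts:
        findings.append("warning: ldapbindpasswd stores a directory password in pg_hba.conf; "
                        "use a dedicated read-only bind account and keep the file mode 0600")
    if opts.get("ldapbinddn", "").lower().startswith("uid=admin,"):
        findings.append("warning: ldapbinddn is the directory administrator; a read-only "
                        "service account is sufficient for the user search")
    return findings


def lint_hba(text):
    """Lint every LDAP entry in a pg_hba.conf fragment; returns {line_no: findings}."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_hba_line(line)
        if entry and entry["method"] == "ldap":
            report[n] = lint(entry["options"])
    return report


if __name__ == "__main__":
    for n, findings in lint_hba(SAMPLE_HBA).items():
        print(f"line {n}:")
        for f in findings or ["ok"]:
            print("  " + f)
```

Run it against a real pg_hba.conf by passing the file contents to lint_hba; only entries whose auth-method is ldap are inspected. The filter escaping in bind_identity is what a client building the search filter should do, and the DN in simple bind mode is plain concatenation, which is why the user name should also be constrained to the role names that actually exist in the cluster.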