Re: Use AD-account as login into Postgres. - Mailing list pgsql-admin

Yes this is a complete windows installation of Postgres and they will use ad-login account into the database 

Mvh Pär

 

---

Från: Holger Jakobs <holger@jakobs.com>
Skickat: fredag, februari 9, 2024 20:05
Till: pgsql-admin@lists.postgresql.org <pgsql-admin@lists.postgresql.org>
Ämne: Re: Use AD-account as login into Postgres.

 

Am 09.02.24 um 19:31 schrieb Pär Mattsson:

Hi!

Is it only to config in hba.conf the connection info,  to use AD-accounts to login in postgres.

This is a windows/postres intallation 🤦‍♂️✌️

Mvh Pär

+46706069645

Hi,

Short answer: No!

SSPI using AD accounts for authentication works only in a complete Windows environment. The client and the server machine have to be member of the same AD environment, which isn't possible for non-Windows machines. Otherwise, there is no trust between the machines.

An automatic creation of PostgreSQL roles from AD accounts has to be done outside PostgreSQL, i. e. by a script running regularly.

A couple of years ago, I wrote such a script for a customer.

Regards,

Holger

If that's the case, create all the necessary roles (groups, users) in PostgreSQL matching entries in pg_hba.conf and mapping entries in pg_ident, so that Windows users can connect to the database without needing to authenticate again.

It's a nice way of providing single sign-on.

Regards,

Holger

-- 
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012

-- 
Holger Jakobs, Bergisch Gladbach, Tel. +49-178-9759012