How to configure Postgresql server to authenticate against IPA/IdM?-优快云博客

本文介绍如何在Red Hat Enterprise Linux 6中配置PostgreSQL服务器使用IPA/IdM进行身份验证。通过编辑pg_hba.conf和postgresql.conf文件启用GSSPI认证，添加服务到IPA服务器并提取keytab，确保PostgreSQL服务器与IPA/IdM的无缝集成。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

https://access.redhat.com/solutions/674323

SOLUTION 已验证 - 已更新 2014年一月13日23:33 -

English

环境

Red Hat Enterprise Linux 6
IPA/IdM
Postgresql Server

问题

How to configure Postgresql server to authenticate against IPA/IdM?

决议

Edit /var/lib/pgsql/data/pg_hba.conf to enable GSSPI authentication.

Raw

host    all     all 10.10.10.0/24       gss

Edit /var/lib/pgsql/data/postgresql.conf to add GSSAPI configuration settings.

Raw

krb_server_keyfile = '/var/lib/pgsql/data/pg.keytab'
krb_srvname = 'postgres'                # (Kerberos only)
host    all     all     10.10.10.0/24  krb5

Add a service in IPA Server

Raw

# ipa service-add postgres/`hostname`
-------------------------------------------------------------------------------
Added service "postgres/psgsql.example.com@EXAMPLE.COM"
-------------------------------------------------------------------------------
  Principal: postgres/psgsql.example.com@EXAMPLE.COM
  Managed by: psgsql.example.com

Extract keytab created for Postgresql server.

Raw

# ipa-getkeytab -s `hostname` -p postgres/`hostname`@EXAMPLE.COM -k /var/lib/pgsql/data/pg.keytab
Keytab successfully retrieved and stored in: /var/lib/pgsql/data/pg.keytab

Check if keytab is fine & secure it

Raw

# klist -kt pg.keytab 
Keytab name: FILE:pg.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/11/13 17:58:12 postgres/psgsql.example.com@EXAMPLE.COM
   1 12/11/13 17:58:12 postgres/psgsql.example.com@EXAMPLE.COM
   1 12/11/13 17:58:12 postgres/psgsql.example.com@EXAMPLE.COM
   1 12/11/13 17:58:12 postgres/psgsql.example.com@EXAMPLE.COM
# chown postgres:postgres pg.keytab

Now try to login with IPA user credentials in postgresql.