1

Deploying PostgreSQL in a Windows Enterprise

Magnus Hagandermagnus@hagander.net

PGCon 2008

Ottawa, CanadaMay 2008

2

AgendaDefinitionInstallationActive Directory

Authentication - integratedAuthentication - LDAPData access

Monitoring

3

What is a Windows Enterprise?Servers Clients

4

What is a Windows Enterprise?Servers Clients

WEB

5

What is a Windows Enterprise?Servers Clients

Active Directory

6

What is a Windows Enterprise?Servers Clients

Active Directory

7

AgendaDefinitionInstallationActive Directory

Authentication - integratedAuthentication - LDAPData access

Monitoring

8

MSI installerIntegrates with existing productsInstalls all dependenciesCreate account, sets permissionsSupports silent installServer only, Server+client, Client only

Installation

9

xcopy deploymentNo registry entries required!

Well, there's ODBC...binaries-no-installer.zipDependencies, account, permissionsCustom build

Installation

10

AgendaDefinitionInstallationActive Directory

Authentication - integratedAuthentication - LDAPData access

Monitoring

11

Active Directory authenticationIntegrated authentication

Already logged in, why do it again?Fat clients

Web apps usually uses password to dbVery common for SQL Server/AccessStill need to create db user!

12

Active Directory authenticationClient interface dependentlibpq or built on libpqODBCJDBCnpgsql

13

Active Directory authenticationWindows-to-windows trivial

host all all 0.0.0.0/0 sspi

Set your AD policies!Always included

14

Active Directory authenticationWindows-to-unix a bit more workKerberos only

15

Kerberos 101Cross platform, standards-based, secure,

distributed authenticationShared secrets between hostsMaintained and controlled by KDCTrusted ticketsSingle sign-on

16

Kerberos 101

2. Ticket-granting-ticket (TGT)

1. Login request

KDC

Server

Client

17

Kerberos 101

6. Ticket POSTGRES@FOO

5. Ticket request POSTGRES@FOO

7. Acces

s reques

t w ticke

t3. Access

request

4. Requi

res Kerbe

ros ticke

t

KDC

Server

Client

18

Kerberos 101

6. Ticket POSTGRES@FOO

5. Ticket request POSTGRES@FOO

7. Acces

s reques

t w ticke

t3. Access

request

4. Requi

res Kerbe

ros ticke

t

KDC

Server

Client

19

Active Directory authenticationWindows-to-unix a bit more workKerberos only, requires service principals

AD enforces non-standard nameBasic Kerberos first!

/etc/krb5.conf [libdefaults] default_realm = DOMAIN.COM [domain_realm] domain.com = DOMAIN.COM .domain.com = DOMAIN.COM

20

Active Directory authenticationVerify with kinit/klist

kinit administrator@DOMAIN.COM

21

Active Directory authenticationInstall required build packages./configure --with-gssapiBuild + install as usualInitdb as usual

22

Active Directory authenticationCreate service principal (ordinary user)

23

Active Directory authenticationCreate Kerberos principal mappnig ktpass

-princ POSTGRES/lab83.domain.com@DOMAIN.COM -crypto DES-CBC-MD5 -mapuser lab83 -pass FooBar991 -out postgres.keytab

24

Active Directory authenticationVerify account is mapped

25

Active Directory authenticationpostgresql.conf

listen_addresses = '*'krb_server_keyfile = '/var/pgsql/data/postgres.keytab'krb_srvname = 'POSTGRES'

pg_hba.conf

host all all 0.0.0.0/0 gss

26

Active Directory authenticationClient side principal name

Environment: PGKRBSRVNAMEConnection string: krbsrvname

Needed on both Windows and Unix

27

Active Directory authenticationClient side principal name

Environment: PGKRBSRVNAMEConnection string: krbsrvname

Needed on both Windows and Unix

28

LDAP AuthenticationFor clients that don't support GSS/SSPIIf you actually want passwordsLooks like password prompt to clientpg_hba.conf

host all all 0.0.0.0/0 ldap ldap://dc.domain.com/dc=domain,dc=com;DOMAIN\

29

AgendaDefinitionInstallationActive Directory

Authentication - integratedAuthentication - LDAPData access

Monitoring

30

Access AD datadblink-ldap (pgfoundry)Build from source onlyCreate VIEWs of LDAP dataRead-only

31

Access AD dataCREATE VIEW users ASSELECT * FROM dblink_ldap( 'dc.domain.com', 'CN=Users, DC=domain, DC=com', E'DOMAIN\\User', 'password', '(objectClass=user)', 'distinguishedName,cn,displayName')t(dn, cn, displayName)

32

Access AD data

postgres=# SELECT * FROM users; dn | cn | displayname -----------------------------------------------------------------------------CN=mha,CN=Users,DC=domain,DC=com | mha | Magnus HaganderCN=Administrator,CN=Users,DC=domain,DC=com | Administrator | Admin(2 rows)

33

AgendaDefinitionInstallationActive Directory

Authentication - integratedAuthentication - LDAPData access

Monitoring

34

MonitoringPerformance Monitor for system

parameterspgsnmpd (unix only)pg_stat_xyz views

35

Future directionsschannel encryptionschannel certificate authenticationBetter monitoring support

pgsnmpd on windows ornative performance monitor plugin

36

Thank you!

Questions?

Slide 1Slide 2Why?Slide 4Slide 5Slide 6Slide 7Slide8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31Slide 32Slide 33Slide 34Slide 35Thank you!