Deploying PostgreSQL in a Windows Enterprise
Magnus Hagander, [email protected]
PGCon 2008
Ottawa, Canada, May 2008
Agenda
- Definition
- Installation
- Active Directory
- Authentication - integrated
- Authentication - LDAP
- Data access
- Monitoring
What is a Windows Enterprise?
[Diagram built up over four slides: Servers and Clients, then a WEB tier, then Active Directory]
Installation: MSI installer
- Integrates with existing products
- Installs all dependencies
- Creates the service account, sets permissions
- Supports silent install
- Server only, Server+client, Client only
Installation: xcopy deployment
- No registry entries required! (Well, there's ODBC...)
- binaries-no-installer.zip
- Dependencies, account, permissions
- Custom build
Active Directory authentication: integrated authentication
- Already logged in, why do it again?
- Fat clients
- Web apps usually use a password to the db (very common for SQL Server/Access)
- Still need to create the db user!
Active Directory authentication: client interface dependent
- libpq, or built on libpq
- ODBC
- JDBC
- npgsql
Active Directory authentication: Windows-to-Windows is trivial
pg_hba.conf:
  host all all 0.0.0.0/0 sspi
- Set your AD policies!
- Always included
Active Directory authentication: Windows-to-Unix is a bit more work
- Kerberos only
Kerberos 101
- Cross-platform, standards-based, secure, distributed authentication
- Shared secrets between hosts
- Maintained and controlled by the KDC
- Trusted tickets
- Single sign-on
Kerberos 101
[Diagram with three parties: Client, Server, KDC; built up over three slides]
1. Login request (client to KDC)
2. Ticket-granting ticket (TGT) (KDC to client)
3. Access request (client to server)
4. Requires Kerberos ticket (server to client)
5. Ticket request POSTGRES@FOO (client to KDC)
6. Ticket POSTGRES@FOO (KDC to client)
7. Access request with ticket (client to server)
Active Directory authentication: Windows-to-Unix is a bit more work
- Kerberos only, requires service principals
- AD enforces a non-standard name
- Basic Kerberos first!

/etc/krb5.conf:
  [libdefaults]
  default_realm = DOMAIN.COM
  [domain_realm]
  domain.com = DOMAIN.COM
  .domain.com = DOMAIN.COM
Active Directory authentication: verify with kinit/klist
  kinit [email protected]
Active Directory authentication: build the server
- Install required build packages
- ./configure --with-gssapi
- Build + install as usual
- initdb as usual
Active Directory authentication: create the service principal (an ordinary user account)
Active Directory authentication: create the Kerberos principal mapping with ktpass
  ktpass -princ POSTGRES/[email protected] -crypto DES-CBC-MD5 -mapuser lab83 -pass FooBar991 -out postgres.keytab
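The keytab that ktpass writes can be audited offline for the encryption types it carries; this added Python example (not from the talk or the PostgreSQL project) parses the MIT keytab format (version 0x0502) and flags single-DES and RC4 keys. The two-entry keytab it checks is constructed inline for a made-up principal POSTGRES/pg.domain.com@DOMAIN.COM.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / IANA); 1 and 3 are single DES, 23 is RC4
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}  # deprecated; modern AD disables single DES by default

def _counted(data, pos):  # counted octet string: uint16 length then bytes -> (text, new pos)
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):  # parse an MIT-format keytab (version 0x0502) into entry dicts
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:  # a negative size marks a deleted slot to skip
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        # name_type (uint32), timestamp (uint32), 8-bit kvno, enctype, key length
        _ntype, _stamp, kvno, etype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen  # skip the key material itself
        if end - pos >= 4:  # optional 32-bit kvno overrides the 8-bit field when nonzero
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(etype, "etype-%d" % etype),
                        "weak": etype in WEAK_ENCTYPES})
    return entries

def _entry(realm, comps, etype, key, kvno):  # build one entry; only for the sample below
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample, made-up principal: a DES-CBC-MD5 key (as ktpass -crypto DES-CBC-MD5 writes) plus AES-256
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("DOMAIN.COM", ["POSTGRES", "pg.domain.com"], 3, b"\x11" * 8, 2)
                 + _entry("DOMAIN.COM", ["POSTGRES", "pg.domain.com"], 18, b"\x22" * 32, 2))
```

Run it against the real postgres.keytab (read in binary mode) and any entry with "weak" set to True is a key the AD policy will likely reject or that should be re-issued with an AES enctype.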
Active Directory authentication: verify the account is mapped
Active Directory authentication: server configuration
postgresql.conf:
  listen_addresses = '*'
  krb_server_keyfile = '/var/pgsql/data/postgres.keytab'
  krb_srvname = 'POSTGRES'
pg_hba.conf:
  host all all 0.0.0.0/0 gss
Active Directory authentication: client-side principal name
- Environment: PGKRBSRVNAME
- Connection string: krbsrvname
- Needed on both Windows and Unix
LDAP authentication
- For clients that don't support GSS/SSPI
- If you actually want passwords
- Looks like a password prompt to the client
pg_hba.conf:
  host all all 0.0.0.0/0 ldap ldap://dc.domain.com/dc=domain,dc=com;DOMAIN\
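Every pg_hba.conf rule in this talk matches 0.0.0.0/0; as an added example (not from the talk), this Python linter parses pg_hba.conf rules and reports the settings a reviewer would tighten: trust or cleartext password methods, address ranges that match everyone, and an ldap:// URL without TLS. The sample file is constructed here from the talk's three rules plus two extra lines.

```python
import ipaddress

# Constructed pg_hba.conf sample: the rules shown in the talk plus a trust and a local line
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD  [OPTIONS]
host    all       all   0.0.0.0/0     sspi
host    all       all   0.0.0.0/0     gss
host    all       all   0.0.0.0/0     ldap ldap://dc.domain.com/dc=domain,dc=com;DOMAIN\\
host    all       all   127.0.0.1/32  trust
local   all       all                 md5
"""

def parse_rule(line):
    """Split one pg_hba.conf rule into (type, database, user, network-or-None, method, options)."""
    f = line.split()
    if f[0] == "local":                   # local rules have no address column
        return f[0], f[1], f[2], None, f[3], f[4:]
    if "/" in f[3]:                       # CIDR form: 192.168.0.0/24
        net, rest = ipaddress.ip_network(f[3], strict=False), f[4:]
    else:                                 # address followed by a separate netmask column
        net, rest = ipaddress.ip_network((f[3], f[4]), strict=False), f[5:]
    return f[0], f[1], f[2], net, rest[0], rest[1:]

def lint_hba(text):
    """Return a list of (line number, method, issue) for rules a reviewer would question."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        _kind, _db, _user, net, method, opts = parse_rule(line)
        if method == "trust":
            findings.append((no, method, "trust authenticates nobody; any reachable client connects"))
        if method == "password":
            findings.append((no, method, "cleartext password on the wire; use md5 or an external method"))
        if net is not None and net.prefixlen == 0:
            findings.append((no, method, "rule matches every address; narrow it to the client networks"))
        if method == "ldap" and not any(o.lower().startswith("ldaps://") for o in opts):
            findings.append((no, method, "ldap:// bind carries the password to the DC unencrypted; use ldaps://"))
    return findings
```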
Access AD data
- dblink-ldap (pgfoundry)
- Build from source only
- Create VIEWs of LDAP data
- Read-only
Access AD data
  CREATE VIEW users AS
  SELECT * FROM dblink_ldap(
      'dc.domain.com',
      'CN=Users, DC=domain, DC=com',
      E'DOMAIN\\User',
      'password',
      '(objectClass=user)',
      'distinguishedName,cn,displayName')
    t(dn, cn, displayName);
Access AD data
  postgres=# SELECT * FROM users;
                       dn                      |      cn       |   displayname
  ---------------------------------------------+---------------+-----------------
   CN=mha,CN=Users,DC=domain,DC=com            | mha           | Magnus Hagander
   CN=Administrator,CN=Users,DC=domain,DC=com  | Administrator | Admin
  (2 rows)
Monitoring
- Performance Monitor for system parameters
- pgsnmpd (unix only)
- pg_stat_xyz views
Future directions
- schannel encryption
- schannel certificate authentication
- Better monitoring support: pgsnmpd on Windows, or a native Performance Monitor plugin
Thank you!
Questions?