TRANSCRIPT
-
1
Deploying PostgreSQL in a Windows Enterprise
Magnus [email protected]
PGCon 2008
Ottawa, Canada
May 2008
-
2
Agenda
Definition
Installation
Active Directory
  Authentication - integrated
  Authentication - LDAP
  Data access
Monitoring
-
3
What is a Windows Enterprise?
[diagram: Servers, Clients]
-
4
What is a Windows Enterprise?
[diagram: Servers, Clients, WEB]
-
5
What is a Windows Enterprise?
[diagram: Servers, Clients, Active Directory]
-
7
Agenda
Definition
Installation
Active Directory
  Authentication - integrated
  Authentication - LDAP
  Data access
Monitoring
-
8
Installation
MSI installer
Integrates with existing products
Installs all dependencies
Creates account, sets permissions
Supports silent install
Server only, Server+client, Client only
-
9
Installation
xcopy deployment
No registry entries required!
Well, there's ODBC...
binaries-no-installer.zip
Dependencies, account, permissions
Custom build
-
10
Agenda
Definition
Installation
Active Directory
  Authentication - integrated
  Authentication - LDAP
  Data access
Monitoring
-
11
Active Directory authentication
Integrated authentication
Already logged in, why do it again?
Fat clients
Web apps usually use a password to the db
Very common for SQL Server/Access
Still need to create db user!
-
12
Active Directory authentication
Client interface dependent
libpq or built on libpq
ODBC
JDBC
npgsql
-
13
Active Directory authentication
Windows-to-Windows trivial
host all all 0.0.0.0/0 sspi
Set your AD policies!
Always included
-
14
Active Directory authentication
Windows-to-Unix a bit more work
Kerberos only
-
15
Kerberos 101
Cross platform, standards-based, secure, distributed authentication
Shared secrets between hosts
Maintained and controlled by KDC
Trusted tickets
Single sign-on
-
16
Kerberos 101
[diagram: Client, KDC, Server]
1. Login request
2. Ticket-granting-ticket (TGT)
-
17
Kerberos 101
[diagram: Client, KDC, Server]
3. Access request
4. Requires Kerberos ticket
5. Ticket request POSTGRES@FOO
6. Ticket POSTGRES@FOO
7. Access request w/ ticket
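The seven steps in the two diagrams above, as an added Python model that is not code from the deck and not real Kerberos: the sealing primitive is a toy encrypt-then-MAC standing in for a Kerberos enctype, and the principal names mha@DOMAIN.COM and POSTGRES/pgsql.domain.com@DOMAIN.COM are constructed. KDC, client and the PostgreSQL-side server are separate functions so that the key each party actually needs is visible (the server holds only its own keytab key and never talks to the KDC).

```python
import hashlib, hmac, json, os, time
def _ks(key, nonce, n):  # toy keystream (HMAC-SHA256 in counter mode); illustration only
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # encrypt-then-MAC a JSON object: stand-in for a real Kerberos enctype
    nonce, pt = os.urandom(12), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

class KDC:  # holds every principal's long-term key (in AD: derived from the account password)
    def __init__(self, keys):
        self.keys, self.tgs_key = keys, os.urandom(32)
    def as_exchange(self, client):  # steps 1-2: login request -> TGT
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "sk": sk, "exp": time.time() + 600})
        return seal(self.keys[client], {"sk": sk, "tgt": tgt.hex()})
    def tgs_exchange(self, tgt_hex, service):  # steps 5-6: TGT -> ticket for POSTGRES/...
        t = unseal(self.tgs_key, bytes.fromhex(tgt_hex))
        if t["exp"] < time.time(): raise ValueError("TGT expired")
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sk": sk, "exp": time.time() + 600})
        return seal(bytes.fromhex(t["sk"]), {"sk": sk, "ticket": ticket.hex()})

def client_login(kdc, user, user_key, service):
    rep = unseal(user_key, kdc.as_exchange(user))  # only the real user can open the AS reply
    rep2 = unseal(bytes.fromhex(rep["sk"]), kdc.tgs_exchange(rep["tgt"], service))
    auth = seal(bytes.fromhex(rep2["sk"]), {"client": user, "ts": time.time()})  # step 7
    return rep2["ticket"], auth

def server_accept(service_key, ticket_hex, auth):  # PostgreSQL side: keytab key only, no KDC call
    t = unseal(service_key, bytes.fromhex(ticket_hex))
    a = unseal(bytes.fromhex(t["sk"]), auth)  # authenticator proves possession of the session key
    if t["exp"] < time.time() or a["client"] != t["client"] or abs(a["ts"] - time.time()) > 300:
        raise ValueError("ticket or authenticator rejected")
    return t["client"]
def demo():
    user, svc = "mha@DOMAIN.COM", "POSTGRES/pgsql.domain.com@DOMAIN.COM"  # constructed names
    kdc = KDC({user: os.urandom(32), svc: os.urandom(32)})
    ticket, auth = client_login(kdc, user, kdc.keys[user], svc)
    try:  # a server holding a different key (e.g. a stale keytab) must reject the same ticket
        wrong_key_accepted = bool(server_accept(os.urandom(32), ticket, auth))
    except ValueError:
        wrong_key_accepted = False
    return server_accept(kdc.keys[svc], ticket, auth), wrong_key_accepted
```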
-
19
Active Directory authentication
Windows-to-Unix a bit more work
Kerberos only, requires service principals
AD enforces non-standard name
Basic Kerberos first!
/etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.COM
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
-
20
Active Directory authentication
Verify with kinit/klist
kinit [email protected]
-
21
Active Directory authentication
Install required build packages
./configure --with-gssapi
Build + install as usual
Initdb as usual
-
22
Active Directory authentication
Create service principal (ordinary user)
-
23
Active Directory authentication
Create Kerberos principal mapping
ktpass -princ POSTGRES/[email protected] -crypto DES-CBC-MD5 -mapuser lab83 -pass FooBar991 -out postgres.keytab
-
24
Active Directory authentication
Verify account is mapped
-
25
Active Directory authentication
postgresql.conf
listen_addresses = '*'
krb_server_keyfile = '/var/pgsql/data/postgres.keytab'
krb_srvname = 'POSTGRES'
pg_hba.conf
host all all 0.0.0.0/0 gss
-
26
Active Directory authentication
Client side principal name
Environment: PGKRBSRVNAME
Connection string: krbsrvname
Needed on both Windows and Unix
-
28
LDAP Authentication
For clients that don't support GSS/SSPI
If you actually want passwords
Looks like password prompt to client
pg_hba.conf
host all all 0.0.0.0/0 ldap ldap://dc.domain.com/dc=domain,dc=com;DOMAIN\
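Added example, not from the deck: a small Python review of pg_hba.conf entries in the 8.3-era syntax used on the sspi, gss and ldap slides, including a parser for the ldap[s]://server/basedn;prefix;suffix option so the DOMAIN\ bind prefix can be checked. The sample file is constructed, and the parser assumes CIDR-form addresses (not the separate netmask column the 8.x format also allowed).

```python
import ipaddress, re

# Constructed sample in the 8.3-era pg_hba.conf syntax used in the slides.
SAMPLE_HBA = """
# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTION]
local   all       all                 trust
host    all       all   0.0.0.0/0     sspi
host    all       all   0.0.0.0/0     gss
host    all       all   10.1.2.0/24   ldap ldap://dc.domain.com/dc=domain,dc=com;DOMAIN\\
host    all       app   0.0.0.0/0     password
"""

def parse_ldap_url(url):
    """8.3-style ldap[s]://server[:port]/basedn[;prefix[;suffix]] -> dict."""
    m = re.match(r"(ldaps?)://([^/]+)/([^;]*)(?:;([^;]*))?(?:;(.*))?$", url)
    if not m:
        raise ValueError("unrecognised ldap URL: " + url)
    scheme, server, basedn, prefix, suffix = m.groups()
    return {"tls": scheme == "ldaps", "server": server, "basedn": basedn,
            "prefix": prefix or "", "suffix": suffix or ""}

def parse_hba(text):
    """Yield (line_no, entry) for each non-comment line; addr is None for 'local'."""
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            typ, db, user, addr, method, opt = f[0], f[1], f[2], None, f[3], f[4:]
        else:  # host / hostssl / hostnossl followed by a CIDR address
            typ, db, user, addr, method, opt = f[0], f[1], f[2], ipaddress.ip_network(f[3], strict=False), f[4], f[5:]
        yield n, {"type": typ, "db": db, "user": user, "addr": addr, "method": method, "opt": " ".join(opt)}

def audit_hba(text):
    """Return (line_no, finding) pairs a reviewer would raise for each entry."""
    findings = []
    for n, r in parse_hba(text):
        if r["method"] == "trust":
            findings.append((n, "trust: no authentication at all"))
        if r["method"] == "password":
            findings.append((n, "password: cleartext password on the wire (use md5 or stronger)"))
        if r["addr"] is not None and r["addr"].prefixlen == 0:
            findings.append((n, f"{r['method']}: open to any source address; narrow the CIDR"))
        if r["method"] == "ldap":
            u = parse_ldap_url(r["opt"])
            if not u["tls"]:
                findings.append((n, f"ldap: bind to {u['server']} without TLS; ldaps:// protects the bind"))
    return findings
```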
-
29
Agenda
Definition
Installation
Active Directory
  Authentication - integrated
  Authentication - LDAP
  Data access
Monitoring
-
30
Access AD data
dblink-ldap (pgfoundry)
Build from source only
Create VIEWs of LDAP data
Read-only
-
31
Access AD data
CREATE VIEW users AS
SELECT * FROM dblink_ldap(
  'dc.domain.com',
  'CN=Users, DC=domain, DC=com',
  E'DOMAIN\\User',
  'password',
  '(objectClass=user)',
  'distinguishedName,cn,displayName')
  t(dn, cn, displayName)
-
32
Access AD data
postgres=# SELECT * FROM users;
                     dn                     |      cn       |   displayname
--------------------------------------------+---------------+-----------------
 CN=mha,CN=Users,DC=domain,DC=com           | mha           | Magnus Hagander
 CN=Administrator,CN=Users,DC=domain,DC=com | Administrator | Admin
(2 rows)
-
33
Agenda
Definition
Installation
Active Directory
  Authentication - integrated
  Authentication - LDAP
  Data access
Monitoring
-
34
Monitoring
Performance Monitor for system parameters
pgsnmpd (unix only)
pg_stat_xyz views
-
35
Future directions
schannel encryption
schannel certificate authentication
Better monitoring support
pgsnmpd on Windows or native performance monitor plugin
-
36
Thank you!
Questions?