Deploying PostgreSQL in a Windows Enterprise

Magnus Hagandermagnus@hagander.net

PGCon 2008

Ottawa, CanadaMay 2008

Agenda

DefinitionInstallationActive Directory

Authentication - integratedAuthentication - LDAPData access

Monitoring

What is a Windows Enterprise?

Servers Clients

Active

Servers Clients

Active

Agenda

Monitoring

MSI installerIntegrates with existing productsInstalls all dependenciesCreate account, sets permissionsSupports silent installServer only, Server+client, Client only

Installation

”xcopy deployment”No registry entries required!

Well, there's ODBC...

binaries-no-installer.zipDependencies, account, permissionsCustom build

Installation

Agenda

Monitoring

Active Directory authentication

”Integrated authentication”Already logged in, why do it again?

Fat clientsWeb apps usually uses password to db

Very common for SQL Server/AccessStill need to create db user!

Client interface dependentlibpq or ”built on libpq”ODBCJDBCnpgsql

Windows-to-windows trivial

host all all 0.0.0.0/0 sspi

Set your AD policies!Always included

Windows-to-unix a bit more workKerberos only

Kerberos 101

Cross platform, standards-based, secure, distributed authentication

Shared secrets between hostsMaintained and controlled by KDCTrusted ticketsSingle sign-on

Kerberos 101

2. Ticket-granting-ticket (TGT)

1. Login request

Server

Client

Kerberos 101

6. Ticket POSTGRES@FOO

5. Ticket request POSTGRES@FOO

7. Access request w ticket3. Access request

4. Requires Kerberos ticket

Server

Client

Kerberos 101

6. Ticket POSTGRES@FOO

5. Ticket request POSTGRES@FOO

7. Access request w ticket3. Access request

4. Requires Kerberos ticket

Server

Client

Windows-to-unix a bit more workKerberos only, requires service principals

AD enforces non-standard name

Basic Kerberos first! /etc/krb5.conf

[libdefaults] default_realm = DOMAIN.COM [domain_realm] domain.com = DOMAIN.COM .domain.com = DOMAIN.COM

Verify with kinit/klistkinit administrator@DOMAIN.COM

Install required build packages./configure --with-gssapiBuild + install as usualInitdb as usual

Create service principal (ordinary user)

Create Kerberos principal mappnig ktpass

-princ POSTGRES/lab83.domain.com@DOMAIN.COM -crypto DES-CBC-MD5 -mapuser lab83 -pass FooBar991 -out postgres.keytab

Verify account is mapped

postgresql.conf

listen_addresses = '*'krb_server_keyfile = '/var/pgsql/data/postgres.keytab'krb_srvname = 'POSTGRES'

pg_hba.conf

host all all 0.0.0.0/0 gss

Client side principal nameEnvironment: PGKRBSRVNAMEConnection string: krbsrvname

Needed on both Windows and Unix

Client side principal nameEnvironment: PGKRBSRVNAMEConnection string: krbsrvname

Needed on both Windows and Unix

LDAP Authentication

For clients that don't support GSS/SSPIIf you actually want passwordsLooks like password prompt to clientpg_hba.conf

host all all 0.0.0.0/0 ldap ”ldap://dc.domain.com/dc=domain,dc=com;DOMAIN\”

Agenda

Monitoring

Access AD data

dblink-ldap (pgfoundry)Build from source onlyCreate VIEWs of LDAP dataRead-only

Access AD data

CREATE VIEW users AS

SELECT * FROM dblink_ldap( 'dc.domain.com', 'CN=Users, DC=domain, DC=com', E'DOMAIN\\User', 'password', '(objectClass=user)', 'distinguishedName,cn,displayName')

t(dn, cn, displayName)

Access AD data

postgres=# SELECT * FROM users;

dn | cn | displayname

-----------------------------------------------------------------------------

CN=mha,CN=Users,DC=domain,DC=com | mha | Magnus Hagander

CN=Administrator,CN=Users,DC=domain,DC=com | Administrator | Admin

(2 rows)

Agenda

Monitoring

Performance Monitor for system parameters

pgsnmpd (unix only)pg_stat_xyz views

Future directions

schannel encryptionschannel certificate authenticationBetter monitoring support

pgsnmpd on windows ornative performance monitor plugin

Thank you!

Questions?

Deploying PostgreSQL in a Windows Enterprise

Documents

Transcript of Deploying PostgreSQL in a Windows Enterprise

Deploying Windows phones with the Windows Mobile 6.5 operating

Deploying applications to Windows Server 2016 and Windows Containers

Instalacion de PostgreSQL en Windows 7

PostgreSQL on Windows - hagander.net · 1 PostgreSQL on Windows Magnus Hagander magnus@hagander.net PostgreSQL Global Development Group

Deploying Windows Azure Pack for Windows Server€¦ · Deploying Windows Azure Pack for Windows Server Microsoft Corporation Published date: October 29, 2013

Developing and Deploying Windows 10 Apps

Deploying Windows Mobile solutions

Dean Suzuki Blog Title: Deploying AD into Windows Azure ... · 02/06/2014 · ... Deploying AD into Windows Azure with No Corporate Connectivity ... Guidelines for Deploying Windows

Premiers pas avec PostgreSQL · Lancez l'installeur (pour Postgresql 9.1, le fichier s'appelle : postgresql-9.1.2-1-windows.exe ou postgresql-9.1.2-1-windows-x64.exe pour les architectures

Deploying Windows Azure Pack for Windows Serverdownload.microsoft.com/download/4/1/D/41D52159-2... · Deploying Windows Azure Pack for Windows ... and Node.js web applications. ...

Deploying Windows 7

CPTER 1hA Deploying and updating Windows Server 2012spots.augusta.edu/tschultz/resources/ebooks/Admin... · CPTER 1hA. Deploying and updating . Windows ... Deploying and updating

Deploying Windows 7 using Microsoft Deployment Tool · PDF file17.07.2012 · Deploying Windows 7 using ... Deploying Win7 Using MDT 2012 Test Lab Guide Last ... Deploying Windows

Deploying Windows Vista Service Pack 1

Respaldo y Recuperaci n en PostgreSQL Para Windows

Deploying Maximum HA Architecture With PostgreSQL

Installing PostgreSQL/PostGIS and QGIS in Windows environment

Deploying PostgreSQL in a Windows Enterprise - … PostgreSQL in a Windows... · 1 Deploying PostgreSQL in a Windows Enterprise Magnus Hagander magnus@hagander.net PGCon 2008 Ottawa,

Advanced PostgreSQL on Windows - Magnus Hagander PostgreSQL on Windows.pdf · 3 Why PostgreSQL on Windows Isn’t Linux better? Often, but not always Several scenarios Developer laptops

Deploying OVN on Windows with OpenStack and …...Deploying OVN on Windows with OpenStack and Kubernetes + + + + +