Deploying PostgreSQL in a Windows Enterprise

1

Deploying PostgreSQL in a Windows Enterprise

Magnus [email protected]

PGCon 2008

Ottawa, CanadaMay 2008

2

Agenda

DefinitionInstallationActive Directory

Authentication - integratedAuthentication - LDAPData access

Monitoring

3

What is a Windows Enterprise?

Servers Clients

4


Servers Clients

WE

B

5


Servers Clients

Active

Dire

ctory

6


Servers Clients

Active

Dire

ctory

7

Agenda



Monitoring

8

MSI installerIntegrates with existing productsInstalls all dependenciesCreate account, sets permissionsSupports silent installServer only, Server+client, Client only

Installation

9

”xcopy deployment”No registry entries required!

Well, there's ODBC...

binaries-no-installer.zipDependencies, account, permissionsCustom build

Installation

10

Agenda



Monitoring

11

Active Directory authentication

”Integrated authentication”Already logged in, why do it again?

Fat clientsWeb apps usually uses password to db

Very common for SQL Server/AccessStill need to create db user!

12


Client interface dependentlibpq or ”built on libpq”ODBCJDBCnpgsql

13


Windows-to-windows trivial

host all all 0.0.0.0/0 sspi

Set your AD policies!Always included

14


Windows-to-unix a bit more workKerberos only

15

Kerberos 101

Cross platform, standards-based, secure, distributed authentication

Shared secrets between hostsMaintained and controlled by KDCTrusted ticketsSingle sign-on

16

Kerberos 101

2. Ticket-granting-ticket (TGT)

1. Login request

KDC

Server

Client

17

Kerberos 101

6. Ticket POSTGRES@FOO

5. Ticket request POSTGRES@FOO

7. Access request w ticket3. Access request

4. Requires Kerberos ticket

KDC

Server

Client

18

Kerberos 101

6. Ticket POSTGRES@FOO

5. Ticket request POSTGRES@FOO

7. Access request w ticket3. Access request

4. Requires Kerberos ticket

KDC

Server

Client

19


Windows-to-unix a bit more workKerberos only, requires service principals

AD enforces non-standard name

Basic Kerberos first! /etc/krb5.conf

[libdefaults] default_realm = DOMAIN.COM [domain_realm] domain.com = DOMAIN.COM .domain.com = DOMAIN.COM

20


Verify with kinit/klistkinit [email protected]

21


Install required build packages./configure --with-gssapiBuild + install as usualInitdb as usual

22


Create service principal (ordinary user)

23


Create Kerberos principal mappnig ktpass

-princ POSTGRES/[email protected] -crypto DES-CBC-MD5 -mapuser lab83 -pass FooBar991 -out postgres.keytab

24


Verify account is mapped

25


postgresql.conf

listen_addresses = '*'krb_server_keyfile = '/var/pgsql/data/postgres.keytab'krb_srvname = 'POSTGRES'

pg_hba.conf

host all all 0.0.0.0/0 gss

26


Client side principal nameEnvironment: PGKRBSRVNAMEConnection string: krbsrvname

Needed on both Windows and Unix

27


Client side principal nameEnvironment: PGKRBSRVNAMEConnection string: krbsrvname

Needed on both Windows and Unix

28

LDAP Authentication

For clients that don't support GSS/SSPIIf you actually want passwordsLooks like password prompt to clientpg_hba.conf

host all all 0.0.0.0/0 ldap ”ldap://dc.domain.com/dc=domain,dc=com;DOMAIN\”

29

Agenda



Monitoring

30

Access AD data

dblink-ldap (pgfoundry)Build from source onlyCreate VIEWs of LDAP dataRead-only

31

Access AD data

CREATE VIEW users AS

SELECT * FROM dblink_ldap( 'dc.domain.com', 'CN=Users, DC=domain, DC=com', E'DOMAIN\\User', 'password', '(objectClass=user)', 'distinguishedName,cn,displayName')

t(dn, cn, displayName)

33

Agenda



Monitoring

34

Monitoring

Performance Monitor for system parameters

pgsnmpd (unix only)pg_stat_xyz views

35

Future directions

schannel encryptionschannel certificate authenticationBetter monitoring support

pgsnmpd on windows ornative performance monitor plugin

36

Thank you!

Questions?

Deploying PostgreSQL in a Windows Enterprise

Documents

Transcript of Deploying PostgreSQL in a Windows Enterprise