The Kerberos and LDAP authentication

Kerberos is a protocol for authentication service requests between trusted hosts across an untrusted network. Kerberos manages credentials (authentication), while LDAP holds authoritative information about user accounts and their access rights (authorization).

We create a secure connection between two hosts (OS — CentOS):

  • 10.92.6.36, adpg-host, adpg-host.domain.local;

  • 10.92.6.201, freeipa-host, freeipa-host.domain.local.

ADPG is installed on adpg-host.

Install the FreeIPA server

We use Docker CE to deploy the FreeIPA server on freeipa-host. Follow the steps below to install FreeIPA.

  1. Execute the command below to add host names and their IP addresses to the hosts file:

    sudo tee -a /etc/hosts > /dev/null <<EOT
    10.92.6.36  adpg-host.domain.local adpg-host
    10.92.6.201 freeipa-host.domain.local freeipa-host
    EOT
  2. Use the hostnamectl tool to set the hostname:

    sudo hostnamectl set-hostname freeipa-host.domain.local
  3. Execute the following commands to disable SELinux:

    sudo setenforce 0
    sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
    sudo reboot
  4. Install Docker CE:

    sudo -i
    yum remove docker \
                   docker-client \
                   docker-client-latest \
                   docker-common \
                   docker-latest \
                   docker-latest-logrotate \
                   docker-logrotate \
                   docker-engine
    yum install -y yum-utils
    yum-config-manager \
        --add-repo \
        https://download.docker.com/linux/centos/docker-ce.repo
    yum install docker-ce docker-ce-cli containerd.io docker-compose-plugin
    systemctl start docker
    systemctl enable docker
  5. Create the ipa-data directory for the FreeIPA configuration files, specify FreeIPA installation options, and write them to the ipa-server-install-options file:

    mkdir /var/lib/ipa-data
    tee -a /var/lib/ipa-data/ipa-server-install-options > /dev/null <<EOT
    --realm=DOMAIN.LOCAL
    --ds-password=freeipaDSpass
    --admin-password=freeipaADMINpass
    EOT
  6. Install the FreeIPA server:

    docker run -ti -h freeipa-host.domain.local --read-only \
        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
        --name freeipa \
        --network host \
        -v /var/lib/ipa-data:/data:Z -v /etc/hosts:/etc/hosts \
        -e PASSWORD=Password123 \
        freeipa/freeipa-server:centos-7 ipa-server-install -U -r DOMAIN.LOCAL --no-ntp

Install the FreeIPA client

Install the FreeIPA client on adpg-host.

  1. Add host names and their IP addresses to the hosts file:

    sudo tee -a /etc/hosts > /dev/null <<EOT
    10.92.6.36  adpg-host.domain.local adpg-host
    10.92.6.201 freeipa-host.domain.local freeipa-host
    EOT
  2. Use the hostnamectl tool to set the hostname:

    sudo hostnamectl set-hostname adpg-host.domain.local
  3. Execute the following commands to disable SELinux:

    sudo setenforce 0
    sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
    sudo reboot
  4. Install the FreeIPA client:

    sudo -i
    
    yum install freeipa-client
  5. Utilize the ipa-client-install command to configure adpg-host to use IPA:

    ipa-client-install --mkhomedir --domain=domain.local --server=adpg-host.domain.local

    The terminal displays the following notification:

    Autodiscovery of servers for failover cannot work with this configuration.
    If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
    Proceed with fixed values and no DNS discovery? [no]:

    Type yes to continue with fixed values. The fixed values are displayed:

    Client hostname: adpg-host.domain.local
    Realm: DOMAIN.LOCAL
    DNS Domain: domain.local
    IPA Server: freeipa-host.domain.local
    BaseDN: dc=domain,dc=local
    
    Continue to configure the system with these values? [no]:

    Type yes to confirm the settings.

    Specify admin as the authorized user:

    User authorized to enroll computers: admin

    Enter the password that is passed as the PASSWORD parameter of the docker run command (in our example — Password123).

  6. Use the kinit command to obtain a new Kerberos ticket. Execute the klist command to check if a Kerberos ticket is created:

    kinit admin
    klist
  7. Add a user and set their password:

    ipa user-add pguser --first=pguser --last=PG --password

    The result:

    -------------------
    Added user "pguser"
    -------------------
      User login: pguser
      First name: pguser
      Last name: PG
      Full name: pguser PG
      Display name: pguser PG
      Initials: pP
      Home directory: /home/pguser
      GECOS: pguser PG
      Login shell: /bin/sh
      Principal name: pguser@DOMAIN.LOCAL
      Principal alias: pguser@DOMAIN.LOCAL
      User password expiration: 20220804150601Z
      Email address: pguser@domain.local
      UID: 1391600001
      GID: 1391600001
      Password: True
      Member of groups: ipausers
      Kerberos keys available: True
  8. Services require Service Principal Name (SPN) to perform Kerberos authentication. Register the postgres service to obtain SPN:

    ipa service-add postgres/adpg-host.domain.local@DOMAIN.LOCAL --force

    The result:

    ---------------------------------------------------------------
    Added service "postgres/adpg-host.domain.local@DOMAIN.LOCAL"
    ---------------------------------------------------------------
      Principal name: postgres/adpg-host.domain.local@DOMAIN.LOCAL
      Principal alias: postgres/adpg-host.domain.local@DOMAIN.LOCAL
      Managed by: adpg-host.domain.local

Configure ADPG for Kerberos

Create a keytab on adpg-host :

ipa-getkeytab --principal=postgres/adpg-host.domain.local@DOMAIN.LOCAL --keytab=/etc/krb5.keytab

Use the chown command to change the owner and the group of the krb5.keytab file:

chown postgres:postgres /etc/krb5.keytab

Utilize ADCM to change the ADPG configuration settings. Open CLUSTERS → ADPG cluster → Services → ADPG → Configuration and set listen_addresses to *.

Enable the Advanced checkbox and add the following line to the postgresql.conf custom section:

krb_server_keyfile = '/etc/krb5.keytab'

Add the following line to the PG_HBA section:

host all pguser 0.0.0.0/0 gss  include_realm=0 krb_realm=DOMAIN.LOCAL

Click the Save button and execute the Reconfigure & Restart action to apply changes.

Create a user on adpg-host:

sudo su - postgres
psql -c "CREATE USER pguser"

Test the GSSAPI-encrypted connection:

kinit pguser
psql -h adpg-host.domain.local -U pguser postgres

The result:

psql (14.3)
GSSAPI-encrypted connection
Type "help" for help.

postgres=#

Install the openldap-clients package

The openldap-clients package contains command line tools to view and modify directories on an LDAP server. Install openldap-clients on adpg-host:

yum install openldap-clients -y

Execute the klist command to check if a current system user obtains a Kerberos ticket with IPA administrative privilege. If not, run the command kinit admin:

klist
kinit admin

Add a user:

ipa user-add pgldap --first=pgldap --last=PG --password

Test the connection:

ldapsearch -x -h freeipa-host.domain.local  -b dc=domain,dc=local uid=pgldap

Configure ADPG to use LDAP

Create the pgldap user:

sudo su - postgres
psql -c "CREATE USER pgldap"

Add the following line to the PG_HBA section:

host all pgldap 0.0.0.0/0 ldap  ldapserver=freeipa-host.domain.local ldapbasedn="cn=users,cn=compat,dc=domain,dc=local" ldapsearchattribute=uid

Click the Save button and execute the Reconfigure & Reload action to apply changes.

Test the GSSAPI-encrypted connection:

kinit pgldap
psql -h adpg-host.domain.local -U pgldap postgres

The result:

psql (14.3)
GSSAPI-encrypted connection
Type "help" for help.

postgres=#
Found a mistake? Seleсt text and press Ctrl+Enter to report it