Kerberos and LDAP authentication

Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network. In this setup Kerberos manages credentials (authentication), while LDAP holds the authoritative information about user accounts and their access rights (authorization).
We create a secure connection between two CentOS hosts:

- 10.92.6.36, adpg-host, adpg-host.domain.local;
- 10.92.6.201, freeipa-host, freeipa-host.domain.local.
ADPG is installed on adpg-host.
Install the FreeIPA server
We use Docker CE to deploy the FreeIPA server on freeipa-host. Follow the steps below to install FreeIPA.

- Execute the command below to add host names and their IP addresses to the hosts file:

sudo tee -a /etc/hosts > /dev/null <<EOT
10.92.6.36 adpg-host.domain.local adpg-host
10.92.6.201 freeipa-host.domain.local freeipa-host
EOT

- Use the hostnamectl tool to set the hostname:

sudo hostnamectl set-hostname freeipa-host.domain.local

- Execute the following commands to disable SELinux:

sudo setenforce 0
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
sudo reboot

- Install Docker CE:

sudo -i
yum remove docker \
    docker-client \
    docker-client-latest \
    docker-common \
    docker-latest \
    docker-latest-logrotate \
    docker-logrotate \
    docker-engine
yum install -y yum-utils
yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce docker-ce-cli containerd.io docker-compose-plugin
systemctl start docker
systemctl enable docker

- Create the ipa-data directory for the FreeIPA configuration files, specify the FreeIPA installation options, and write them to the ipa-server-install-options file:

mkdir /var/lib/ipa-data
tee -a /var/lib/ipa-data/ipa-server-install-options > /dev/null <<EOT
--realm=DOMAIN.LOCAL
--ds-password=freeipaDSpass
--admin-password=freeipaADMINpass
EOT

- Install the FreeIPA server:

docker run -ti -h freeipa-host.domain.local --read-only \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --name freeipa \
    --network host \
    -v /var/lib/ipa-data:/data:Z -v /etc/hosts:/etc/hosts \
    -e PASSWORD=Password123 \
    freeipa/freeipa-server:centos-7 ipa-server-install -U -r DOMAIN.LOCAL --no-ntp
Install the FreeIPA client
Install the FreeIPA client on adpg-host.

- Add host names and their IP addresses to the hosts file:

sudo tee -a /etc/hosts > /dev/null <<EOT
10.92.6.36 adpg-host.domain.local adpg-host
10.92.6.201 freeipa-host.domain.local freeipa-host
EOT

- Use the hostnamectl tool to set the hostname:

sudo hostnamectl set-hostname adpg-host.domain.local

- Execute the following commands to disable SELinux:

sudo setenforce 0
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
sudo reboot

- Install the FreeIPA client:

sudo -i
yum install freeipa-client

- Use the ipa-client-install command to configure adpg-host to use IPA. The --server option must point at the FreeIPA server (freeipa-host), not at the client itself:

ipa-client-install --mkhomedir --domain=domain.local --server=freeipa-host.domain.local
The terminal displays the following notification:

Autodiscovery of servers for failover cannot work with this configuration. If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]:

Type yes to continue with fixed values. The fixed values are displayed:

Client hostname: adpg-host.domain.local
Realm: DOMAIN.LOCAL
DNS Domain: domain.local
IPA Server: freeipa-host.domain.local
BaseDN: dc=domain,dc=local

Continue to configure the system with these values? [no]:

Type yes to confirm the settings. Specify admin as the authorized user:

User authorized to enroll computers: admin

Enter the password that is passed as the PASSWORD parameter of the docker run command (in our example, Password123).

- Use the kinit command to obtain a new Kerberos ticket, then execute the klist command to check that the ticket was created:

kinit admin
klist
- Add a user and set their password:

ipa user-add pguser --first=pguser --last=PG --password

The result:

-------------------
Added user "pguser"
-------------------
  User login: pguser
  First name: pguser
  Last name: PG
  Full name: pguser PG
  Display name: pguser PG
  Initials: pP
  Home directory: /home/pguser
  GECOS: pguser PG
  Login shell: /bin/sh
  Principal name: pguser@DOMAIN.LOCAL
  Principal alias: pguser@DOMAIN.LOCAL
  User password expiration: 20220804150601Z
  Email address: pguser@domain.local
  UID: 1391600001
  GID: 1391600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

- Services require a Service Principal Name (SPN) to perform Kerberos authentication. Register the postgres service to obtain an SPN:

ipa service-add postgres/adpg-host.domain.local@DOMAIN.LOCAL --force

The result:

---------------------------------------------------------------
Added service "postgres/adpg-host.domain.local@DOMAIN.LOCAL"
---------------------------------------------------------------
  Principal name: postgres/adpg-host.domain.local@DOMAIN.LOCAL
  Principal alias: postgres/adpg-host.domain.local@DOMAIN.LOCAL
  Managed by: adpg-host.domain.local
Configure ADPG for Kerberos
Create a keytab on adpg-host:
ipa-getkeytab --principal=postgres/adpg-host.domain.local@DOMAIN.LOCAL --keytab=/etc/krb5.keytab
Use the chown command to change the owner and the group of the krb5.keytab file:
chown postgres:postgres /etc/krb5.keytab
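Two things are worth verifying once the keytab is in place: that only the postgres account can read it (it holds the service's long-term key, and anyone who can read it can impersonate the service), and that it actually contains the postgres/adpg-host.domain.local@DOMAIN.LOCAL principal. The script below is an added example, not ADPG's or FreeIPA's code. It parses the MIT keytab file format (magic 0x0502) directly so it needs no Kerberos library, and takes the expected owner uid/gid as arguments (on adpg-host, the postgres account's ids) rather than assuming that account exists wherever it runs; demo() writes a constructed keytab with a dummy key to a temporary file so the checks can be exercised offline.

```python
"""Check the keytab ipa-getkeytab wrote for the postgres service (added example,
not ADPG's or FreeIPA's code).  Reads the MIT keytab format (magic 0x0502)
directly; expected owner uid/gid are passed in, not looked up."""
from __future__ import annotations
import os, struct, tempfile
from typing import NamedTuple

KEYTAB_MAGIC = b"\x05\x02"

class KeytabEntry(NamedTuple):
    principal: str  # e.g. postgres/adpg-host.domain.local@DOMAIN.LOCAL
    kvno: int       # key version number
    enctype: int    # 17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96

def _counted(data: bytes, pos: int) -> tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)   # uint16 length, then the bytes
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def read_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse keytab bytes into entries; key material is skipped, never returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 (0x0502) keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break             # zero-filled tail
        if size < 0:
            pos -= size       # negative size marks a deleted slot of that length
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        vno8 = data[p + 8]                                   # after uint32 name_type, uint32 timestamp
        enctype, keylen = struct.unpack_from(">HH", data, p + 9)
        p += 9 + 4 + keylen                                  # skip the key block
        kvno = vno8
        if end - p >= 4:                                     # optional 32-bit kvno overrides vno8
            kvno = struct.unpack_from(">I", data, p)[0] or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def build_keytab(entries: list[KeytabEntry], key: bytes = bytes(32)) -> bytes:
    """Write the same format with a dummy key; only used to construct test input."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm, *comps]:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def check_keytab(path: str, spn: str, uid: int, gid: int) -> list[str]:
    """Return findings; an empty list means the keytab is usable by uid:gid and holds spn."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing; run ipa-getkeytab first"]
    findings = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        findings.append(f"{path}: owned by {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    if st.st_mode & 0o077:
        findings.append(f"{path}: mode {st.st_mode & 0o777:04o} lets group/other read the service key")
    with open(path, "rb") as fh:
        data = fh.read()
    try:
        principals = [e.principal for e in read_keytab(data)]
    except (ValueError, struct.error) as exc:
        return findings + [f"{path}: unreadable keytab ({exc})"]
    if spn not in principals:
        findings.append(f"{path}: {spn} not in keytab (entries: {principals})")
    return findings

def demo() -> dict[str, list[str]]:
    """Construct a keytab for the page's SPN and check it at mode 0644, then 0600."""
    spn = "postgres/adpg-host.domain.local@DOMAIN.LOCAL"
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.write(fd, build_keytab([KeytabEntry(spn, 3, 18), KeytabEntry(spn, 3, 17)]))
    os.close(fd)
    uid, gid = os.getuid(), os.getgid()
    try:
        os.chmod(path, 0o644)
        loose = check_keytab(path, spn, uid, gid)
        os.chmod(path, 0o600)
        tight = check_keytab(path, spn, uid, gid)
        wrong = check_keytab(path, "postgres/other-host.domain.local@DOMAIN.LOCAL", uid, gid)
    finally:
        os.unlink(path)
    return {"0644": loose, "0600": tight, "wrong_spn": wrong}
```

On adpg-host the real call would be check_keytab("/etc/krb5.keytab", "postgres/adpg-host.domain.local@DOMAIN.LOCAL", uid, gid) with the ids of the postgres account; the chown step above fixes ownership, and a non-empty mode finding means the file also needs its group/other bits cleared. The reported kvno is useful when authentication fails after the service key has been re-issued, since a stale keytab is the usual cause.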
Use ADCM to change the ADPG configuration settings. Open Clusters → ADPG cluster → Services → ADPG → Primary configuration and set listen_addresses to *.
Add the following line to the postgresql.conf custom section:
krb_server_keyfile = '/etc/krb5.keytab'
Add the following line to the PG_HBA section:
host all pguser 0.0.0.0/0 gss include_realm=0 krb_realm=DOMAIN.LOCAL
Click the Save button and execute the Reconfigure & Restart action to apply changes.
Create a user on adpg-host:
sudo su - postgres
psql -c "CREATE USER pguser"
Test the GSSAPI-encrypted connection:
kinit pguser
psql -h adpg-host.domain.local -U pguser postgres
The result:
psql (14.3)
GSSAPI-encrypted connection
Type "help" for help.

postgres=#
Install the openldap-clients package
The openldap-clients package contains command line tools to view and modify directories on an LDAP server. Install openldap-clients on adpg-host:
yum install openldap-clients -y
Execute the klist command to check whether the current system user holds a Kerberos ticket with IPA administrative privileges. If not, run kinit admin:
klist
kinit admin
Add a user:
ipa user-add pgldap --first=pgldap --last=PG --password
Test the connection:
ldapsearch -x -h freeipa-host.domain.local -b dc=domain,dc=local uid=pgldap
Configure ADPG to use LDAP
Create the pgldap user:
sudo su - postgres
psql -c "CREATE USER pgldap"
Add the following line to the PG_HBA section:
host all pgldap 0.0.0.0/0 ldap ldapserver=freeipa-host.domain.local ldapbasedn="cn=users,cn=compat,dc=domain,dc=local" ldapsearchattribute=uid
Click the Save button and execute the Reconfigure & Reload action to apply changes.
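The two PG_HBA lines this page adds (the gss line for pguser in the Kerberos section and the ldap line for pgldap above) are the access-control decision for these users, so it is worth checking them mechanically before Reconfigure & Reload. The script below is an added example, not ADPG's or PostgreSQL's code: it parses pg_hba.conf lines (CIDR address form only) and flags entries that open more than the procedure needs. The checks follow documented PostgreSQL semantics: a gss method on a plain host line still admits sessions without GSSAPI encryption (only hostgssenc requires it), gss without krb_realm accepts principals from any realm the KDC trusts, and ldap simple bind sends the user's password to the LDAP server in clear unless ldaptls=1 or an ldaps:// ldapurl is set. SAMPLE_PG_HBA is constructed from the page's two lines.

```python
"""Audit pg_hba.conf entries such as the gss and ldap lines used in this page.
Added example, not ADPG's or PostgreSQL's code."""
from __future__ import annotations
import shlex
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HbaEntry:
    lineno: int
    conn_type: str                 # local, host, hostssl, hostnossl, hostgssenc, hostnogssenc
    database: str
    user: str
    address: Optional[str]         # None for "local" lines
    method: str
    options: dict[str, str] = field(default_factory=dict)

def parse_pg_hba(text: str) -> list[HbaEntry]:
    """Parse pg_hba.conf text; assumes CIDR addresses, not the older separate-netmask column."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)          # also strips the quotes around ldapbasedn="..."
        if fields[0] == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: too few fields")
            database, user, address, method, opts = fields[1], fields[2], None, fields[3], fields[4:]
        else:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: too few fields")
            database, user, address, method, opts = fields[1], fields[2], fields[3], fields[4], fields[5:]
        options = {}
        for opt in opts:
            key, _, value = opt.partition("=")   # split at the first '=' only; values may contain '='
            options[key] = value
        entries.append(HbaEntry(lineno, fields[0], database, user, address, method, options))
    return entries

def audit_entry(e: HbaEntry) -> list[str]:
    """Return human-readable findings for one entry; an empty list means nothing to flag."""
    findings = []
    where = f"line {e.lineno} ({e.method} for {e.user})"
    if e.address in ("0.0.0.0/0", "::/0", "all"):
        findings.append(f"{where}: matches every client address; narrow it to the client subnet")
    if e.method == "gss":
        if e.conn_type == "host":
            findings.append(f"{where}: use hostgssenc so GSSAPI encryption is required, not just preferred")
        if "krb_realm" not in e.options:
            findings.append(f"{where}: no krb_realm, so principals from any trusted realm are accepted")
        if e.options.get("include_realm", "1") != "0" and "map" not in e.options:
            findings.append(f"{where}: include_realm=1 without map requires roles named user@REALM")
    elif e.method == "ldap":
        url = e.options.get("ldapurl", "")
        if e.options.get("ldaptls") != "1" and not url.lower().startswith("ldaps://"):
            findings.append(f"{where}: simple bind without ldaptls=1 or ldaps:// sends passwords in clear")
        if e.conn_type == "host":
            findings.append(f"{where}: use hostssl or hostgssenc so the client's password is encrypted in transit")
    elif e.method in ("trust", "password"):
        findings.append(f"{where}: method {e.method} is not acceptable over a network")
    return findings

def audit_pg_hba(text: str) -> list[str]:
    """Findings for every entry, in file order (first match wins in PostgreSQL, so order matters)."""
    return [f for e in parse_pg_hba(text) for f in audit_entry(e)]

# Constructed sample: the two entries this page adds to the PG_HBA section.
SAMPLE_PG_HBA = """\
# Kerberos section of the page
host all pguser 0.0.0.0/0 gss include_realm=0 krb_realm=DOMAIN.LOCAL
# LDAP section of the page
host all pgldap 0.0.0.0/0 ldap ldapserver=freeipa-host.domain.local ldapbasedn="cn=users,cn=compat,dc=domain,dc=local" ldapsearchattribute=uid
"""

if __name__ == "__main__":
    for finding in audit_pg_hba(SAMPLE_PG_HBA):
        print(finding)
```

Run against the page's two lines it reports the 0.0.0.0/0 match on both, the host-instead-of-hostgssenc point on the gss line, and the missing ldaptls plus the unencrypted client path on the ldap line; the krb_realm and include_realm settings on the gss line pass as written. Replacing host with hostgssenc (gss) or hostssl (ldap), adding ldaptls=1, and narrowing the address to the client subnet produces an empty report.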
Test the GSSAPI-encrypted connection:
kinit pgldap
psql -h adpg-host.domain.local -U pgldap postgres
The result:
psql (14.3)
GSSAPI-encrypted connection
Type "help" for help.

postgres=#