FB/lee.hyeongchae
PGDay.Seoul 2018 1
PostgreSQL Authentication
with FreeIPA
Agenda
 About me
 PostgreSQL Authentication
 IBM's RHEL's IdM: FreeIPA
 DEMO
About me
危豈 (覈覺)
 蟆觚
 Kosslab
 Tibero
 Altibase
 Telcobase
 Cubrid
 Inervit
Why ?!
(word cloud) MySQL, Audit, Scale out, blockchain, monitoring, security, backup, HA, Performance, No Money, Architecture, auth
Mission !!
HA: GitHub's Orchestrator
Scale-out: TiDB, VitessDB
PingCAP's TiDB
Auth & Security ?!
FreeIPA Tadpole DB Hub
PostgreSQL Authentication
Authentication vs Authorization
Client Authentication
https://paquier.xyz/content/materials/20180531_pgcon_auth.pdf
Authentication methods
trust: Allow the connection unconditionally. Anyone who can connect to the PostgreSQL database server can log in as any PostgreSQL user they wish, without a password or any other authentication.
reject: Reject the connection unconditionally. This is useful for filtering out certain hosts from a group; for example, a reject line can block a specific host from connecting while a later line allows the remaining hosts in a specific network to connect.
scram-sha-256: Perform SCRAM-SHA-256 authentication to verify the user's password.
md5: Perform SCRAM-SHA-256 or MD5 authentication to verify the user's password.
password: Require the client to supply an unencrypted password for authentication. Since the password is sent in clear text over the network, this should not be used on untrusted networks.
gss: Use GSSAPI to authenticate the user. This is only available for TCP/IP connections.
sspi: Use SSPI to authenticate the user. This is only available on Windows.
ident: Obtain the operating system user name of the client by contacting the ident server on the client machine and check that it matches the requested database user name. Ident authentication can only be used on TCP/IP connections; when specified for local connections, peer authentication is used instead.
peer: Obtain the client's operating system user name from the operating system and check that it matches the requested database user name. This is only available for local connections.
ldap: Authenticate using an LDAP server.
radius: Authenticate using a RADIUS server.
cert: Authenticate using SSL client certificates.
pam: Authenticate using the Pluggable Authentication Modules (PAM) service provided by the operating system.
bsd: Authenticate using the BSD Authentication service provided by the operating system.
GSSAPI or GSS-API
( Generic Security Services Application Program Interface )
GSSAPI == Kerberos API
KRB5 API
Kerberos
 Kerberos is a computer-network authentication and encryption protocol that works on the basis of tickets, allowing nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
 It was developed for the client-server model and provides mutual authentication: the server verifies the user's identity and the user verifies the server's identity.
 Kerberos protocol messages are protected against eavesdropping and replay attacks.
 Kerberos is based on symmetric-key cryptography and requires a trusted third party (TTP). Optionally, public-key cryptography can be used during certain phases of authentication by using asymmetric-key cryptography.
https://www.ibm.com/support/knowledgecenter/ko/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/csec_kerb_auth_explain.html#csec_kerb_auth_explain__kerbwhat
LDAP ( Lightweight Directory Access Protocol )
LDAP ( Lightweight Directory Access Protocol )
https://dzone.com/articles/introduction-to-kerberos-for-managers
Authentication Flow Authorization Flow
PAM ( Pluggable Authentication Modules )
IBM's RHEL's IdM: FreeIPA
FreeIPA ( I + P + T or A )
 Identity: Manage Linux users and client hosts in your realm from one central location with CLI, Web UI or RPC access. Enable Single Sign On authentication for all your systems, services and applications.
 Policy: Define Kerberos authentication and authorization policies for your identities. Control services like DNS, SUDO, SELinux or autofs.
 Trusts: Create mutual trust with other Identity Management systems like Microsoft Active Directory.
 Audit : http://scribery.github.io
RHEL's IdM or IPA ?!
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index
FreeIPA
Components: Dogtag Cert, Kerberos, BIND, NTP, LDAP (389 DS), SSSD (pam, sshd, sudo)
FreeIPA Web UI
OAuth2, SAML, ...
OpenStack
SSO ( Single Sign-On )
FreeIPA
DEMO
PostgreSQL
$ vim postgresql.conf
# keytab holding the PostgreSQL service principal issued by FreeIPA
krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
krb_srvname = 'postgres'
$ vim pg_hba.conf
# TYPE DATABASE USER CIDR-ADDRESS METHOD
# realm is stripped from the principal (include_realm=0), so restrict to our realm with krb_realm
host all all 0.0.0.0/0 gss include_realm=0 krb_realm=EXAMPLE.COM
PostgreSQL
ssh: on first login, change the initial password
$ kinit myuser
$ createuser myuser
$ psql -U myuser
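As an added illustration (not code from the talk), a small pg_hba.conf audit in Python: it parses rules like the gss line from the demo and flags settings that weaken authentication, including a gss rule that uses include_realm=0 without krb_realm. The sample file is constructed here and assumes addresses are written in CIDR form.

```python
from dataclasses import dataclass, field

# Constructed sample pg_hba.conf (not from the talk): the demo's gss rule plus weaker rules to flag.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD
local   all       all                 peer
host    all       all   0.0.0.0/0     gss include_realm=0 krb_realm=EXAMPLE.COM
host    all       all   10.0.0.0/8    trust
host    all       all   0.0.0.0/0     gss include_realm=0
host    all       all   0.0.0.0/0     password
"""

@dataclass
class HbaRule:
    line_no: int
    conn_type: str
    database: str
    user: str
    address: str                 # "" for local (Unix-socket) rules, which carry no address
    method: str
    options: dict = field(default_factory=dict)

def parse_pg_hba(text):
    """Parse pg_hba.conf rules; assumes addresses are written in CIDR form (one field)."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "local":
            conn_type, database, user, method, *opts = fields
            address = ""
        else:
            conn_type, database, user, address, method, *opts = fields
        options = dict(o.split("=", 1) for o in opts if "=" in o)
        rules.append(HbaRule(no, conn_type, database, user, address, method, options))
    return rules

def audit_pg_hba(text):
    """Return (line_no, message) pairs for rules that weaken authentication."""
    findings = []
    for r in parse_pg_hba(text):
        if r.method == "trust":
            findings.append((r.line_no, "trust: matching clients are not authenticated at all"))
        elif r.method == "password":
            findings.append((r.line_no, "password: cleartext password on the wire; use scram-sha-256"))
        elif r.method == "gss" and r.options.get("include_realm") == "0" and "krb_realm" not in r.options:
            # With the realm stripped and no krb_realm filter, alice@OTHER.REALM maps onto role alice.
            findings.append((r.line_no, "gss: include_realm=0 without krb_realm is unsafe with multiple realms"))
    return findings
```

Run `audit_pg_hba(open("/path/to/pg_hba.conf").read())` against a real file to get the same (line, message) list.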
R.I.P.
Q?!A