set Windows authentication for postgres
Problem
I'm trying to set Windows authentication for a postgres server.
The process is not well documented, which makes the whole thing obscure.
I found this doc but it is quite unclear.
In the necessary steps, the doc says that you need to create a domain user. Yet in the screenshot, it says DomainServiceAccount.
Once you've created the domain user and have set your postgres service with the domain user, you need to create a Service Principal Name for your service account with the following command line on the AD server:
setspn -S POSTGRES/[fully.qualified.domain.name] DOMAIN\[service_account_name]
Questions are the following:
- Is service_account_name = DomainServiceAccount = Domain user?
- If my first question is correct, and I create a user called SuperPostgres, set the service as mentioned in the doc with the user SuperPostgres, create an SPN with the command line spn and set the relevant role as mentioned in the doc, is it certain that Postgres will allow an AD user like AndyKw to connect to the postgres db?
Solution
Yes
Service_account_name = DomainServiceAccount = Domain user
A service account is actually a domain user, just with some extra settings like "no interactive login" and "password does not expire".
Dunno why they would use "DomainServiceAccount" too. It's just Service_account_name.
Is it certain? Just have to test, but it looks usual for non-Windows applications (Atlassian does the same, and I have other Java apps that have AD authentication too)
Context
StackExchange Database Administrators Q#191499, answer score: 3
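Whether an AD user such as AndyKw is accepted depends on how PostgreSQL's sspi method turns the Windows account name into a database role name. The following is an added example (not from the original post, the linked doc or the PostgreSQL project) that models the documented include_realm and map options. The NetBIOS domain CORP, the map name adusers and the pg_ident.conf line are constructed, and Python's re stands in for PostgreSQL's regex engine.

```python
import re

def sspi_system_user(sam_user, netbios_domain, include_realm=True):
    """Name PostgreSQL derives for an SSPI-authenticated Windows account.

    Models the defaults compat_realm=1 and upn_username=0 (SAM account name,
    NetBIOS domain name); include_realm=0 strips the '@DOMAIN' part.
    """
    return f"{sam_user}@{netbios_domain}" if include_realm else sam_user

def login_allowed(system_user, requested_role, ident_lines=(), map_name=None):
    """Return True if the user name mapping lets system_user log in as requested_role."""
    if map_name is None:
        # No map= option on the pg_hba.conf line: exact, case-sensitive match.
        return system_user == requested_role
    for line in ident_lines:
        fields = line.split()
        if line.lstrip().startswith("#") or len(fields) != 3 or fields[0] != map_name:
            continue
        _, pattern, db_user = fields
        if pattern.startswith("/"):
            # Leading '/' marks a regular expression; \1 is the first capture.
            # Assumption: Python's re stands in for PostgreSQL's regex engine.
            match = re.search(pattern[1:], system_user)
            if match is None:
                continue
            if match.groups():
                db_user = db_user.replace("\\1", match.group(1) or "")
        elif pattern != system_user:
            continue
        if db_user == requested_role:
            return True
    return False

# Constructed sample: AD user AndyKw in a domain whose NetBIOS name is CORP.
IDENT = [r"adusers  /^(.*)@CORP$  \1"]  # constructed pg_ident.conf line

def demo():
    with_realm = sspi_system_user("AndyKw", "CORP")       # include_realm=1 (default)
    no_realm = sspi_system_user("AndyKw", "CORP", False)  # include_realm=0
    return {
        "default, no map": login_allowed(with_realm, "AndyKw"),
        "include_realm=0": login_allowed(no_realm, "AndyKw"),
        "include_realm=0, role folded to lowercase": login_allowed(no_realm, "andykw"),
        "map=adusers": login_allowed(with_realm, "AndyKw", IDENT, "adusers"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The lowercase case corresponds to a role created with an unquoted name, which PostgreSQL folds to lowercase; quoting the name in CREATE ROLE preserves the AD account's casing.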