Right now I have the following, which works:
host all all all ldap ldapserver=ldap.server.name ldapprefix="DOMAIN\"
but to my understanding the connection between the ldap server and pg db isn't encrypted and I need it to be. So i change to:
host all all all ldap ldapserver=ldap.server.name ldapprefix="DOMAIN\" ldaptls=1
this give me an error saying "could not start ldap tls session connect error".
What are the steps that Im missing in order to get this working? I have a feeling I need to be dropping certs either somewhere on my ldap instance or pg instance (or both) but I don't really have any experience configuring any of this.
If you are looking to use ldaptls=1, then please make sure that you are using the correct certs to connect to the LDAP server. Also, depending on how LDAP is set up, you may need to add ldapport=389 to tell Postgres to use the TLS port on the LDAP side.
More information at https://richyen.com/postgres/2018/02/09/making_postgres_talk_to_ldap_with_starttls.html
Related
I have a postgresql 11 instance that need to share with the client, it's ok to let the client do whatever they want except the accounts.
if the client modifies the pg_hba.conf, they can connect without password, is there any way to disable pg_hba, making it no way to connect without password?
PS: the client has the host access
I can't seem to connect to Cloud SQL with Workbench. I keep getting this error.
Failed to Connect to MySQL at CLOUD-SQL-IPv4:3306 with user root
Access denied for use 'root'#'WHITE-LISTED-IP-ADDRESS' (using password: YES)
I have white listed my IP.
I have set an IP for the SQL instance.
I have checked the username and Password several times.
Any idea why this is happening?
It seems you have to create a new user in the Google Cloud Console with the host name set to %(any host). You can't seem to connect using the root user.
Is it possible to connect with the #root user but after you finish the setup you have to restart the sql server.
What is important to set up an SSL certificate if you connect to you production database, but if you only try it out you can allow unsecured connection. Another important thing is to add your IP to the Authorised Networks in the Connection tab.
I have two databases set up as part of the same Postgresql 9.4 database cluster, and I'm trying to access a table in one of them from the other using a postgres_fdw. I have it all set up and working as a superuser, however when I try to access the foreign table as a normal user, I get the following error:
ERROR: password is required
DETAIL: Non-superuser cannot connect if the server does not request a password.
HINT: Target server's authentication method must be changed.
Now I understand that this is because I have the server set up with trust authentication for certain subnets, including Its own. However, in the 1 USER MAPPING I created, I did specify a password, with the hope that doing so would force it to use password authentication. No such luck apparently.
As such, my question is if there is any way around this somewhat onerous requirement? Is there a way to force this connection, or a specific user, or the like to use password authentication? Or some way to disable the requirement? Or is my only option to change the configuration to require passwords, and deal with whatever that breaks?
As Nick Barnes pointed out in a comment, pg_hba allows different authentication rules for specific users. As such, the solution to this issue was to simply create a user specifically for these FDW connections, and set that user in the pg_hba.conf to require a password. That way my trusted web apps on the trusted network can continue connecting as usual, but the FDW can get the password request it requires.
You can't force FDW to use a password: the server on the other end must request the password. the usual default for local socket connections is no password.
Try connecting via TCP instead of using local sockets: add host=localhost to the connection parameters, that will usually fix it.
Please, any help will be appreciated, i have an OpenERP installed with all its components (Postgres, Web server, Server) in a VPS..
And I would like to use this PostgreSQL from my local machine trough pgAdmin3. I am still not able to do so.
I read some answers about this issue, by modifing Configuration Files in Postgresql and some others telling me to use SSH Tunilling trough Putty, but when i go to connect trough PGADMIN3 i can't have a successfuull connection
So , Please if any one could Give me in details What i have to do, to make this happen successfully,
First you need to ask yourself a bunch of questions. The answer to this isn't really that simple which is why it hasn't been answered. These involve risk management questions that happen when you set up your db for access across the internet. You really want to start by reading the administration and authentication sections of the PostgreSQL docs. You may want to do an SSH tunnel or just require SSL.
Personally I would configure PostgreSQL to require SSL if you are going to do that. Set up an entry of type hostssl in the pg_hba.conf for the host that will be connecting to it. Set up firewall rules to allow connections from that host. Ideally set up a client cert but not quite sure how to make OpenERP use that.
Then configure OpenERP. I don't know which version you are running but these docs may get you started.
I am trying to setup PostgreSQL and allow only certain Windows users to access the data from the database. Setting up Windows Authentication is Quite easy with MS SQL, but I can't figure out how to set it up in PostgreSQL.
I have gone through the documentation at http://www.postgresql.org/docs/current/static/auth-methods.html
and edited the pg_hba file. But after doing so, the PostgreSQL service fails to start.
Is the Postgresql server running on Windows as well as the clients then you might test with this to see if this works:
host all all 0.0.0.0/0 sspi
Magnus Hagander, a Postgresql developer, elaborates on this:
"All users connecting from the local machine, your domain, or a trusted domain will be automatically authenticated using the SSPI configured authentication (you can enable/disable things like NTLMv2 or LM using Group Policy - it's a Windows configuration, not a PostgreSQL one). You still need to create the login role in PostgreSQL, but that's it. Note that the domain is not verified at all, only the username. So the user Administrator in your primary and a trusted domain will be considered the same user if they try to connect to PostgreSQL. Note that this method is not compatible with Unix clients."
If you mix Unix-Windows then you have to resort to kerberos using GSSAPI which means you have to do some configuration. This article on deploying Pg in Windows environments may perhaps lead you in the right path.
If anyone else encouters this like I did so starting from 9.5 you wil need to add an optional parameter both to the ipv4 and ipv6 in order for this to work
include_realm=0
so the whole thing will look like
host all your_username 127.0.0.1/32 sspi include_realm=0