When attempting to connect to our Postgres instance using Flyway, I get GSS Authentication failed connection error:
Unable to obtain Jdbc connection from DataSource
(
jdbc:postgresql://host/database?
kerberosServerName=postgres&
jaasApplicationName=pgjdbc
)
for user 'username#domain.com': GSS Authentication failed
My Postgres instance is using gss authentication with MIT Kerberos to authenticate with my Active Directory using an uppercase domain name (realm), but on Postgres we are using lowercase domains due to how pg-ldap-sync tool creates users.
I am able to connect just fine using psql and a lowercase domain name:
psql -h postgres.domain.com -U username#domain.com
However, when I attempt to run Flyway with the same credentials, I receive a GSS Authentication failed due to me not providing the correct domain casing matching the realm.
From the look of it, the JDBC driver Flyway is using, when using GSS, can only send the authentication user over, so if the database user doesn't match there is no way to map it. Since there is no ability to send the database user separately through the JDBC driver it falls back to the authentication user and the map fails.
How can I provide a different Postgres user than the principal used for Kerberos authentication? Similar to what I can do with psql.
My JAAS Configuration:
pgjdbc
{
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
useTicketCache=true
debug=true
client=true;
};
Related
I'm trying to get authentication working using kerberos in Windows instead of username and password when connecting to PostgreSQL. Very new to this area and would appreciate any thoughts. In essence what I want to achieve is not having the password in the app configuration. Maybe there are other options apart from using kerberos?
Will the following work?
configure Postgres for SSPI authentication
create a user in Postgres with the same user name as the SPN of the user in the AD
pre-create kerberos authentication tickets (somehow magically) for the created user
connect to postgres using psql with the above user without providing the password
If this is at all possible I'm interested in how to achieve that magical part above ^^^
Thanks.
I have a sonarqube instance running in a Kubernetes cluster, connected to postgres rds database. I'm trying to reset the admin password after Keycloak realm change disabled OIDC authentication and now I cannot log in to the instance. Running version 8.9.7.52159 CE, I followed the docs (https://docs.sonarqube.org/8.9/instance-administration/security/) and reset the password via sql query.
I checked the admin user in the database and user has been updated, But when attempting to login via admin username and admin password I get error authentication failed.
Checking logs of pod I can see following errors after realm change:
Caused by: com.nimbusds.oauth2.sdk.GeneralException: The returned issuer doesn't match the expected: https:/keycloak-realm-url
WARN [o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'oidc'
I can't login to the instance to modify security settings/realm etc. Any ideas why the password reset for admin user isn't working and how can I resolve. Thanks
I have a user with role rds_iam so IAM DB Auth is required for the user to connect to my Aurora PostgreSQL server (server A). Which works as expected. I have added a role to Server B that has permissions to rds-db:connect to server A. Now I need to update FDW to connect to server A using the IAM-enabled user.
I don't understand what is suppose to be used for password for the following command:
CREATE USER MAPPING IF NOT EXISTS FOR <current user> SERVER <server name>
OPTIONS (USER <username>, PASSWORD <password>);"
Currently, I am getting the following error:
[08001] ERROR: could not connect to server "XXXXXX" Detail: FATAL: PAM authentication failed for user "user-xxxxx"
I suspect because passsword was actually a token that I generated when setting up the user. But tokens expire afte 15 minutes. So how do setup an IAM-user with FDW?
Unless Amazon hacks postgres_fdw to add this capability, I think you would need to write some code that does ALTER USER MAPPING every 15 minutes, or give up on using IAM for this.
Any way to get Proxy User authentication done in PostgreSql?
As from Oracles
https://oracle-base.com/articles/misc/proxy-users-and-connect-through#proxy-user-and-connect-through
So I am trying to setup authentication on MongoDB instance. This is the first time doing this. I currently have an instance running off of localhost with no authentication. I have created users with admin rights as well as two users with readwrite rights. I have tried to log in to the httpinterface using these users but it doesn't let me in. Also, I am trying to create a connection from another server to this database instance but it does not allow me to. If i login to the server through SSH and authenticate on the mongo shell it works fine and returns 1. Any thoughts or suggestions?
I get the following error from the Mongo Connection:
array(2) { ["ok"]=> int(0) ["errmsg"]=> string(130) "Failed to connect to: IP:PORT: Authentication failed on database 'DB' with username 'User': auth failed" }
This user was just created and has readWrite rights and I know the password is correct.