I am working on Kerberos authentication and need help in jaas.conf file
I have below section in jaas.conf
SQLJDBCDriver {
com.sun.security.auth.module.Krb5LoginModule required
principal =
keyTab =
}
I need one more SQLJDBCDriver section for another keytab and another principal
But when I add another section, the first and second both sections don't work.
Please help?
I ran into similar issue where I try to set up multiple principals to different db instances.
You can specify multiple sections/principals in jaas.conf,
SQLJDBCDriver_1 {
com.sun.security.auth.module.Krb5LoginModule required
principal =
keyTab =
}
SQLJDBCDriver_2 {
com.sun.security.auth.module.Krb5LoginModule required
principal =
keyTab =
}
With the latest SQL JDBC driver, you can specify section name, for example:
jdbc:sqldriver://...;jaasConfigurationName=SQLJDBCDriver_1;
I also documented the findings in https://github.com/Microsoft/mssql-jdbc/issues/828
Related
Is there a way to create or access an existing Azure AD Group using Azure Bicep. The scenario is that I want to create an Azure SQL Database, but in order to do so I need to create a server first. I want to create the server with an AD group as an administrator so I don't have passwords/secrets to manage. I also want to use managed identities for access.
Is there a way to get the group name and sid? When I create a resource in bicep (i.e. resource sqlAdminGroup...) and search for 'group', I don't see a
Here is my bicep code:
resource sqlServer 'Microsoft.Sql/servers#2022-02-01-preview' = {
name: '${namePrefix}sqlserver1'
location: location
properties: {
administrators: {
administratorType: 'ActiveDirectory'
azureADOnlyAuthentication: true
principalType: 'Group'
login: sqlAdminGroupName
sid: sqlAdminGroupObjectId
tenantId: subscription().tenantId
}
publicNetworkAccess: 'Enabled'
restrictOutboundNetworkAccess: 'Disabled'
//subnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, subnetName)
}
identity: {
type: 'SystemAssigned'
}
}
I assume this is a common approach but I have not really found much on it when searching. I would like to create the group if it doesn't exist and get the the login (sqlAdminGroupName) and sid (sqlAdminGroupObjectId) regardless for use in the above code.
Just got mine to work, maybe this help you as well, there were 2 things that I had to change to get mine to deploy.
First, did not specify admin login or password under properties, second, the 'login' string, does not have to be the same as your actual AAD group, in my instance, the AAD group had spaces in it and was causing an error.
Here is my bicep, maybe it helps you or someone:
resource sqlServer 'Microsoft.Sql/servers#2022-02-01-preview' = {
location: location
name: 'sql${name}'
properties: {
version: '12.0'
administrators: {
administratorType: 'ActiveDirectory'
principalType: 'Group'
login: 'MyFunkyAdminGroupNameNotSameAsAAD'
sid: '0000-my-aad-group-id-0000'
tenantId: subscription().tenantId
}
}
}
Getting error:waiting for deletion of Flexible Server Configuration (pgbouncer.enabled)
Once I change the configuration from portal the script works.
azurerm_postgresql_flexible_server_configuration" "pgbouncer"
{ name = "pgbouncer.enabled"
value = var.pgbouncer
server_id = azurerm_postgresql_flexible_server.pgsql.id
}
I've started mongod instance in kerberos auth mode.I'm able to connect from mongo shell.While connecting from java application,I get the following exception:
Key for the principal mongodb/****#**** not available in ***.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
My gss-jaas.conf is
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=false
principal="mongodb/***#***"
doNotPrompt=true
keyTab="D:\***.keytab"
debug=true;};
I've used ktuil and executed following commands to write principal to keytab file.Can anyone help me to find out what's going wrong?
ktutil: add_entry -password -p mongodb/***#*** -k 1 -e des-cbc-md4
Password for mongodb/***#***:
ktutil: wkt /tmp/***.keytab
ktutil: quit
I've entered the password and also tried by skipping it with enter.In both the cases,I'm getting the above exception.I've used the following system properties in java application:
System.setProperty("java.security.krb5.conf","D:\\krb5.conf");
System.setProperty("java.security.auth.login.config","D:\\gss-jaas.conf");
System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
System.setProperty("java.security.krb5.realm","****");
System.setProperty("java.security.krb5.kdc","*****");
kerberosCredential = MongoCredential.createGSSAPICredential(userName);
I am trying to formulate a connection to a PGSQL server that requires both a client certificate and key to operate.
First, I can verify connections to the Postgres database using SQLGate work. Provide host, User, password, port, database and mark Use SSL, then under SSL provide the Certificate and Key. The connection does not operate without either of those items. Using NPGSQL, I provide all but the key as for some reason NpgsqlConnectionStringBuilder does not contain a definition for some sort of client key.
var connectionString = new NpgsqlConnectionStringBuilder();
connectionString.Host = rInfo.Host;
int portNumber = 5432;
int.TryParse(rInfo.Port, out portNumber);
connectionString.Port = portNumber;
connectionString.Database = rInfo.dbName;
connectionString.Username = rInfo.Username;
connectionString.Password = rInfo.Password;
connectionString.SslMode = SslMode.Prefer;
connectionString.TrustServerCertificate = true;
connectionString.ClientCertificate = rInfo.CertFilePath;
//Poke the database, see if we can get in.
try
{
NpgsqlConnection npgsqlConnection = new NpgsqlConnection(connectionString.ToString());
npgsqlConnection.ProvideClientCertificatesCallback += provideCertificates;
npgsqlConnection.UserCertificateValidationCallback += validateCertificates;
npgsqlConnection.Open();
npgsqlConnection.Close();
return connectionString.ToString();
}
The exception is:
Error 28000 : connection requires a valid client certificate
Which is to be expected since I'm not providing the key anywhere. I have tried forcing the key to be added to the connection string via guessing:
connectionString.Add(new KeyValuePair<string, object?>("Client Key", rInfo.KeyFilePath));
But that's unrecognized. Libpq's PG Connect documentation labels it as sslkey, but that comes back as unrecognized as well. My best guess is using ProvideClientCertificatesCallback callback to provide the certificate, but I don't know how to have it pair with a key since it's just asking for an X509CertificateCollection.
The previous tool we were using was provided by Devart, but we have lost the license. We also will be connecting to a range of databases (with the same schema) instead of just one.
What are my options?
I am having an issue where I need to manually map the correct database to the domain instead of it being picked up from the connection argument.
I am using grails 3.2.8, plugin "org.grails.plugins:mongodb:6.1.0". I have both hibernate and mongodb plugin enabled.
I have define my connection URL as
//application.yml
mongodb:
url: 'mongodb://${MONGODB_USERNAME}:${MONGODB_PASSWORD}#${MONGODB_REPLICA_SET}/${MONGODB_DATABASE}?${MONGODB_CONNECTION_OPTIONS}'
My domain object is defined as :
class ReportData {
String id
Long someField
static mapWith = "mongo"
static mapping = {
//database "db-name" DOESN'T WORK WHEN COMMENTING OUT THIS LINE
}
}
Shouldn't the database(system property MONGODB_DATABASE) be picked up auto-magically from the connection url? I am not sure if this is a bug or I am missing some configuration aspect.
I realized that I had not added following in my build.gradle file:
bootRun {
systemProperties = System.properties
}
so my application environment settings were not even getting applied correctly and hence my connection url was invalid.
I found that detail here: http://docs.grails.org/latest/guide/conf.html