Is the PostgreSQL feature of authentication via LDAP available somehow when using the JDBC driver?
Looking at the JDBC driver documentation it doesn't look like it's supported.
If not - any idea as to how to customize the driver to get it working?
LDAP authentication is server-side. To the client it's the same as password (clear-text password, so use SSL!) authentication.
In src/backend/libpq/auth.c the auth request function void ClientAuthentication(Port *port) calls CheckLDAPAuth(port) if LDAP auth is matched in pg_hba.conf.
This does a:
sendAuthRequest(port, AUTH_REQ_PASSWORD);
just like password does.
Any client driver that supports password auth supports ldap. PgJDBC supports password.
The configuration options documented in the server docs are with reference to options set in postgresql.conf on the server side for authenticating users against the LDAP directory.
There is no change required to PgJDBC to use ldap auth.
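The point made in the answer above, shown at the wire level as an added example (not code from the answer, PostgreSQL or PgJDBC): the client parses the Authentication message that sendAuthRequest(port, AUTH_REQ_PASSWORD) produces and replies with a PasswordMessage, refusing to do so on an unencrypted connection. The function names, the tls_active flag and the sample frame are assumptions made for illustration.

```python
import struct

# Authentication request codes from the PostgreSQL frontend/backend protocol.
AUTH_OK, AUTH_CLEARTEXT, AUTH_MD5, AUTH_SASL = 0, 3, 5, 10
AUTH_NAMES = {AUTH_OK: "ok", AUTH_CLEARTEXT: "cleartext-password",
              AUTH_MD5: "md5-password", AUTH_SASL: "sasl"}


class InsecureAuthError(Exception):
    """Raised when the server asks for a clear-text password without TLS."""


def parse_auth_request(frame: bytes) -> int:
    """Parse an 'R' (Authentication) message and return its request code."""
    if len(frame) < 9 or frame[0:1] != b"R":
        raise ValueError("not an Authentication message")
    length, code = struct.unpack("!ii", frame[1:9])
    # The length field counts itself but not the type byte.
    if length < 8 or length != len(frame) - 1:
        raise ValueError("bad length field")
    return code


def password_message(password: str) -> bytes:
    """Build the 'p' PasswordMessage: type, int32 length, NUL-terminated string."""
    body = password.encode("utf-8") + b"\x00"
    return b"p" + struct.pack("!i", len(body) + 4) + body


def respond(frame: bytes, password: str, tls_active: bool) -> bytes:
    """Answer an auth request, refusing clear-text passwords on plain TCP."""
    code = parse_auth_request(frame)
    if code != AUTH_CLEARTEXT:
        raise NotImplementedError(AUTH_NAMES.get(code, str(code)))
    if not tls_active:
        raise InsecureAuthError("clear-text password requested without TLS")
    return password_message(password)


# Constructed sample: the frame the server sends for AUTH_REQ_PASSWORD. The
# client sees the same bytes whether pg_hba.conf says "password" or "ldap".
SAMPLE_REQUEST = b"R" + struct.pack("!ii", 8, AUTH_CLEARTEXT)

if __name__ == "__main__":
    print(respond(SAMPLE_REQUEST, "s3cret", tls_active=True))
```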
We recently migrated our DB to Mongo 4.0. We created a new user for the application and SCRAM-SHA-256 is enabled from the DB side. To my surprise, the existing mongo driver we are using, 3.8.2, is working fine without any changes in the config from the application side; I haven't specified the authMechanism param in the config. How does the client know the authentication mechanism?
My understanding is that the default mechanism, SCRAM-SHA-1, would be used and authentication should fail. I checked the code and I couldn't find how it is working. From some blogs I identified that isMaster will be called using saslSupportedMechs, which will provide the supported SASL mechanisms. Is my understanding right? Where can I find this code in the vertx mongo client?
Mongo connection string:
mongoConnectionJson = new JsonObject().put("connection_string", "mongodb://testhost:6005")
        .put("db_name", "test_db")
        .put("username", "test_sha-256")
        .put("password", "test_sha-256")
        .put("authSource", "test_db");
The default auth mechanism selection may in theory differ from one driver to another but should be similar to the description here for the Ruby driver:
For MongoDB 4.0 and higher, the client performs SCRAM mechanism negotiation with the server. If the user specified in client configuration permits authentication with SCRAM-SHA-256, then SCRAM-SHA-256 is used for authentication. Otherwise SCRAM-SHA-1 is used.
For MongoDB 3.0 through 3.6, SCRAM-SHA-1 is used.
For MongoDB 2.6, MONGODB-CR is used.
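The selection rules quoted above, written out as an added example (not code from the answer, from any MongoDB driver or from the Vert.x client). The function names, the allowed parameter and the sample replies are hypothetical; the maxWireVersion values 3 and 7 for MongoDB 3.0 and 4.0 come from the MongoDB wire protocol rather than from this page. The allow-list shows how an application can refuse a silent fall-back to SCRAM-SHA-1.

```python
from typing import Optional

WIRE_3_0, WIRE_4_0 = 3, 7  # maxWireVersion reported by MongoDB 3.0 and 4.0


class MechanismPolicyError(Exception):
    """The mechanism the client would use is not on the caller's allow-list."""


def handshake(auth_source: str, username: str) -> dict:
    """Handshake command: isMaster plus a query for this user's SCRAM mechanisms."""
    return {"isMaster": 1, "saslSupportedMechs": f"{auth_source}.{username}"}


def select_mechanism(reply: dict, auth_mechanism: Optional[str] = None,
                     allowed=("SCRAM-SHA-256", "SCRAM-SHA-1", "MONGODB-CR")) -> str:
    """Pick the mechanism as the quoted rules describe, then apply the allow-list."""
    wire = reply.get("maxWireVersion", 0)
    if auth_mechanism:                      # an explicit authMechanism wins
        chosen = auth_mechanism
    elif wire >= WIRE_4_0:                  # 4.0+: negotiate from the reply
        offered = reply.get("saslSupportedMechs", [])
        chosen = "SCRAM-SHA-256" if "SCRAM-SHA-256" in offered else "SCRAM-SHA-1"
    elif wire >= WIRE_3_0:                  # 3.0 through 3.6
        chosen = "SCRAM-SHA-1"
    else:                                   # 2.6
        chosen = "MONGODB-CR"
    if chosen not in allowed:
        raise MechanismPolicyError(f"{chosen} not permitted (allowed: {allowed})")
    return chosen


# Constructed handshake replies (only the fields used here).
REPLY_40_BOTH = {"ismaster": True, "maxWireVersion": 7,
                 "saslSupportedMechs": ["SCRAM-SHA-1", "SCRAM-SHA-256"]}
REPLY_40_SHA1_ONLY = {"ismaster": True, "maxWireVersion": 7,
                      "saslSupportedMechs": ["SCRAM-SHA-1"]}
REPLY_36 = {"ismaster": True, "maxWireVersion": 6}

if __name__ == "__main__":
    print(handshake("test_db", "test_sha-256"))
    for reply in (REPLY_40_BOTH, REPLY_40_SHA1_ONLY, REPLY_36):
        print(select_mechanism(reply))
```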
How do I pass in a Kerberos token for authentication to a kerberized mongo cluster through restheart? Should I do some custom implementation?
FYI Kerberos Authentication works fine when I use native mongo client in java/scala.
Thanks In Advance
The current RESTHeart version 1.0.3 does not support Kerberos authentication.
However if you get the latest development version from github, it allows defining the MongoDB connection via a connection URI.
This should allow the use of Kerberos authentication. However I haven't tried it yet.
The new configuration option is called mongo-uri.
I have a little problem with mongodb: when I connect to the http interface I have no problems, but if I try to connect after enabling authentication the browser asks me for username and password.
So far it's correct, but if I try to log in with the users I have created (one root on admin db, one userAdminAnyDatabase on admin and one dbOwner on my personal db) neither of them allows me to access! Does anyone know why? Thanks
I'll start with the usual caveat that you should not use the HTTP interface on any production system, ever - turn it off for prod. With that said, are you using MongoDB 3.0 (and in particular SCRAM SHA-1 credentials)?
The HTTP interface does not support that auth method, per the page linked:
Neither the HTTP status interface nor the REST API support the
SCRAM-SHA-1 challenge-response user authentication mechanism
introduced in version 3.0.
Hence, to use auth with the interface you will have to make sure you are using 2.6 or at least 2.6 style credentials.
I am looking for a single sign on approach for an ODBC connection to a Postgres database.
The plan is to log in to a web application and then use a single sign on scheme such as oauth or CAS to automatically log in to a client application.
The client application does not verify the credentials itself, but uses them via ODBC to connect to the Postgres database server. Unlike web applications we cannot use a single database user here, but need individual database accounts for security reasons.
In theory Postgres does support PAM and PAM supports both CAS and oauth. But I was not able to find any documentation on that. Especially the part of how to specify the token in ODBC is unclear to me.
With PAM auth, keep in mind that this is a broad field and books could be written about it. I do something similar to what you do though and can answer the part about ODBC. The following provides a walkthrough for a related service you may find helpful:
http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-postgresql-using-two-factor-authentication-from-wikid
The big thing to remember is that with PAM the password provided is passed on to the PAM module, so you have to pass in the username and password. This gets sent to PAM as if the user was logging on to the system. Beyond that it's up to you to configure PAM appropriately for your service.
I'm trying to connect to gmail using a simple java program (like this one). But my question is:
Is there a way to do this with encrypted password and not the real password, for security reasons of course!! something like how we do in java-Oracle db ?
By default, the only authentication mechanism for IMAP is the LOGIN command, which takes an unencrypted username and password. You can add an encryption layer on top of it, either by connecting via IMAPs or starting a TLS layer via the STARTTLS command, but it still requires the client to know the cleartext password.
A server can optionally also provide SASL authentication methods invokable via the AUTHENTICATE command. The server advertises which SASL mechanisms it supports in its response to the CAPABILITY command. For instance, if the server includes the capability "AUTH=PLAIN", the client can use the PLAIN SASL authentication method via the AUTHENTICATE PLAIN IMAP command.
Gmail supports only one SASL authentication mechanism, XOAUTH:
C: 1 capability
S: * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA XLIST CHILDREN XYZZY
SASL-IR AUTH=XOAUTH
S: 1 OK Thats all she wrote! dv32if2169247ibb.17
XOAUTH is a nonstandard SASL authentication mechanism using OAuth. (The leading 'X' means it's not standardized.) Google has published a document defining the XOAUTH SASL mechanism. They've also provided a google-mail-xoauth-tools package, which includes sample code showing how to use JavaMail with Gmail via XOAUTH.
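The CAPABILITY and AUTHENTICATE PLAIN steps described in the answer above, as an added example (not code from the answer, from JavaMail or from Google's tools). It reads the advertised SASL mechanisms, builds the PLAIN exchange only when the connection is already under TLS, and shows that the PLAIN response is base64 encoding, not encryption. The function names, the tls_active flag, the tag and the second capability line are assumptions; the first capability line is the one in the transcript, joined onto one line.

```python
import base64


def sasl_mechanisms(capability_line: str) -> list:
    """Return the SASL mechanisms named by AUTH= tokens in a CAPABILITY response."""
    tokens = capability_line.split()
    if [t.upper() for t in tokens[:2]] != ["*", "CAPABILITY"]:
        raise ValueError("not an untagged CAPABILITY response")
    return [t[5:].upper() for t in tokens[2:] if t.upper().startswith("AUTH=")]


def plain_initial_response(user: str, password: str) -> str:
    """SASL PLAIN message: empty authzid, NUL, user, NUL, password, base64-encoded."""
    raw = b"\x00" + user.encode() + b"\x00" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def decode_plain(response: str) -> tuple:
    """Anyone who sees the response can do this, which is why TLS is required."""
    _authzid, authcid, passwd = base64.b64decode(response).split(b"\x00")
    return authcid.decode(), passwd.decode()


def auth_command(capability_line: str, tag: str, user: str, password: str,
                 tls_active: bool) -> list:
    """Client lines for AUTHENTICATE PLAIN, or an error if it must not be sent."""
    mechs = sasl_mechanisms(capability_line)
    if "PLAIN" not in mechs:
        raise LookupError(f"server offers only {mechs}; PLAIN unavailable")
    if not tls_active:
        raise PermissionError("refusing AUTHENTICATE PLAIN without TLS")
    response = plain_initial_response(user, password)
    if "SASL-IR" in capability_line.upper().split():
        return [f"{tag} AUTHENTICATE PLAIN {response}"]   # initial response inline
    # Without SASL-IR the response is sent after the server's "+" continuation.
    return [f"{tag} AUTHENTICATE PLAIN", response]


# From the transcript above (joined), and a constructed server that offers PLAIN.
GMAIL_CAPS = ("* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA XLIST "
              "CHILDREN XYZZY SASL-IR AUTH=XOAUTH")
PLAIN_CAPS = "* CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN"

if __name__ == "__main__":
    print(sasl_mechanisms(GMAIL_CAPS))
    print(auth_command(PLAIN_CAPS, "a1", "alice", "hunter2", tls_active=True))
```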