Differences

This shows you the differences between two versions of the page.

--- admin:processes:db_accounts [2017/01/19 15:35] – [PostgreSQL (Shinji)] localadmin
+++ admin:processes:db_accounts [2017/03/25 23:22] (current) – [PostgreSQL (Shinji)] localadmin
@@ Line 18: / Line 18: @@
 ===== MS SQL Student Server (msdb.cs.ndsu.nodak.edu) =====
-------
+{{:line.png?nolink|}}
 This server exists solely for students to use in coursework.  (Back in the Helsene Dynasty, students were using Gendo for their coursework.  Gendo is also the database used by VMware, which made us scared enough to spawn up another box.).  Every database account on this machine is a local SQL account (thus not using Windows Authentication, which seemed easiest).
@@ Line 26: / Line 27: @@
 ===== MS SQL (Gendo) Production Server =====
-----
+{{:line.png?nolink|}}
 ^ Server ^ Account purpose ^ Authentication source ^
 | gendo.cs.ndsu.nodak.edu | Student account :?:| Computer Science domain |
@@ Line 99: / Line 101: @@
 ===== Oracle (Asuka) =====
-----
+{{:line.png?nolink|}}
+<color #ed1c24>Oracle accounts are now done through CCAST.</color>
 ^ Server ^ Account purpose ^ Authentication source ^
 | asuka.cs.ndsu.nodak.edu | student/application account | Local to Oracle server |
@@ Line 172: / Line 177: @@
 Accounts can also be made using the TOra Security Manager. Users created in this way need to be given a random password, and the CSCI366 role. They also need to be given the default and temporary tablespace 'USERS'
 ===== MySQL (Rei) =====
-----
+{{:line.png?nolink|}}
 ^ Server ^ Account purpose ^ Authentication source ^
 | rei.cs.ndsu.nodak.edu | student/application account | Local to mySQL server |
@@ Line 198: / Line 208: @@
 ** USERS THAT ALREADY HAVE ACCOUNTS WILL CAUSE ISSUES WITH THESE SCRIPTS.** Currently, users that currently have DB accounts should NOT be fed into the script, it will cause the process to fail. The script should be modified such that the DB is checked for an existing account for each user.
 ===== PostgreSQL (Shinji) =====
-----
+{{:line.png?nolink|}}
+<color #ed1c24>Postgres hasn't been offered by the department since at least 2014 if not earlier.</color>
 ^ Server ^ Account purpose ^ Authentication source ^
 | shinji.cs.ndsu.nodak.edu | student account | Computer Science domain |
@@ Line 216: / Line 231: @@
 For login roles that are to authenticate with student accounts (via PAM), generate a very long (32-character or so) password and enter a comment indicating that the account is using PAM for authentication.
+==== Auth ====
+PostgreSQL uses the file at /etc/postgresql/8.4/main/pg_hba.conf to define authentication and authorization. //(As of Jan 2017. postgresql 9.5)//
+This file works in a method such that the first applicable match for 'type', 'database', 'host' and 'username' dictate how the user can auth. Lines should go from the most specific at the top to the most general at the bottom.
+The file has 5 entries per line: 'type', 'database', 'user', 'host', and 'method'.
+^ Entry ^ Purpose ^
+| type | matches based on the type of access |
+| database | matches based on the database being requested |
+| user | matches based on username of the connecting client |
+| host | matches based on the host/IP of the connecting client, CIDR addresses are usable, leave blank for type 'local' |
+| method | defines the method of authentication |
+^ type ^ description ^
+| local | local machine connection |
+| host | network-based connection |
+| hostssl | SSL-based network connection |
+^ method ^ description ^
+| md5 | auths against password in the database |
+| ident | local system account authentication |
+| gss | kerberos ticket based authentication |
+| pamservice=<SERVICE> | PAM-based authentication, using service defined by <SERVICE> |
+There is a list of accounts enabled for PAM-based auth in /etc/postgresql/8.4/main/pam_accounts.
+On any modifications to pam_accounts or pg_hba.conf, you need to reload postgres.