PostgreSQL
dmazilov, 2016-06-17 14:55:33

How to organize end-to-end GSSAPI / Kerberos authentication in Postgres from a Rails application?

Hello.
I am facing a problem organizing pass-through authentication in Postgres.
Stack in use: Apache2.2 + mod_auth_kerb + Passenger 5 + Rails 4.1.4 + Postgres 9.4
Negotiate options are configured in Firefox, and KrbSaveCredentials on is set in the virtualhost.
User authentication in Apache is successful; in the application I see the REMOTE_USER and KRB5CCNAME headers.
The file named in KRB5CCNAME (e.g. FILE:/tmp/krb5cc_apache_lQ0O1c) does not exist (any more) on the system at the time the request is processed by the application.
Authenticating in Postgres via Kerberos works from the system console:
kinit myuser
psql "dbname=mydb user=myuser krbsrvname=postgres"
From the application, when processing a request, I try to establish a connection, passing the username and krbsrvname parameters. It fails with the error:
PG::ConnectionBad (GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: No Kerberos credentials available
):
activerecord (4.1.4) lib/active_record/connection_adapters/postgresql_adapter.rb:888:in `initialize'
activerecord (4.1.4) lib/active_record/connection_adapters/postgresql_adapter.rb:888:in `new'
activerecord (4.1.4) lib/active_record/connection_adapters/postgresql_adapter.rb:888:in `connect'
activerecord (4.1.4) lib/active_record/connection_adapters/postgresql_adapter.rb:568:in `initialize'
activerecord (4.1.4) lib/active_record/connection_adapters/postgresql_adapter.rb:41:in `new'
activerecord (4.1.4) lib/active_record/connection_adapters/postgresql_adapter.rb:41:in `postgresql_connection'
activerecord (4.1.4) lib/active_record/connection_adapters/abstract/connection_pool.rb:435:in `new_connection'
Any ideas?
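
The two symptoms reported above (the cache file named by KRB5CCNAME is gone, and libpq reports "No Kerberos credentials available") can be checked from inside the application before connecting. This is an added Ruby example, not part of the original post; the helper names parse_ccname and ccache_status are hypothetical, and it assumes the MIT Kerberos convention that the library reads KRB5CCNAME from the process environment rather than from a request header.

```ruby
# Added diagnostic example; helper names are hypothetical, not a Rails or pg API.

# Split a ccache name such as "FILE:/tmp/krb5cc_x" into type and residual.
# A bare path with no "TYPE:" prefix is treated as FILE (the MIT krb5 default).
def parse_ccname(value)
  name = value.to_s.strip
  return nil if name.empty?
  type, residual = name.split(':', 2)
  return { type: 'FILE', path: name } if residual.nil? || type.include?('/')
  { type: type.upcase, path: residual }
end

# request_value: KRB5CCNAME as seen in the request (Rack env / header).
# process_value: KRB5CCNAME in the process environment, which is what the
# Kerberos library underneath libpq consults when it looks for credentials.
def ccache_status(request_value, process_value = ENV['KRB5CCNAME'])
  cc = parse_ccname(request_value)
  return :missing unless cc
  return :unchecked unless cc[:type] == 'FILE' # DIR, KEYRING, KCM, ... not inspected here
  return :gone unless File.exist?(cc[:path])    # the situation described in the question
  return :unreadable unless File.readable?(cc[:path])
  return :empty if File.zero?(cc[:path])
  # The cache holds the user's delegated ticket: refuse group/other access.
  return :loose_permissions unless (File.stat(cc[:path]).mode & 0o077).zero?
  return :not_exported unless parse_ccname(process_value) == cc
  :usable
end

if __FILE__ == $PROGRAM_NAME
  # Cache name quoted in the question; the result depends on the local machine.
  puts ccache_status('FILE:/tmp/krb5cc_apache_lQ0O1c')
end
```

A result of :gone or :not_exported corresponds to the error in the question: the process making the Postgres connection has no credential cache it can open.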
