Postgresql – Active Directory to authenticate user access to Postgres DB through ODBC driver. Is this possible

active-directoryodbcpostgresql

I need for a user to logon to a Postgres DB through either MS Excel or Power BI, without entering any credentials, using solely their Active Directory login. I'm mainly a BI Developer and not usually part of the infrastructure side of things, but I've been tasked with finding out if this is at least feasible.

Am I right in thinking that this would be a pretty normal task within Microsoft infrastructure?

User signs on with AD to domain/their machine
AD grants access to something like SQL server (I take through some native MS protocol, not ODBC)
Excel(MS Query)/PowerBI from the users desktop rides that connection to allow the tool(s) seamless access to data as defined by their AD access rights.

The aim is to remove any additional credential entry by the user into either of the tools, because there'd be a high user turnover and user access to data sets must be stringently managed.

I imagine there would be back and forth between the AD admins and the DBA to facilitate user creation and access control at both ends, and I know postgres itself is AD/LDAP compliant, so some kind of access is possible. I'm just not sure if point 3, the seamless connection is possible.

Best Answer

Active Directory has 3 kinds of authentication: NTLM (NT LAN Manager), Kerberos (GSSAPI), and LDAP. Active Directory is essentially a fancy LDAP server with extra authentication mechansims

LDAP is centralized authentication, but not single sign-on. Your password is the same as when you login to your computer, but you need to login to the database again

NTLM is single sign-on, but only works on Windows. PostgreSQL supports it via SSPI

Kerberos is also single sign-on, but works with Windows and UNIX/Linux/Mac too. You login to your computer, get a Kerberos ticket, and Postgres uses this ticket to authenticate you. Postgres needs to be setup as Service Principal in Active Directory

I would say that Kerberos or SSPI is what you want.

Start with https://www.postgresql.org/docs/current/static/auth-methods.html

Related Solutions

Windows – Oracle Database Enterprise Users & Roles with Microsoft Active Directory

The application I maintain does something similar that is database OS independent for around 100 users but in a much simpler fashion. Users are authenticated by the application and authorized from the database. Here are the details:

a table for users including their email and enabled/disabled status
a table of all AD groups that have a specific prefix to indicate that they are application groups (eg: APP_ADMINS, APP_USERS)
a table with group/user links

The next part is synchronizing the information. In our organization if new users are added or permissions for existing users are changed IT does the job in the morning. The application typically has a window of low usage overnight (ie: not 24 hours a day/usage).

On the application web server we have a windows service which syncs the groups and users. On the database at night I run a scheduled job which truncates the group-user links and recreates them by a direct query to Active Directory using DBMS_LDAP.

For your purposes you would want to write a more sophisticated package that has a database package running three LDAP queries to synchronize groups, users and group users instead of my truncate solution.

I found DBMS_LDAP to be powerful but poorly documented. If the IT department should happen to change the OU that users are in you don't get a lot of useful information from the Oracle end.

Tim's site was very useful with this article and here has the code I reused.

Edit: There are two parts to using an application:

who are you? (authentication) if you do not supply a name and password listed in Active Directory you are not allowed past the log in page.
what are you allowed to do? (authorization) Here is where the granularity of permissions has a wide range. We have limited ourselves to a basic set of operations on a portion of a unit of work: Read, Update, Assign other users, Unassign other users. Our permissions are not so granular so they can be worded as "User X has select on this table". They can be better said as "User X can update this portion of the file if they are assigned".

In part this is driven by the application. It creates a pooled connection to the database as required. Users log onto the application but connect to the database as a shared user who has all the permissions required.

To go into a more detailed example: User X logs in. They have a username and password that matches what is in Active Directory. After authentication they are taken to the main page. During that time the application queries the database for what permissions this user has and caches them in memory. The main page loads each sub work area. Each area asks the cached permissions: - "Do you have authority to see this area?". If so show the work area. - " Do you have permission to edit this area?" If so show an edit/create link.

Edit2: The original poster comments that

We are trying to replicate the user permissions onto application to DB permissions onto database objects.

This sounds like a square peg/round hole problem to me. Your business logic may be defined as User X needs select on this table but if you ask the user they are working with the application. They need to be able to work with whatever the application is displaying. It is common to group tables and views and custom filters to show what the user needs in the application. This is why some applications find it easier to enforce authorization at the application level. What is it about your application that requires database permissions to be replicated in Active Directory?

Sql-server – ODBC connection for Active Directory user who doesn’t log in to Windows

Although you cannot login to SQL Server unless you use either a SQL Server Login or a Windows Account with permissions to connect to the SQL Server, you could create a low-permission user that can EXEC certain stored procedures. Those stored procedures could then contain code that switches into the context of another, more highly privileged account.

EXECUTE AS Login = 'DOMAIN\User';
SELECT * FROM sys.databases;
REVERT

Best Answer

Related Solutions

Windows – Oracle Database Enterprise Users & Roles with Microsoft Active Directory

Sql-server – ODBC connection for Active Directory user who doesn’t log in to Windows

Related Question