Dear Stephen,

You're absolutely right, the mapping works very well.


I've created 2 "service users" on Active Directory (postgres and postgres_dev),
and generated the keytabs like this:

ktpass -out postgres_pg1.keytab -princ postgres/pgdomt1.ad....@ad.com -mapUser AD\postgres -pass 'UserPass1' -mapOp add -crypto ALL -ptype KRB5_NT_PRINCIPAL

ktpass -out postgres_pg2.keytab -princ postgres/pgdomt2.ad....@ad.com -mapUser AD\postgres_dev -pass 'UserPass2' -mapOp add -crypto ALL -ptype KRB5_NT_PRINCIPAL

Thank you very much for your help.

________________________________
From: Stephen Frost <sfr...@snowman.net>
Sent: April 29, 2019 13:35
To: Jean-Philippe Chenel
Cc: pgsql-general@lists.postgresql.org
Subject: Re: 9.6.9 Default configuration for a default installation but different with-krb-srvnam

Greetings,

* Jean-Philippe Chenel (jp.che...@live.ca) wrote:
> If I understand, the mapping can be done in the pg_ident.conf file ?

No, you do the mapping in AD.

Look at the '/princ' and '/mapuser' options used in the ktpass command
here:

https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication

Thanks,

Stephen
