gnumed-devel

[Gnumed-devel] other authentication methods


From: Syan Tan
Subject: [Gnumed-devel] other authentication methods
Date: Tue, 07 Feb 2006 22:42:18 +0800

Some homework on LDAP, Kerberos, BIND and PostgreSQL:

- Kerberos could be used as an all-in-one authentication method. Users log in with kinit and manage their passwords with kpasswd. It allows combined authenticated access to LDAP and PostgreSQL. PostgreSQL user names must be the name of the principal being used to log in (e.g. there also has to be a gm-dbo/localhost.localdomain principal, if the host is localhost and the domain is localdomain). PostgreSQL needs to exist as a principal, and the principal name has to be postgres/hosturl where hosturl is the host and domain used. The instructions in the PostgreSQL admin guide work exactly, i.e. use ank -randkey followed by ktadd -k krb5.keytab, where krb5.keytab should be readable by the postgres unix user, so you need to chown postgres.postgres on, say, /etc/postgresql/8.0/main/krb5.keytab (this would be a choice of location for postgres's key table).

In pg_hba.conf, an entry with the intranet CIDR should be used alongside the 127.0.0.1 default host entry, e.g. 192.168.1.6/32 where 192.168.1.6 is mapped to whatever host and domain names are used for the postgres/ principal.

After that, psql -U gm-dbo -h myhost.mydomain gnumed_v2 should work after a kinit. Various errors include: permission denied (the krb5.keytab that postgresql.conf points to isn't readable by the postgres unix user), key wrong version (use the PostgreSQL admin guide steps as above to generate the copy of the postgres principal key), hostname problems (try setting /etc/hosts with an explicit mapping of, say, 192.168.1.6 to myhost.mydomain).

Gnumed doesn't use psql, so will it work using dbapi? Yes it does: once a user kinits as an authenticated Kerberos user, then dbapi will allow a connect to a dbapi DSN *which doesn't have a password* (as long as the server side of the Kerberos key table setup has been done). On the other hand, if you "kdestroy" the credentials cache in /tmp/krb5cc_nnnn then dbapi (pyPgSQL.PgSQL) won't connect in Python, and if you kinit -p as a principal whose name before the slash doesn't correspond with a registered postgres user, dbapi will come back with "user doesn't exist".

So Kerberos will more or less work out of the box with Gnumed and with LDAP, so both can be used together.

BTW there's a GUI for LDAP called luma which could be used as the update manager for an LDAP address book for Gnumed; it's in python-qt and is a package on Debian testing. Work would still need to be done when associating site encryption certificates and signing using PKCS12 attributes of senders, in order to properly integrate sending documents in Gnumed (but maybe the agent could be kmail or some other mail client that also reads LDAP directories and can use PKI-attributed objects; this would save some programming).
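The server-side procedure described in the message above (service principal, keytab owned by the postgres unix user, pg_hba.conf CIDR line, /etc/hosts mapping), collected into one script as an added example. This is not code from the original message or from the GNUmed project. The host name myhost.mydomain, the address 192.168.1.6, the keytab path /etc/postgresql/8.0/main/krb5.keytab, the database gnumed_v2 and the user gm-dbo are the values the message uses and are assumptions here; the `setup_service_principal` and `client_connect` functions need a KDC and are defined but not run, while the check functions run offline against any pg_hba.conf and hosts-format file.

```shell
#!/bin/sh
# Added example, not code from the original message or from GNUmed.
# PostgreSQL 8.0 Kerberos setup as described above, plus offline checks
# for the failure modes the message lists: keytab not owned by the
# postgres unix user, no krb5 line for the intranet host in pg_hba.conf,
# and the host name not mapped in /etc/hosts.
# Assumed names (from the message): host myhost.mydomain at 192.168.1.6,
# keytab /etc/postgresql/8.0/main/krb5.keytab, database gnumed_v2, user gm-dbo.

PG_HOST=myhost.mydomain
PG_IP=192.168.1.6
KEYTAB=/etc/postgresql/8.0/main/krb5.keytab
PG_HBA=/etc/postgresql/8.0/main/pg_hba.conf

# Create the postgres/<host> service principal with a random key and
# export it into the keytab that postgresql.conf's krb_server_keyfile
# points at. Not invoked here: needs a KDC and root on the database host.
setup_service_principal() {
    kadmin.local -q "ank -randkey postgres/$PG_HOST"
    kadmin.local -q "ktadd -k $KEYTAB postgres/$PG_HOST"
    chown postgres:postgres "$KEYTAB"
    chmod 600 "$KEYTAB"
}

# Client side: obtain a ticket for the principal whose name matches the
# database user, then connect with no password. Not invoked here.
client_connect() {
    kinit gm-dbo
    psql -U gm-dbo -h "$PG_HOST" gnumed_v2 -c 'select current_user'
}

# pg_hba.conf line for one intranet host: host <db> <user> <ip>/32 krb5
# (8.0 syntax; goes alongside the default 127.0.0.1 entry).
pg_hba_entry() {
    printf 'host\t%s\t%s\t%s/32\tkrb5\n' "$1" "$2" "$3"
}

# Does pg_hba.conf FILE ($1) contain a non-comment krb5 line for CIDR ($2)?
pg_hba_has_krb5_entry() {
    awk -v cidr="$2" '
        $1 == "host" && $4 == cidr && $5 == "krb5" { found = 1 }
        END { exit !found }' "$1"
}

# Owner of FILE ($1) as reported by ls, for comparing against "postgres".
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Does hosts-format FILE ($3) map IP ($2) to NAME ($1)? Comment lines skipped.
hosts_maps() {
    awk -v name="$1" -v ip="$2" '
        $1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit !found }' "$3"
}

# Run the three offline checks against the real paths; one line per problem.
check_server() {
    status=0
    [ "$(file_owner "$KEYTAB")" = postgres ] \
        || { echo "keytab $KEYTAB not owned by postgres (permission denied at connect)"; status=1; }
    pg_hba_has_krb5_entry "$PG_HBA" "$PG_IP/32" \
        || { echo "no krb5 line for $PG_IP/32 in $PG_HBA"; status=1; }
    hosts_maps "$PG_HOST" "$PG_IP" /etc/hosts \
        || { echo "/etc/hosts does not map $PG_IP to $PG_HOST"; status=1; }
    return $status
}
```

Run `check_server` as root on the database host after `setup_service_principal`; the third error in the message, "key wrong version", is not something a file check can catch, so compare the kvno that `klist -k "$KEYTAB"` prints with the one the KDC holds for postgres/myhost.mydomain and re-run ktadd if they differ.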
