Pivotal Knowledge Base


How to configure PAM for authenticating Greenplum Users

Environment

Product Version
Pivotal Greenplum (GPDB) All versions
OS  

Purpose

How to configure Pluggable Authentication Modules (PAM) for Greenplum?

Resolution

The steps below walk through an example in which the goal is to enable PAM authentication for the Greenplum user "alice".

  • Create a Linux user

In this example, create a Linux user named "alice" with password "alice," and su to "alice" for testing.

[gpadmin@mdw pg_log]$ su - alice
Password:
[alice@mdw ~]$
  • Configure Greenplum for PAM

Add one line to pg_hba.conf for "alice" with the authentication method "pam". The address 0.0.0.0 with mask 0.0.0.0 used in this example matches every IPv4 client address.

[gpadmin@mdw]$ more pg_hba.conf
host    all     alice   0.0.0.0 0.0.0.0 pam
  • Create /etc/pam.d/postgresql with content as follows
[gpadmin@mdw]$ more /etc/pam.d/postgresql
#%PAM-1.0
auth      include      system-auth
account   include      system-auth
password  include      system-auth
session   include      system-auth
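  • Change the permissions on the /etc/shadow file to 404. The Greenplum server runs as gpadmin, not root, and needs read access to the password hashes for the PAM check; mode 404 also makes those hashes readable by every local account on the host.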
[gpadmin@mdw]$ ls -l /etc/shadow
-r-----r-- 1 root root 2221 Oct 24 13:26 /etc/shadow
  • Create a role named "alice" in Greenplum with login permission.
=# create role alice with login;
CREATE ROLE
  • Try to connect to Greenplum using user "alice" via PAM.
[gpadmin@mdw]$ psql -U alice -h mdw
Password for user alice:
Timing is on.
psql (8.2.15)
Type "help" for help.
viadea=>
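
The checks below are an added example, not part of the original article: a POSIX shell audit of the three files this procedure edits, run against constructed copies in a temporary directory. The function names and the sample contents (including the second user "bob" and the misspelled PAM line) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the files this procedure edits.
# Paths are arguments, so copies can be checked instead of the live files.

# Print each PAM management group that has no rule in the service file.
missing_pam_groups() {
    for group in auth account password session; do
        grep -Eq "^[[:space:]]*-?${group}[[:space:]]" "$1" || echo "$group"
    done
}

# Print pg_hba.conf host lines that use pam and accept any IPv4 source.
open_pam_hba_lines() {
    awk '$1 ~ /^host/ {
        pam = 0
        for (i = 4; i <= NF; i++) if ($i == "pam") pam = 1
        if (pam && ($4 == "0.0.0.0/0" || ($4 == "0.0.0.0" && $5 == "0.0.0.0")))
            print
    }' "$1"
}

# Succeed if "other" has read permission (8th character of ls -l output).
world_readable() {
    [ "$(ls -ld -- "$1" | cut -c8)" = "r" ]
}

# Constructed sample files; the PAM file has a misspelled account line.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#%PAM-1.0' \
    'auth      include      system-autha' \
    'ccount    include      system-auth' \
    'password  include      system-auth' \
    'session   include      system-auth' > "$demo/postgresql"
printf '%s\n' '# TYPE DATABASE USER ADDRESS METHOD' \
    'local   all     gpadmin ident' \
    'host    all     alice   0.0.0.0 0.0.0.0 pam' \
    'host    all     bob     10.0.0.0/8 pam' > "$demo/pg_hba.conf"
: > "$demo/shadow"; chmod 404 "$demo/shadow"

echo "missing PAM groups: $(missing_pam_groups "$demo/postgresql")"
echo "pam entries open to any address:"; open_pam_hba_lines "$demo/pg_hba.conf"
world_readable "$demo/shadow" && echo "shadow copy is world-readable"
```

To audit a real host, pass the live paths (/etc/pam.d/postgresql, the master's pg_hba.conf, /etc/shadow) to the same functions.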

