Connection Manager Authentication v6.4.0

Connection Manager's authentication is configured through Postgres's own pg_hba.conf file. Connection Manager uses the same authentication methods as Postgres.

Connection Manager connection types

Connection Manager supports the following connection types in pg_hba.conf:

  • host - TCP/IP connections
  • hostssl - TCP/IP connections with SSL
  • hostnossl - TCP/IP connections without SSL

Connection Manager authentication methods

Connection Manager supports the following authentication methods in pg_hba.conf:

  • trust - No authentication
  • reject - Reject the connection
  • md5 - MD5 password authentication
  • scram-sha-256 - SCRAM-SHA-256 password authentication
  • ldap - Authenticate using an LDAP server
  • cert - SSL certificate authentication. Not recommended. See Using client certificate authentication.

Note

Connection Manager needs to be able to authenticate to the PGD nodes as the client user. Configure the pg_hba.conf file on each PGD node to accept connections originating from other PGD nodes for replication and internal communications.

When using a certificate authentication method, Connection Manager presents its server key. You must configure the PGD node to accept this certificate from the Connection Manager address.

Connection Manager supports the use of ssl_passphrase_command to decrypt the server key, provided the key is in PKCS#8 format with AES encryption.

Using client certificate authentication

We recommend against using client certificate (cert) authentication with Connection Manager.

Client certificates cannot be forwarded. Therefore, when using cert authentication, Connection Manager's connection to the PGD node must be configured to use a different authentication method, such as trust.

When using cert authentication, Connection Manager supports pg_ident.conf for user identity mapping.

Connection Manager authentication options

Connection Manager also supports regular expression matching for the user and database fields in pg_hba.conf. This allows you to specify a pattern for matching user and database names, making it easier to manage authentication for multiple users and databases.

Group membership checks are also supported. This allows you to specify a group of users that can connect to the database, rather than specifying each user individually.

Unsupported pg_hba.conf rules

A pg_hba.conf rule that Connection Manager doesn't support is logged as a warning and ignored.
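The support matrix above (connection types and methods), the cert caveat, the regex and group-membership matching, and the warn-and-skip handling of unsupported rules can all be checked before a rollout with a small script like the following. It is an added example, not EDB's code: it assumes the standard Postgres syntax for group (+role) and regex (/pattern) entries in the user and database fields, and the sample rules are constructed.

```python
# Added pre-flight checker (not EDB's tool): applies this page's support matrix and
# the standard Postgres '+group' / '/regex' field syntax to a pg_hba.conf body.
import re
import shlex
SUPPORTED_TYPES = {"host", "hostssl", "hostnossl"}
SUPPORTED_METHODS = {"trust", "reject", "md5", "scram-sha-256", "ldap", "cert"}
# Constructed sample rules for the Connection Manager side (not a shipped config).
SAMPLE_HBA = """\
hostssl    all  +app_readers   10.0.0.0/24  scram-sha-256
hostssl    all  /^svc_[a-z]+$  10.0.1.0/24  ldap ldapserver=ldap.example.com ldapbasedn="dc=example,dc=com"
hostnossl  all  all            0.0.0.0/0    reject
hostssl    all  all            10.0.2.0/24  cert map=cm_users
local      all  all                         peer
host       all  all            10.0.3.0/24  gss
"""

def parse_rule(line):
    """Split one rule into (type, db, user, address, method, options); None for blank/comment."""
    fields = shlex.split(line, comments=True)  # honours quoting, drops '# ...' comments
    if not fields:
        return None
    conn_type, db, user = fields[:3]
    # CIDR addresses only; the separate "ADDRESS NETMASK" form is not handled here.
    address, rest = (None, fields[3:]) if conn_type == "local" else (fields[3], fields[4:])
    if not rest:
        raise ValueError(f"rule has no METHOD: {line!r}")
    return conn_type, db, user, address, rest[0], rest[1:]

def check_rule(line_no, rule):
    """Return (line_no, verdict, message); 'ignored' mirrors the warn-and-skip behaviour."""
    conn_type, db, user, _address, method, _options = rule
    if conn_type not in SUPPORTED_TYPES:
        return line_no, "ignored", f"connection type '{conn_type}' is not supported"
    if method not in SUPPORTED_METHODS:
        return line_no, "ignored", f"method '{method}' is not supported"
    notes = []
    if method == "cert":  # client certificates are not forwarded to the PGD node
        notes.append("cert is not recommended; the Connection Manager to PGD node hop needs another method")
    if user.startswith("+"):
        notes.append(f"group membership check on role '{user[1:]}'")
    for label, value in (("database", db), ("user", user)):
        if value.startswith("/"):
            re.compile(value[1:])  # syntax sanity check only; Postgres uses its own ARE dialect
            notes.append(f"regex match on {label}: {value[1:]}")
    return line_no, "ok", "; ".join(notes) or "plain rule"

def check_hba(text):
    """Check every rule of a pg_hba.conf body, keeping file line numbers for the report."""
    rules = ((n, parse_rule(line)) for n, line in enumerate(text.splitlines(), start=1))
    return [check_rule(n, rule) for n, rule in rules if rule]
```

Running check_hba(SAMPLE_HBA) reports the local and gss rules as ignored and flags the cert rule, the +app_readers group check and the /^svc_[a-z]+$ user pattern on the remaining ones.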

LDAP authentication notes and constraints

Connection Manager supports the same LDAP authentication features as PostgreSQL, with the following key constraints:

  • Connection Manager does not use the OpenLDAP library for communication with the LDAP server. As a result, standard OpenLDAP configuration files (such as ldap.conf or .ldaprc) and environment variables are ignored.
  • Connection Manager validates LDAP server certificates by default when using LDAPS or LDAP StartTLS. The CA certificate that issued the LDAP server's SSL certificate must be in the system trust store.
  • Suppress validation of the LDAP server's SSL certificate by setting the LDAPTLS_REQCERT environment variable to never. Other values for this variable are ignored.