This topic describes how to configure an Active Directory (AD) domain controller for an Elastic Compute Service (ECS) instance and connect an ApsaraDB MyBase PostgreSQL instance to the AD domain.

Prerequisites

An ApsaraDB MyBase instance must use an internal IP address to connect to a self-managed domain. Make sure that the following requirements are met:
  • The ECS instance where the AD domain controller runs and the ApsaraDB MyBase instance reside in the same virtual private cloud (VPC).
  • The security group to which the ECS instance belongs is configured to allow access from the internal IP address of the ApsaraDB MyBase instance. For more information, see Add security group rules.
  • By default, the firewall feature of the ECS instance is disabled. If you have enabled the firewall feature, you must configure the firewall feature to allow access from the internal IP address of the ApsaraDB MyBase instance.

Background information

AD is a directory service that is provided by Microsoft. A directory is a hierarchical structure that stores information about the objects on the same LAN. An enterprise can store data, such as computer accounts, user accounts, and groups, in a directory. This way, the enterprise can improve data security and manage the data in a more convenient manner. ApsaraDB MyBase for PostgreSQL instances can be connected to self-managed AD domains for centralized management and user access security.
Note If you want to modify or import AD Domain Services (AD DS) information for an ApsaraDB MyBase for PostgreSQL instance, you must configure the pg_hba.conf file of the instance. The ApsaraDB MyBase console allows you to configure the AD DS feature and the pg_hba.conf file. For more information, see Introduction to pg_hba.conf file.

Step 1: Configure an AD domain controller for an ECS instance

  1. Log on to an ECS instance that runs on the Windows Server 2016 operating system.
    Note An AD domain controller must run on a Windows Server operating system. We recommend that you use Windows Server 2016 or a later version. In this example, the AD domain controller runs on the Windows Server 2016 operating system.
  2. Search for and open Server Manager.
  3. In the left-side navigation pane, click Dashboard. On the Dashboard page, click Add roles and features.
  4. In the Add Roles and Features Wizard dialog box, configure the parameters described in the following table.
    Tab: Description
    Before You Begin: Use the default settings.
    Installation Type: Use the default settings.
    Server Selection: Use the default settings.
    Server Roles:
    • Select Active Directory Domain Services. In the dialog box that appears, click Add Features.
    • Select DNS Server. In the dialog box that appears, click Add Features.
      Note Make sure that the ECS instance uses a fixed IP address. If the IP address changes dynamically, the DNS server becomes unavailable.
    Features: Use the default settings.
    AD DS: Use the default settings.
    DNS Server: Use the default settings.
    Confirmation: Click Install.
  5. After the installation is complete, click Close to close the wizard.
  6. In the left-side navigation pane of the Server Manager page, click AD DS. Then, click More in the upper-right corner.
  7. In the All Servers Task Details and Notifications dialog box, click Promote this server to a domain controller.
  8. In the Active Directory Domain Services Configuration Wizard dialog box, configure the parameters described in the following table.
    Tab: Description
    Deployment Configuration: Select Add a new forest and specify a Root domain name. In this example, pgsqldomain.net is used.
    Domain Controller Options: Specify a Directory Services Restore Mode (DSRM) password.
    DNS Options: Clear Create DNS delegation.
    Additional Options: Use the default settings.
    Paths: Use the default settings.
    Review Options: Use the default settings.
    Prerequisites Check: Click Install to promote this server to a domain controller.
    Note After you configure the domain controller, you must restart the ECS instance before you perform the subsequent steps.

Step 2: Add an administrator user to the AD domain controller

  1. Log on to the ECS instance. Search for and open Server Manager.
  2. In the left-side navigation pane of the Server Manager page, click AD DS. Right-click the domain controller that you want to configure and select Active Directory Users and Computers.
  3. In the dialog box that appears, right-click Users in pgsqldomain.net and choose New > User.
  4. Specify a user logon name and click Next.
  5. Set a logon password, select Password never expires, and then click Next and Finish.
  6. Double-click the created user and add the user to the Domain Admins administrator group.
    After the user is added, the Domain Admins group is listed on the Member Of tab of the user.

Step 3: Add a standard user to the AD domain controller

Note You can perform the same steps that are described in the "Step 2: Add an administrator user to the AD domain controller" section of this topic. A standard user does not need to be added to the Domain Admins administrator group.

In this example, a standard user named ldapuser is added to the AD domain controller. This user is used to log on to the ApsaraDB MyBase for PostgreSQL instance.

Step 4: Configure security group rules for the ECS instance

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, find the ECS instance that runs on Windows Server 2016 and click the instance ID.
  5. Click the Security Groups tab. Find the security group to which you want to add rules and click Add Rules in the Actions column.
    Note A number of ports must be enabled for the AD domain controller. We recommend that you configure a separate security group for the AD domain controller rather than configuring the AD domain controller in the same security group as other ECS instances.
  6. On the Inbound tab, click Add Rule to allow the ApsaraDB MyBase instance to access the ECS instance over the ports described in the following table.
    Protocol type   Port range        Description
    TCP             88                The port for the Kerberos authentication protocol.
    TCP             135               The port for the Remote Procedure Call (RPC) protocol.
    TCP/UDP         389               The port for the Lightweight Directory Access Protocol (LDAP).
    TCP             445               The port for the Common Internet File System (CIFS) protocol.
    TCP             3268              The port for Global Catalog.
    TCP/UDP         53                The port for the DNS service.
    TCP             49152 to 65535    The default dynamic port range for connections. Enter the range in the following format: 49152/65535.

Step 5: Configure an ApsaraDB MyBase for PostgreSQL instance

  1. Log on to the ApsaraDB MyBase console.
  2. In the upper-left corner of the page, select a region.
  3. In the left-side navigation pane, choose Instances > PostgreSQL. On the page that appears, find the instance that you want to configure and click Details in the Actions column.
  4. In the left-side navigation pane, click Accounts. On the page that appears, create an account named ldapuser. For more information, see Create a database account.
    Note The name of the account created in the ApsaraDB MyBase console must be the same as the name of the standard account created for the AD domain controller. The passwords of the two accounts can be different. When the AD domain controller is used to control user access, the password of the standard account created for the AD domain controller is verified. When the AD domain controller is not used to control user access, the password of the account created in the ApsaraDB MyBase console is verified.
  5. Click the AD Domain Services tab.
    The first time you click the AD Domain Services tab, the following default records are displayed:
    host    all            all    0.0.0.0/0    md5
    host    replication    all    0.0.0.0/0    md5

    You can delete or modify these records.

  6. Click Edit corresponding to the first default record and modify the parameters described in the following table.
    Note The following table describes only the examples and meanings of the parameters. For more information, see Official documentation of PostgreSQL.
    Parameter (example): Description
    priority (example: 0): The priority of the record, which is automatically generated. A value of 0 indicates the highest priority among the AD DS records.
    TYPE (example: host): The type of connections that the record applies to. Valid values:
    • host: The record applies to TCP/IP connections, both SSL and non-SSL.
    • hostssl: The record applies only to TCP/IP connections that are established over SSL.
      Note This value takes effect only when SSL encryption is enabled. For more information, see Configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance.
    • hostnossl: The record applies only to TCP/IP connections that are established without SSL.
    DATABASE (example: all): The databases that the user is allowed to access. A value of all indicates that all databases can be accessed. Separate multiple values with commas (,).
    USER (example: ldapuser): The users that are allowed to connect to the database. Separate multiple values with commas (,).
      Note Specify the name of the standard user created on the AD domain controller.
    ADDRESS (example: 0.0.0.0/0): The IP address or CIDR block from which the user can connect to the database. A value of 0.0.0.0/0 indicates that the user can connect from any IP address.
    MASK (example: None): The IP address mask. Specify this parameter only if the value of the ADDRESS parameter is a single IP address rather than a CIDR block.
    METHOD (example: ldap): The authentication method for the AD DS feature. Valid values:
    • trust
    • reject
    • scram-sha-256
    • md5
    • password
    • gss
    • sspi
    • ldap
    • radius
    • cert
    • pam
      Note Values of this parameter must be in lowercase letters. Lightweight Directory Access Protocol (LDAP) is a protocol that is used to query directory services such as AD, and it is the method used in this example.
    OPTION (example: ldapserver=<Private IP address of the ECS instance> ldapbasedn="CN=Users,DC=pgsqldomain,DC=net" ldapbinddn="CN=<Username of the administrator user of the AD domain controller>,CN=Users,DC=pgsqldomain,DC=net" ldapbindpasswd="<Password of the administrator user>" ldapsearchattribute="sAMAccountName"): An optional parameter. Its value depends on the value of the METHOD parameter. In this example, LDAP is used and you must configure this parameter. For more information, see LDAP Authentication.
  7. Click add corresponding to the first default record and specify the following information to create a record:
    host    all     all    0.0.0.0/0    md5
  8. Click OK corresponding to the new record. In the upper-left corner of the tab, click Submit.
    Note After you click Submit, the state of the instance changes to Maintaining Instance. This process takes about 1 minute. The modified configurations take effect only for new connections. To make the new configurations take effect for existing connections, you must close the connections and reconnect to the instance.
  9. (Optional) Import the AD DS information in batches.
    The following import methods are supported:
    • Overwrite existing AD DS information
    • Append AD DS information (highest priority): Append AD domain records at the beginning of the existing AD DS information. The priority of the appended information is higher than that of the existing AD DS information.
    • Append AD DS information (lowest priority): Append AD domain records at the end of the existing AD DS information. The priority of the appended information is lower than that of the existing AD DS information.
    Valid format:
    TYPE|DATABASE|USER|ADDRESS|MASK|METHOD|OPTION

    Enter the AD DS information that you want to import in the Edit AD domain text editor. For more information about the parameters, see the table in Step 5.

    Example:
    host|all|<Standard user of the AD domain controller>|0.0.0.0/0||ldap|ldapserver=<Private IP address of the ECS instance> ldapbasedn="CN=Users,DC=pgsqldomain,DC=net" ldapbinddn="CN=<Username of the administrator user of the AD domain controller>,CN=Users,DC=pgsqldomain,DC=net" ldapbindpasswd="<Password of the administrator user>" ldapsearchattribute="sAMAccountName"
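The following Python checker is an added example and not Alibaba Cloud's code. It parses a line in the pipe-delimited import format above, applies the rules from the parameter table in step 6 (valid TYPE, lowercase METHOD, ADDRESS with or without MASK, the LDAP options the example record needs), renders the resulting pg_hba.conf line, and flags the settings a reviewer would question before submitting. The IP address, bind user and password used in the sample line are constructed placeholders.

```python
import ipaddress
import shlex

# Values the page lists for TYPE and METHOD (METHOD must be lowercase).
VALID_TYPES = {"host", "hostssl", "hostnossl"}
VALID_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
                 "sspi", "ldap", "radius", "cert", "pam"}
# Options the search+bind LDAP record on this page relies on.
LDAP_REQUIRED = {"ldapserver", "ldapbasedn", "ldapbinddn",
                 "ldapbindpasswd", "ldapsearchattribute"}


def parse_import_line(line):
    """Parse one TYPE|DATABASE|USER|ADDRESS|MASK|METHOD|OPTION import line.

    Returns (record, warnings); raises ValueError for a record the console
    would reject or that could never authenticate the intended user."""
    fields = [f.strip() for f in line.rstrip("\n").split("|")]
    if len(fields) != 7:
        raise ValueError(f"expected 7 pipe-separated fields, got {len(fields)}")
    typ, db, user, addr, mask, method, option = fields
    if typ not in VALID_TYPES:
        raise ValueError(f"unknown TYPE {typ!r}")
    if method not in VALID_METHODS:
        raise ValueError(f"METHOD {method!r} is not a valid lowercase method")
    # MASK applies only when ADDRESS is a bare IP; otherwise ADDRESS is CIDR.
    net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
    # OPTION is space-separated key=value pairs; shlex strips the double quotes.
    opts = dict(kv.split("=", 1) for kv in shlex.split(option))
    warnings = []
    if method == "ldap":
        missing = LDAP_REQUIRED - opts.keys()
        if missing:
            raise ValueError(f"ldap record is missing {sorted(missing)}")
        warnings.append("ldapbindpasswd sits in clear text in pg_hba.conf; "
                        "use a bind account with read-only directory rights")
    if method in ("trust", "password"):
        warnings.append(f"METHOD {method} does not verify a hashed password")
    if net.prefixlen == 0:
        warnings.append("ADDRESS matches every source; narrow it to the MyBase VPC CIDR")
    record = {"type": typ, "database": db, "user": user, "address": str(net),
              "method": method, "options": opts}
    return record, warnings


def to_pg_hba(record):
    """Render a parsed record as the pg_hba.conf line the console applies."""
    opts = " ".join(f'{k}="{v}"' for k, v in record["options"].items())
    return " ".join(x for x in [record["type"], record["database"], record["user"],
                                record["address"], record["method"], opts] if x)
```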

Step 6: Test connectivity

Use a PostgreSQL command-line tool to connect to the ApsaraDB MyBase instance.

Note You can connect to the ApsaraDB MyBase instance by using multiple methods. In this example, a PostgreSQL command-line tool is used. You must install PostgreSQL before you use the PostgreSQL command-line tool. For more information, see Connect to an instance.

Run the following command to connect to the ApsaraDB MyBase instance by using the username and password of the standard user created for the AD domain controller:

psql -h <Endpoint of the ApsaraDB MyBase instance> -U ldapuser -p 5432 -d postgres