This topic describes how to configure an Active Directory (AD) domain controller on an Elastic Compute Service (ECS) instance and connect an ApsaraDB RDS for PostgreSQL instance to the self-managed AD domain.

Background information

AD is a directory service that is provided by Microsoft. A directory is a hierarchical structure that stores information about the objects on a network. An enterprise can store data, such as computer accounts, user accounts, and groups, in a directory. This way, the enterprise can improve the security of the data and manage the data in a more convenient manner.

You can connect your RDS instance to a self-managed AD domain. This way, you can manage the database users of your enterprise centrally and configure IP address whitelists at the database level and the user level to improve the security of your data.

Note The AD domain controller information is stored as records in the pg_hba.conf file of your RDS instance. You can add records for the AD domain controller to the file or modify the existing ones. Both the AD domain controller records and the rest of the pg_hba.conf file are configured in the ApsaraDB RDS console. For more information, see Introduction of pg_hba.conf file.

Prerequisites

  • Your RDS instance runs one of the following database engine versions:
    • Major engine version: PostgreSQL 10, PostgreSQL 11, PostgreSQL 12, PostgreSQL 13, or PostgreSQL 14.
    • Minor engine version: 20210228 or later. For more information about how to update the minor engine version of your RDS instance, see Update the minor engine version of an ApsaraDB RDS for PostgreSQL instance.
  • Your RDS instance uses standard SSDs or enhanced SSDs (ESSDs).
  • An ECS instance is created. For more information, see Create an ECS instance. Your RDS instance accesses the self-managed AD domain over a private IP address. Therefore, the ECS instance must meet the following conditions:
    • The ECS instance and your RDS instance reside in the same virtual private cloud (VPC).
    • The security group to which the ECS instance belongs allows access from the private IP address of your RDS instance. For more information, see Add security group rules.
    • The Windows firewall of the ECS instance is disabled by default. If the firewall is enabled, you must configure it to allow access from the private IP address of your RDS instance.
    • The image of the ECS instance runs Windows Server 2016 or later.
  • The domain account that your RDS instance uses to bind to the AD domain (the ldapbinddn account in the procedure) belongs to the Domain Admins group.
  • Your Alibaba Cloud account is used to log on to the ApsaraDB RDS console.

Procedure

  1. Configure an AD domain controller for the ECS instance.
    1. Log on to the ECS instance.
      Note The AD domain controller must run in a Windows Server operating system. We recommend that you use Windows Server 2016 or a later version. In this procedure, the AD domain controller runs in the Windows Server 2016 operating system.
    2. Search for and open Server Manager.
    3. In the left-side navigation pane, click Dashboard. On the Dashboard page, click Add roles and features.
    4. In the Add Roles and Features Wizard, configure the following parameters.
      Tab                  Description
      Before You Begin     Use the default settings.
      Installation Type    Use the default settings.
      Server Selection     Use the default settings.
      Server Roles         • Select Active Directory Domain Services. In the dialog box that appears, click Add Features.
                           • Select DNS Server. In the dialog box that appears, click Add Features.
                             Note Make sure that the ECS instance uses a fixed private IP address. If the IP address changes, the DNS server that the domain depends on becomes unreachable.
      Features             Use the default settings.
      AD DS                Use the default settings.
      DNS Server           Use the default settings.
      Install              Click Install to add the roles that you selected.
    5. After the roles are added, click Close to close the wizard.
    6. In the left-side navigation pane of Server Manager, click AD DS. In the upper-right corner of the page that appears, click More.
    7. In the All Servers Task Details and Notifications window, click Promote this server to a domain controller.
    8. In the Active Directory Domain Services Configuration Wizard, configure the following parameters.
      Tab                        Description
      Deployment Configuration   Click Add a new forest and set a Root domain name. In this procedure, pgsqldomain.net is used.
      Domain Controller Options  Set a Directory Services Restore Mode (DSRM) password.
      DNS Options                Clear Create DNS delegation.
      Additional Options         Use the default settings.
      Paths                      Use the default settings.
      Review Options             Use the default settings.
      Prerequisites Check        Click Install to promote this server to a domain controller.
      Note After the server is promoted to a domain controller, you must restart the ECS instance before you perform the subsequent steps.
  2. Add an administrator user to the AD domain controller.
    1. Log on to the ECS instance. Then, search for and open Server Manager.
    2. In the left-side navigation pane of the Server Manager page, click AD DS, right-click the AD domain controller that you want to configure, and then select Active Directory Users and Computers.
    3. Click pgsqldomain.net, right-click Users, and then choose New > User.
    4. Set the user logon name and click Next.
      Note Keep the full name of the user (the CN of the directory object) identical to the user logon name. The ldapbinddn value in step 5 is built as CN=<username>,CN=Users,DC=pgsqldomain,DC=net and does not resolve if the two differ.
    5. Set a logon password, select Password never expires, and then click Next and Finish.
    6. Double-click the created user and add the user to the Domain Admins group on the Member Of tab.
  3. Add a standard user to the AD domain controller for logon.
    Note Perform the same steps as in the "Add an administrator user to the AD domain controller" section of this topic, but do not add the user to the Domain Admins group.

    In this procedure, a standard user named ldapuser is added to the AD domain controller. This user is used to log on to the RDS instance.
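    The following PowerShell script is an added example that is not part of this topic or of Alibaba Cloud's own tooling. It performs steps 1 to 3 unattended in an elevated PowerShell session on the ECS instance. The domain name pgsqldomain.net, the container CN=Users,DC=pgsqldomain,DC=net, and the standard user ldapuser are the values used in this topic; the bind account name pgadmin and the password prompts are assumptions.

```powershell
# Added example, not from the original page: unattended equivalent of steps 1 to 3.
# Run in an elevated PowerShell session on the Windows Server 2016 or later ECS instance.
# Assumptions: pgadmin is the administrator (bind) account; passwords are entered at prompts.

# --- Step 1: install AD DS and DNS, then promote the server to a new forest ---
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM password'
Install-ADDSForest `
    -DomainName 'pgsqldomain.net' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -Force:$true
# The server restarts after promotion. Run the rest of the script after the restart,
# logged on as a domain administrator (PGSQLDOMAIN\Administrator).

# --- Steps 2 and 3: create the bind (administrator) user and the logon user ---
Import-Module ActiveDirectory
$usersContainer = 'CN=Users,DC=pgsqldomain,DC=net'   # same value as ldapbasedn in step 5

# -Name sets the CN of the object; keep it equal to -SamAccountName so that the
# ldapbinddn of step 5, CN=pgadmin,CN=Users,DC=pgsqldomain,DC=net, is correct.
$bindPassword = Read-Host -AsSecureString -Prompt 'Password for pgadmin'
New-ADUser -Name 'pgadmin' -SamAccountName 'pgadmin' -Path $usersContainer `
    -AccountPassword $bindPassword -PasswordNeverExpires $true -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members 'pgadmin'   # as the topic prescribes

$userPassword = Read-Host -AsSecureString -Prompt 'Password for ldapuser'
New-ADUser -Name 'ldapuser' -SamAccountName 'ldapuser' -Path $usersContainer `
    -AccountPassword $userPassword -Enabled $true
# ldapuser is deliberately NOT added to Domain Admins.

# --- Verification: reproduce the search that PostgreSQL will run in step 5 ---
# With ldapsearchattribute="sAMAccountName", PostgreSQL searches ldapbasedn for
# (sAMAccountName=<database username>) and requires exactly one matching object.
$found = Get-ADUser -LDAPFilter '(sAMAccountName=ldapuser)' `
    -SearchBase $usersContainer -SearchScope Subtree
if ($null -eq $found) {
    throw 'ldapuser not found under the base DN; LDAP authentication would fail'
}
$found.DistinguishedName   # CN=ldapuser,CN=Users,DC=pgsqldomain,DC=net
```

    The script stops at Install-ADDSForest because promotion restarts the server; the user-creation half is rerun after the restart. The final Get-ADUser call uses the same base DN and filter that the ldap record in step 5 will make PostgreSQL send, so a missing or duplicate result here shows up as a failed database logon later.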

  4. Configure security group rules for the ECS instance.
    1. Log on to the ECS console.
    2. In the left-side navigation pane, choose Instances & Images > Instances.
    3. In the top navigation bar, select the region where the ECS instance resides.
    4. On the Instances page, find the ECS instance that hosts the AD domain controller and click the ID of the ECS instance.
    5. In the left-side navigation pane, click Security Groups. On the page that appears, click Add Rules.
      Note A number of ports must be opened for a domain controller. We recommend that you place the AD domain controller in a dedicated security group rather than in a security group that it shares with other ECS instances. PostgreSQL's LDAP authentication itself uses only the LDAP port (389, or 636 when LDAPS is used); the other ports in the following table are needed by Windows hosts that join the domain, so open only the ports that your environment actually requires.
    6. On the Inbound tab, click Add Rule to allow your RDS instance to access the ECS instance over the following ports.
      Protocol type   Port range        Description
      TCP             88                Kerberos authentication.
      TCP             135               Remote Procedure Call (RPC) endpoint mapper.
      TCP/UDP         389               Lightweight Directory Access Protocol (LDAP).
      TCP             445               Common Internet File System (CIFS) protocol.
      TCP             3268              Global Catalog.
      TCP/UDP         53                DNS service.
      TCP             49152 to 65535    Default dynamic port range for RPC connections. Enter the range in the following format: 49152/65535.
  5. Configure your RDS instance.
    1. Go to the RDS instance list, select the region in the top navigation bar, and click the ID of the target instance.
    2. Create an account named ldapuser. For more information, see Create an account on an ApsaraDB RDS for PostgreSQL instance.
      Note The username of the RDS account must be identical to the name of the standard user that is created in the AD domain. The passwords of the two accounts can differ: when a connection matches the LDAP record, the AD domain controller verifies the password of the AD user; when a connection matches an md5 record instead, ApsaraDB RDS verifies the password of the RDS account. You can set the password of the RDS account on the Accounts page in the ApsaraDB RDS console.
    3. In the left-side navigation pane, click Accounts. On the page that appears, click the AD Domain Services tab.
      When the AD Domain Services tab is opened for the first time, ApsaraDB RDS creates the following two records by default:
      host    all            all    0.0.0.0/0    md5
      host    replication    all    0.0.0.0/0    md5

      You can delete or modify these two records.

    4. Click Edit for the first default record and modify the following parameters.
      Note The following table describes only the parameters that are used in this example. For more information, see Official documentation of PostgreSQL.
      Parameter   Example value   Description
      priority    0               The position of the record in pg_hba.conf. Records are evaluated from top to bottom, and the first record whose TYPE, DATABASE, USER, and ADDRESS all match a connection decides how that connection is authenticated. The value 0 is the highest priority and places the record first. Set this parameter to 0 for the LDAP record so that it is matched before the catch-all md5 records.
      TYPE        host            The type of connection that the record matches. Valid values:
                                  • host: TCP/IP connections, with or without SSL.
                                  • hostssl: only TCP/IP connections that are established over SSL.
                                    Note This value takes effect only when SSL encryption is enabled for your RDS instance. For more information, see Configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance.
                                  • hostnossl: only TCP/IP connections that are established without SSL.
      DATABASE    all             The databases that the record applies to. If the value is all, the record applies to all databases of your RDS instance. Separate multiple database names with commas (,).
      USER        ldapuser        The database users that the record applies to. Valid values: usernames that exist both as accounts of your RDS instance and as standard users in the AD domain. Separate multiple usernames with commas (,).
                                  Note Specify only the usernames of standard users that are created in the AD domain.
      ADDRESS     0.0.0.0/0       The client IP addresses that the record applies to, as an address with a CIDR mask. If the value is 0.0.0.0/0, the record applies to connections from all IP addresses.
      MASK        None            The netmask for the ADDRESS parameter. Specify it only when ADDRESS is an IP address without a CIDR mask. Leave it empty when ADDRESS uses CIDR notation, as in this example.
      METHOD      ldap            The authentication method. Valid values: trust, reject, scram-sha-256, md5, password, gss, sspi, ldap, radius, cert, and pam.
                                  Note The values are case-sensitive and must be lowercase. LDAP is a protocol for accessing directory services such as AD. In this topic, ldap is used as an example.
      OPTION      ldapserver= <The private IP address of the ECS instance> ldapbasedn="CN=Users,DC=pgsqldomain,DC=net" ldapbinddn="CN= <The username of the administrator user of the AD domain controller> ,CN=Users,DC=pgsqldomain,DC=net" ldapbindpasswd=" <The password of the administrator user of the AD domain controller> " ldapsearchattribute="sAMAccountName"
                                  The options of the authentication method. Which options are required depends on the value of METHOD. For ldap, this example uses search+bind mode: your RDS instance first binds to the AD domain controller as ldapbinddn with ldapbindpasswd, searches the subtree under ldapbasedn for an object whose ldapsearchattribute (sAMAccountName) equals the database username, and, if exactly one object is found, binds again as that object with the password that the client supplied. For more information, see Authentication Methods.
                                  Note The bind account password is stored in clear text in this parameter, and the searches and binds are sent to port 389 unencrypted unless the PostgreSQL ldaptls=1 option (or, in PostgreSQL 11 and later, ldapscheme=ldaps) is used; check whether your RDS instance accepts these options before you rely on them. Searching sAMAccountName under CN=Users does not require Domain Admins membership, so a dedicated read-only bind account limits the impact if the stored password is exposed.
    5. Click Add to add a new record with the following values:
      host    all            all    0.0.0.0/0    md5
    6. Click OK, and then click Submit.
      Note After you click Submit, the status of your RDS instance changes to Maintaining Instance. This process takes about 1 minute. The new configuration takes effect only for new connections. You must close the existing connections and reconnect.
  6. (Optional) Import the service information of one or more AD domains at a time. In addition to editing records one by one, ApsaraDB RDS for PostgreSQL allows you to paste multiple records into the Edit AD domain text box.
    The following three import methods are supported:
    • Overwrite existing service information: Replace all existing records with the imported records.
    • Additional service information (highest priority): Insert the imported records before the existing records. Because pg_hba.conf records are matched from top to bottom, the imported records take precedence over the existing records.
    • Additional service information (lowest priority): Append the imported records after the existing records. The existing records take precedence over the imported records.
    Valid format:
    TYPE|DATABASE|USER|ADDRESS|MASK|METHOD|OPTION

    Enter one record per line in the Edit AD domain text box. Leave a field empty to omit it, as the MASK field is omitted in the following example. For more information about the fields, see the table in Step 5.

    Example:
    host|all|<The username of the standard user of the AD domain controller>|0.0.0.0/0||ldap|ldapserver=<The private IP address of the ECS instance> ldapbasedn="CN=Users,DC=pgsqldomain,DC=net" ldapbinddn="CN=<The username of the administrator user of the AD domain controller>,CN=Users,DC=pgsqldomain,DC=net" ldapbindpasswd="<The password of the administrator user of the AD domain controller>" ldapsearchattribute="sAMAccountName"
  7. Test the connection.
    Use a PostgreSQL command-line tool to connect to your RDS instance.
    Note You can connect to your RDS instance by using multiple methods. In this topic, the psql command-line tool is used, which requires a PostgreSQL client installation. For more information, see Connect to an ApsaraDB RDS for PostgreSQL instance.

    Run the following command to connect to your RDS instance. When you are prompted for a password, enter the password of the standard user in the AD domain, not the password that is set for the account in the ApsaraDB RDS console:

    psql -h <The endpoint of your RDS instance> -U ldapuser -p 5432 -d postgres
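    Before you run psql, you can reproduce from the AD side the exact LDAP exchange that the ldap record in step 5 makes PostgreSQL perform, which isolates a wrong OPTION value from a wrong pg_hba.conf record or a blocked port. The following PowerShell script is an added example, not code from this topic or from Alibaba Cloud; it runs on any Windows host in the VPC and uses the System.DirectoryServices.Protocols assembly. The base DN, search attribute and the ldapuser name are the values from step 5; the server IP address 192.168.0.10 and the bind account name pgadmin are placeholders.

```powershell
# Added example, not from the original page: perform the same search+bind sequence as
# PostgreSQL's ldap method with the OPTION values of step 5. Placeholders: the server
# address and the bind account name pgadmin; passwords are entered at the prompts.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapServer = '192.168.0.10'                               # placeholder for ldapserver=
$baseDn     = 'CN=Users,DC=pgsqldomain,DC=net'             # ldapbasedn=
$bindDn     = 'CN=pgadmin,CN=Users,DC=pgsqldomain,DC=net'  # ldapbinddn=
$bindPw     = Read-Host -Prompt 'ldapbindpasswd'           # ldapbindpasswd=
$searchAttr = 'sAMAccountName'                             # ldapsearchattribute=
$dbUser     = 'ldapuser'                                   # the psql -U value
$userPw     = Read-Host -Prompt "Password for $dbUser"     # what the client types at psql

function Connect-Ldap([string]$Server, [string]$Dn, [string]$Password) {
    # Simple bind on port 389: the DN and password cross the VPC in clear text,
    # exactly as PostgreSQL sends them unless ldaptls=1 or LDAPS is configured.
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Bind([System.Net.NetworkCredential]::new($Dn, $Password))
    return $conn
}

# Phase 1: bind as ldapbinddn and search ldapbasedn for (<searchAttr>=<dbUser>).
$svc    = Connect-Ldap $ldapServer $bindDn $bindPw
$filter = "($searchAttr=$dbUser)"
$req    = [System.DirectoryServices.Protocols.SearchRequest]::new(
              $baseDn, $filter,
              [System.DirectoryServices.Protocols.SearchScope]::Subtree,
              [string[]]@('distinguishedName'))
$resp   = [System.DirectoryServices.Protocols.SearchResponse]$svc.SendRequest($req)
$svc.Dispose()

# PostgreSQL refuses the login unless exactly one entry matches the filter.
if ($resp.Entries.Count -ne 1) {
    throw "Expected exactly 1 match for $filter under $baseDn, got $($resp.Entries.Count)"
}
$userDn = $resp.Entries[0].DistinguishedName

# Phase 2: bind again as the DN that was found, with the password the client supplied.
try {
    $usr = Connect-Ldap $ldapServer $userDn $userPw
    $usr.Dispose()
    "search+bind succeeded for $userDn; the OPTION values in step 5 are consistent"
} catch [System.DirectoryServices.Protocols.LdapException] {
    "bind as $userDn failed: $($_.Exception.Message) (wrong password or disabled account)"
}
```

    If phase 1 raises an exception, the bind DN, bind password, or network path to port 389 is wrong; if it returns zero entries, the base DN or the sAMAccountName does not match the database username; if it returns more than one entry, PostgreSQL also rejects the logon. A failure only in phase 2 points at the password or state of the standard user rather than at the pg_hba.conf record.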

View the modification history of AD domain service information

  1. Go to the RDS instance list, select the region in the top navigation bar, and click the ID of the target instance.
  2. In the left-side navigation pane, click Accounts. On the page that appears, click the AD Domain Services Edit History tab.
  3. View the change details in the Actions column. If a modification fails, its status is Not Taking Effect. Click Change Log to view the error message.