Re: User Authentication: LDAP and "local" accounts concurrently?

Greetings,

* Lentes, Bernd (bernd.lentes@xxxxxxxxxxxxxxxxxxxxx) wrote:
> ----- On Nov 23, 2018, at 4:17 PM, Stephen Frost sfrost@xxxxxxxxxxx wrote:
> > * Lentes, Bernd (bernd.lentes@xxxxxxxxxxxxxxxxxxxxx) wrote:
> >> I created a Postgres Server 9.6 on a SLES 12 SP3 box. In our institution we have
> >> a Windows ADS which I like to use to authenticate users via LDAP.
> > 
> > For running PostgreSQL in a Windows ADS environment, you should really
> > be using GSSAPI / Kerberos and *not* using LDAP authentication.
> > 
> > GSSAPI / Kerberos is what Windows uses to authenticate users and
> > services and it's much more secure than using LDAP.
> 
> thanks for your answer. I'm not familiar with LDAP, GSSAPI and Kerberos.
> Why is it more secure?

With LDAP, the user's password will be seen by the PostgreSQL server,
and sent over the wire in cleartext unless you're making sure to use TLS
on the connection to PG (and if you're doing that you really want to
make sure you have verify-full enabled on your clients....).

With Kerberos/GSSAPI, the authentication tokens are encrypted by the KDC
(in your case, the AD domain controllers) and the user's password is
never exposed.

Thanks!

Stephen
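
An added example, not part of the original message or of PostgreSQL: a small Python check over a constructed pg_hba.conf that separates rules where an LDAP password can reach the server without TLS from rules where TLS protects it in transit, and from GSSAPI rules where no password is sent. Host names, realm and networks are placeholders, and the verdict labels are this example's own.

```python
import shlex

# Constructed sample pg_hba.conf; host names, realm and networks are placeholders.
SAMPLE_HBA = '''\
# TYPE   DATABASE  USER      ADDRESS               METHOD
local    all       postgres                        peer
host     all       all       10.0.0.0/8            ldap ldapserver=dc1.example.com ldapsuffix="@example.com"
hostssl  all       all       10.1.0.0/16           ldap ldapserver=dc1.example.com ldapsuffix="@example.com"
host     all       all       10.2.0.0 255.255.0.0  gss include_realm=0 krb_realm=EXAMPLE.COM
'''


def audit_hba(text):
    """Return (line_no, conn_type, method, verdict) for every ldap or gss rule."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        # shlex copes with quoted option values and drops '#' comments.
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        conn_type = fields[0]
        # "local" rules have no ADDRESS column; all host* rules do.
        idx = 3 if conn_type == "local" else 4
        # An address written as "IP MASK" takes two columns; auth method
        # names never contain '.' or ':', so such a field must be the mask.
        if conn_type != "local" and len(fields) > idx and any(c in fields[idx] for c in ".:"):
            idx += 1
        if len(fields) <= idx:
            continue  # malformed or incomplete rule; not judged here
        method = fields[idx]
        if method == "ldap":
            if conn_type in ("host", "hostnossl"):
                # "host" also matches non-TLS connections, so the password
                # can cross the network to PostgreSQL in cleartext.
                verdict = "cleartext-possible"
            else:
                # TLS (hostssl) or a Unix socket protects transit, but the
                # server still receives the password itself.
                verdict = "server-sees-password"
        elif method == "gss":
            verdict = "password-not-exposed"
        else:
            continue
        findings.append((line_no, conn_type, method, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_hba(SAMPLE_HBA):
        print(*finding)
```

A `hostssl` rule only enforces TLS on the server side; clients still need `sslmode=verify-full`, as the message says, so that they authenticate the server before sending the password.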
