Bernd Lentes

> On 23.11.2018 at 20:14, Stephen Frost <sfrost@xxxxxxxxxxx> wrote:
>
> With LDAP, the user's password will be seen by the PostgreSQL server,
> and sent over the wire in cleartext unless you're making sure to use TLS
> on the connection to PG (and if you're doing that you really want to
> make sure you have verify-full enabled on your clients....).
>
> With Kerberos/GSSAPI, the authentication tokens are encrypted by the KDC
> (in your case, the AD domain controllers) and the user's password is
> never exposed.
>
> Thanks!
>
> Stephen

I'm not sure whether my clients speak TLS. I'm afraid they don't. But isn't the password then also transmitted in cleartext? It must be transmitted from the client to the Pg server, independent of using LDAP or Kerberos/GSSAPI.

Bernd

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Chair of the Supervisory Board: MinDirig.in Petra Steiner-Hoffmann
Deputy Chair of the Supervisory Board: MinDirig. Dr. Manfred Wolter
Managing Directors: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Heinrich Bassler, Dr. rer. nat. Alfons Enhsen
Register court: Amtsgericht Muenchen HRB 6466
VAT ID: DE 12952167
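The LDAP-without-TLS exposure discussed in this thread can be checked on the server side. The following is an added example, not part of the thread: a small audit of `pg_hba.conf` that flags rules accepting a client-supplied password on connections not required to use TLS. The sample file, host names and the function name `audit_pg_hba` are constructed for illustration, and the check is generalized from `ldap` to the `password` and `pam` methods, which also send the password itself to the server.

```python
import shlex

# Methods in which the client sends the password itself to the server
# (ldap is the case from the thread; password and pam are added here).
CLEARTEXT_METHODS = {"ldap", "password", "pam"}
# Record types that also match connections made without TLS.
NON_TLS_TYPES = {"host", "hostnossl"}

# Constructed sample pg_hba.conf, not taken from the thread.
SAMPLE = """\
# TYPE    DATABASE USER ADDRESS                   METHOD (constructed sample)
local     all      all                            peer
host      all      all  10.0.0.0/8                ldap ldapserver=dc1.example.org ldapsuffix="@example.org"
hostssl   all      all  10.0.0.0/8                ldap ldapserver=dc1.example.org ldapsuffix="@example.org"
host      all      all  192.168.1.0 255.255.255.0 password
host      all      all  10.0.0.0/8                gss include_realm=0
hostnossl all      all  0.0.0.0/0                 scram-sha-256
"""


def audit_pg_hba(text):
    """Return (line_no, record_type, method) for every rule that accepts a
    cleartext password on a connection that is not required to use TLS."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # shlex handles quoted option values and drops '#' comments.
        tokens = shlex.split(raw, comments=True)
        if len(tokens) < 5 or tokens[0] not in NON_TLS_TYPES:
            continue  # blank, comment, local, or hostssl record
        # Layout: type db user address [netmask] method [options...]
        method = tokens[4]
        if ("." in method or ":" in method) and len(tokens) > 5:
            method = tokens[5]  # tokens[4] was a separate netmask column
        if method in CLEARTEXT_METHODS:
            findings.append((line_no, tokens[0], method))
    return findings


if __name__ == "__main__":
    for line_no, rec_type, method in audit_pg_hba(SAMPLE):
        print(f"line {line_no}: '{rec_type}' rule with method '{method}' "
              "allows a cleartext password without TLS; use hostssl")
```

Changing a flagged `host` record to `hostssl` makes the server refuse the rule for non-TLS connections; the `verify-full` setting mentioned in the thread is configured on the client side.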