* u235sentinel (u235sentinel@xxxxxxxxx) wrote: > We would have to rebuild the binaries and we're already heavily using > the database. I could rebuild it again but it's like the fourth time > I've been asked to add a feature. I did read that GSSAPI was the way to > go but I'm being told to try using LDAP instead. I don't have a lot of > experience with either but I'll be able to figure it out I think :-) Perhaps you should look at how the package managers under Debian or RedHat build PG and turn on a similar set of options.. They typically try to turn on everything possible and when they have to make choices they go with what would be appropriate for most. That would probably reduce the amount of rebuilding you need to do.. Or you could just use packages to begin with and probably would have avoided this entirely. :) Using LDAP to do pass-thru auth is really horrid when Kerberos is available, if you ask me. It's also alot more fragile and will cause problems when users change their passwords and they have them stored in things like ODBC settings, etc. With LDAP auth, users still have to provide their password to the database server which then turns around and tries to use the users' credentials to bind to the LDAP directory. You'll also really want to make sure you're doing SSL for your database connections and SSL on your LDAP connections. Thanks, Stephen
Attachment:
signature.asc
Description: Digital signature
