On Fri, Aug 24, 2012 at 1:29 PM, Jeremy Palmer <JPalmer@xxxxxxxxxxxx> wrote:
Marcus' guide looks great.
So what's the pros/cons of using the Kerberos via GSSAPI method, rather than going for the SingleSignOn method mentioned by Sunday?
Cons:
More complicated to set up.
There are a few odd things about AD and Kerberos that take some getting used to. For example iirc, systems get keys rather than services, so your keytab ends up showing identical keys for every service on a machine
Pros:
Far more secure
True single-sign-on (users do not have to enter passwords).
Unlike LDAP does not require degrading DC security.
I would honestly go with GSSAPI.
It's not quite the same thing but a paper I wrote (published by Microsoft!) is likely to be helpful here:
The paper discusses using kerberized authentication for OpenSSH against AD. In principle, PostgreSQL should be relatively similar. The paper may be of help here.
Best Wishes,
Chris Travers