Greetings,

* C GG (cgg0007@xxxxxxxxx) wrote:
> This is PostgreSQL 9.5 -- We just enabled LDAP(S) authentication (to an
> Active Directory server) for a certain grouping of users

You really shouldn't be using LDAP auth to an Active Directory system.
Active Directory supports Kerberos, which is a much more secure way to
authenticate.

> I'm getting complaints from the users authenticating using ldap that
> database operations are taking quite a bit longer than they were previously
> when they were authenticating with MD5 stored passwords. Clearly, there's
> more machinery at work with that kind of operation, but the increase in
> time is way more than I would have estimated.

Using Kerberos/GSSAPI will be much faster as you only need to get a
ticket and then that can be reused to authenticate multiple times to the
database without having to contact the LDAP server.

> I still want them to be able to type in a password, so GSSAPI is out for an
> alternative (right?) ... Is there something I can do to help speed things
> up? Is there any telemetry that I can generate (logs, stats, etc.) which
> might be able to pinpoint a bottleneck?

What's the reason for wishing for them to "be able to type in a
password"? With GSSAPI/Kerberos, users get true single-sign-on, so they
would log into the Windows system with a password and then have a TGT
which can be used to authenticate to other services without having to
type in their password over and over again.

Thanks!

Stephen
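On the question of telemetry raised in the quoted message: the following is an added example, not part of the thread, that measures per-user time between PostgreSQL's "connection received" and "connection authorized" log messages, so LDAP-authenticated logins can be compared with MD5 ones. It assumes `log_connections = on` and `log_line_prefix = '%m [%p] '`; the log lines, user names and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the thread). Assumes log_connections = on
# and log_line_prefix = '%m [%p] ' in postgresql.conf.
SAMPLE_LOG = """\
2018-05-30 10:00:00.010 EDT [4101] LOG:  connection received: host=10.0.0.5 port=50112
2018-05-30 10:00:00.014 EDT [4101] LOG:  connection authorized: user=svc_md5 database=app
2018-05-30 10:00:01.200 EDT [4102] LOG:  connection received: host=10.0.0.6 port=50344
2018-05-30 10:00:01.950 EDT [4102] LOG:  connection authorized: user=alice database=app
2018-05-30 10:00:02.000 EDT [4103] LOG:  connection received: host=10.0.0.6 port=50345
2018-05-30 10:00:02.640 EDT [4103] LOG:  connection authorized: user=alice database=app
2018-05-30 10:00:03.000 EDT [4104] LOG:  connection received: host=10.0.0.7 port=50400
2018-05-30 10:00:03.300 EDT [4104] FATAL:  LDAP authentication failed for user "bob"
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \S+ \[(?P<pid>\d+)\] "
    r"(?P<level>\w+):\s+(?P<msg>.*)$"
)
AUTHORIZED = re.compile(r"^connection authorized: user=(?P<user>\S+)")

def auth_latencies(log_text):
    """Return {user: [seconds, ...]} from 'connection received' to
    'connection authorized', matched on backend PID."""
    received = {}
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # continuation lines, other prefixes
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connection received:"):
            received[pid] = ts  # PIDs get reused, so always overwrite
        elif (a := AUTHORIZED.match(msg)) and pid in received:
            delta = (ts - received.pop(pid)).total_seconds()
            per_user[a["user"]].append(round(delta, 3))
    return dict(per_user)

def summarize(latencies):
    """Return {user: (connections, mean seconds, max seconds)}."""
    return {u: (len(v), round(sum(v) / len(v), 3), max(v)) for u, v in latencies.items()}

if __name__ == "__main__":
    for user, (n, mean, worst) in sorted(summarize(auth_latencies(SAMPLE_LOG)).items()):
        print(f"{user}: {n} connections, mean {mean}s, max {worst}s")
```

The interval also includes the client's own round trips for the password exchange, so compare LDAP users against MD5 users connecting from the same client rather than reading the number as pure LDAP server time.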