Greetings, * Wolff, Ken L (ken.l.wolff@xxxxxxxx) wrote: > Thanks again, everyone, for all the responses and ideas. I'm still getting caught up on the various responses but with respect to LDAP/AD, I truly wish it were an option. I agree with the various sentiments that AD authentication is more manageable, scalable, secure, etc. However, if there were one set of environs where you'd think we could rely exclusively on AD authentication, it would be SQL Server, which by default, relies on Windows & AD for its authentication. However, for our company, even in our SQL Server environments, we almost always have to resort to internal (SQL-authenticated) accounts at times for various reasons: usually because vendor software doesn't support AD authentication, but I've even heard some people mention docker containers can't use it, either. Full disclosure - I haven't run that last one down yet, have only heard it in passing so don't know the details. At least as it involves vendor software, most of that is built on top of libpq or JDBC and you can typically make them work with GSSAPI (which is basically Kerberos, and is what AD/SQL Server uses), which is what you want to be using. Don't think the "ldap" auth in PG is like SQL Server AD auth- it isn't, and "ldap" involves passing user's passwords around in the clear, it's not secure. So, you might not have as much need for local accounts as you do for SQL server, but it's certainly possible you'll end up needing them somewhere. And yes, you can certainly get GSSAPI/Kerberos to work in docker and in Kube, it's just more complicated due to sorting through DNS/rDNS and such, but it's been done (and I've done it :). Thanks! Stephen
Attachment:
signature.asc
Description: PGP signature
