Greetings,

* Geoff Winkless (pgsqladmin@xxxxxxxx) wrote:
> On Wed, 6 May 2020, 14:28 Stephen Frost, <sfrost@xxxxxxxxxxx> wrote:
> > * Geoff Winkless (pgsqladmin@xxxxxxxx) wrote:
> > > On Wed, 6 May 2020 at 00:05, Tim Cross <theophilusx@xxxxxxxxx> wrote:
> > > > Where Tom's solution fails is with smaller companies that cannot afford
> > > > this level of infrastructure.
> > >
> > > Is there an objection to openldap?
> >
> > LDAP-based authentication in PG involves passing the user's password to
> > the database server in the clear (or tunneled through SSL, but that
> > doesn't help if the DB is compromised), so it's really not a good
> > solution
>
> If your DB is compromised then (if the LDAP server is only used for the db)
> what difference does it make to lose the passwords?

Seems rather unlikely to be reasonable to set up an LDAP server for every
independent DB, but if you really want to go down that route, you're very
likely to end up in the same situation: users will reuse their password
from their AD account (and/or somewhere else).

> I was (as per the thread) suggesting a simple way for small companies to
> achieve the OP's requirements without a large infrastructure investment and
> without involving the pg team undertaking the rediscovery of novel circular
> transportation-assisting devices.

The OP's comment was actually that they *have* AD in place, but there are
cases where they don't want to use AD for one reason or another.
Suggesting setting up another service like OpenLDAP seems unlikely to
really answer that, but who knows.

> Any large company will have an AD or similar setup already, clearly I'm not
> suggesting using it in that situation.

Except that's the case that was presented here: they have AD but they
don't want to use it for some subset of accounts.

> AIUI you can configure kerberos with openldap if that's more your thing,
> fwiw, but then IME the learning curve (and thus setup cost) increases
> exponentially.

Yes, you can set up OpenLDAP with Kerberos auth through SASL, you just
need an appropriate service princ from a KDC (eg: Active Directory, MIT
Kerberos, or Heimdal). Isn't terribly hard, and is part of what's called
"LDAPv3", which is when SASL support was added (RFC 2251... from 1997).

I have to admit that I've not tried to make PG w/ 'ldap' auth use
Kerberos to connect to an LDAP server. While it likely could be done, in
such a case you've already got a KDC and presumably would rather be using
Kerberos to auth to all of your services, including PG.

Thanks,

Stephen
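The point Stephen makes above, that PG's `ldap` method (like `password`, `radius`, `pam` and `bsd`) requires the client to hand its cleartext password to the database server, is something an administrator can check for mechanically in `pg_hba.conf`. The following auditor is an added example, not code from the PostgreSQL project or from anyone in this thread; the `pg_hba.conf` content it scans is constructed for illustration, and the hostnames, realm and base DN in it are placeholders. It parses each record, finds the auth method, and reports which lines let the server see the password (and whether the transport type even guarantees encryption), so the `ldap` lines stand out next to `scram-sha-256` and `gss` lines that never expose a reusable secret to the server.

```python
"""Audit pg_hba.conf records for authentication methods that make the client
send its cleartext password to the PostgreSQL server.

Added example (not PostgreSQL project code); SAMPLE_HBA is constructed.
"""
import shlex

# Methods where the client transmits the cleartext password and the server
# forwards it (LDAP bind, RADIUS, PAM, BSD auth) or compares it directly.
CLEARTEXT_PASSWORD_METHODS = {"password", "ldap", "radius", "pam", "bsd"}
# Challenge/response methods: the server sees a hash or a SCRAM proof.
HASHED_PASSWORD_METHODS = {"md5", "scram-sha-256"}
# No password travels to the server at all.
PASSWORDLESS_METHODS = {"gss", "sspi", "cert", "peer", "ident", "trust", "reject"}
ALL_METHODS = CLEARTEXT_PASSWORD_METHODS | HASHED_PASSWORD_METHODS | PASSWORDLESS_METHODS

# Constructed sample; ldap.example.internal and EXAMPLE.INTERNAL are placeholders.
SAMPLE_HBA = """\
# TYPE      DATABASE  USER      ADDRESS                    METHOD
local       all       postgres                             peer
host        all       all       10.0.0.0/8                 ldap ldapserver=ldap.example.internal ldapprefix="uid=" ldapsuffix=",ou=people,dc=example,dc=internal"
hostssl     all       all       10.0.0.0/8                 ldap ldapserver=ldap.example.internal ldapbasedn="dc=example,dc=internal"
hostssl     all       all       0.0.0.0/0                  scram-sha-256
hostgssenc  all       all       0.0.0.0/0                  gss include_realm=0 krb_realm=EXAMPLE.INTERNAL
host        all       all       192.168.1.0 255.255.255.0  md5
"""


def parse_hba_line(line):
    """Parse one pg_hba.conf record into a dict; return None for blank/comment lines.

    The ADDRESS column may be absent (local), a CIDR, a hostname, or an
    "address netmask" pair, so the method is located as the first token at or
    after position 3 that names a known auth method.
    """
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    fields = shlex.split(stripped)  # strips the quotes around option values
    if len(fields) < 4:
        raise ValueError(f"malformed record: {line!r}")
    for idx in range(3, len(fields)):
        if fields[idx] in ALL_METHODS:
            method_idx = idx
            break
    else:
        raise ValueError(f"no recognised auth method in record: {line!r}")
    return {
        "type": fields[0],
        "database": fields[1],
        "user": fields[2],
        "address": " ".join(fields[3:method_idx]) or None,
        "method": fields[method_idx],
        "options": fields[method_idx + 1:],
    }


def audit(hba_text):
    """Return (line_number, severity, message) for every record worth flagging."""
    findings = []
    for lineno, line in enumerate(hba_text.splitlines(), 1):
        rec = parse_hba_line(line)
        if rec is None:
            continue
        method = rec["method"]
        if method in CLEARTEXT_PASSWORD_METHODS:
            if rec["type"] in ("host", "hostnossl"):
                # 'host' matches both SSL and non-SSL connections, so the
                # password may also cross the network unencrypted.
                findings.append((lineno, "HIGH",
                                 f"{method}: server receives the cleartext password, "
                                 "and the connection is not required to be encrypted"))
            else:
                findings.append((lineno, "MEDIUM",
                                 f"{method}: encrypted in transit, but the server still "
                                 "receives the cleartext password (reusable if the DB host is compromised)"))
        elif method == "md5":
            findings.append((lineno, "LOW",
                             "md5: the stored hash is password-equivalent for this "
                             "server; prefer scram-sha-256"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in audit(SAMPLE_HBA):
        print(f"line {lineno:>2} [{severity}] {message}")
```

The severity split mirrors the thread: `hostssl ... ldap` fixes the wire exposure but not the fact that a compromised server learns every user's password, which is why the `scram-sha-256` and `gss` lines produce no finding at all.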