Hi Stephen,

> On 08. Jan, 2021, at 22:59, Stephen Frost <sfrost@xxxxxxxxxxx> wrote:
>
> Done correctly, the developers will hopefully be going from "this stupid
> thing prompts me to provide a username/password in order to log in" to
> "no more prompt for logging in, it just *works*". Further, as Magnus
> explained, you could actually have the mapping to allow user X to log in
> by providing GSSAPI credentials Y, if they are actually still going to
> be including some username in their connection request to PG (even
> though they shouldn't need to, since it'll be the same between their
> local Windows/AD login and the GSSAPI user that PG will see). You
> should be able to make both work concurrently thanks to pg_ident.conf.

I agree. But the company policy is to have users asked each time they want to log in somewhere, no matter where. We need to use an RSA tamagotchi at least twice to even get somewhere close to being able to launch a tool like DbVisualizer or SQL Developer. If we want a shell on a server, we need to use the tamagotchi one more time. And so, for such tools, or in fact anything, "no more prompt" unfortunately is just not an option. Some call that security, I call that paranoia.

This is why I don't care whether GSSAPI is more secure than LDAPS. The whole environment is stuffed inside some network zone which is stuffed into another network zone, then divided again into some other network zones inside, etc. LDAP and AD are in separate zones from the databases; developers' and admins' machines are again in some other network zone. Even some databases have their own network zones. You get the picture...

The best thing is: they still call this single sign on because you get to use the same username everywhere. rotfl

From the network perspective, Magnus is right. We have a hacky environment. But architecture is not something I have an influence on.

Cheers,
Paul